All Tools About Blog Code Examples MCP Server — Use tools from AI agents
Workflows Paste Anything — Smart Detector Tool Pipeline Builder Bulk / Batch Processor
JSON Tools JSON Formatter & Beautifier JSON Validator JSON to CSV Converter JSON to TypeScript Generator JSON to Python Converter JSON Flatten & Unflatten jq Playground — JSON Processor JSON Mock Data Generator JSON Schema Validator JSONPath Evaluator JSON Schema Generator JSON Patch / Diff Generator
Encoding Tools Base64 Encoder / Decoder URL Encoder / Decoder Hash Generator (MD5/SHA) JWT Decoder HTML Entity Encoder / Decoder Image to Base64 Converter String Escape / Unescape Tool ASCII / Binary / Hex Converter Protobuf Decoder — Wire Format Viewer Encoding Detective — Mojibake Repair
Formatters HTML Beautifier XML Formatter & Validator SQL Formatter & Beautifier CSS Minifier & Beautifier JavaScript Minifier & Beautifier TOML Formatter & Converter YAML Formatter, Validator & Minifier
Generators UUID Generator Password Generator QR Code Generator Lorem Ipsum Generator Cron Expression Generator chmod Calculator Slug / URL Generator .gitignore Generator
Testing Tools Regex Tester Regex Explainer — Plain English
Security Tools HMAC Generator Content Security Policy Generator SSH Key Generator SSL Certificate Decoder CORS Header Builder & Generator
Design Tools Color Picker & Converter Placeholder Image Generator SVG Path Editor & Visualizer
Comparison Tools Diff Checker / Text Compare .env Diff & Merge
Converters JSON-YAML Converter Epoch / Unix Timestamp Converter Markdown to HTML Preview Curl to Fetch/Axios Converter Tailwind CSS Converter OpenAPI to TypeScript Text Case Converter Number Base Converter CSV Viewer & Editor Date & Time Format Converter SQL to MongoDB & N1QL Converter Semver Calculator & Comparator Byte / Size Calculator URL Parser & Builder Glob to Regex Converter Math Expression Evaluator SQL DDL to TypeScript Converter Duration / Time Calculator CSS Unit Converter — px, rem, em, pt, vw, vh JSON to Go Struct Converter HTML to Markdown Converter CSV to SQL Converter SQL to ORM Converter
Reference HTTP Status Code Explorer Git Command Builder GraphQL Schema Explorer MIME Type Lookup
Text Tools Word & Character Counter Text Line Sorter, Deduplicator & Tools
Networking Tools Subnet / CIDR Calculator
DevOps Tools Nginx Config Generator Docker Compose Validator Robots.txt Generator & Validator GitHub Actions YAML Validator

SSL Certificate Decoder

Decode PEM-encoded SSL/TLS certificates and view subject, issuer, validity dates, SANs, and key info. Free online certificate decoder.

Your data never leaves your browser

Paste a PEM-encoded certificate or CSR and click Decode
Next steps
Base64 Hash Generator JWT Decoder Nginx Config

How to Use

  1. Copy your PEM-encoded certificate — everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, inclusive.
  2. Paste it into the text area and click Decode.
  3. Review the decoded fields: subject, issuer, validity period, SANs, public key algorithm, key size, and extensions.
  4. For certificate chains, paste the entire chain (multiple PEM blocks) — each certificate is decoded separately with a clear label.

What Are SSL/TLS Certificates?

SSL/TLS certificates are digital documents that bind a cryptographic public key to an organization's identity. When you visit a website over HTTPS, the server presents its certificate to your browser, which verifies the certificate's authenticity against a list of trusted Certificate Authorities (CAs). This process ensures two things: the server is who it claims to be (authentication), and the connection between your browser and the server is encrypted (confidentiality).

Every certificate contains structured data defined by the X.509 standard (RFC 5280). The key fields include the subject (who the certificate is issued to), the issuer (which CA signed it), the validity period (when it becomes active and when it expires), the public key (used for TLS key exchange), and extensions like Subject Alternative Names that list which domain names the certificate covers.

Understanding the PEM Format

PEM is the most widely used certificate encoding format. Under the hood, a PEM file is simply a DER-encoded (binary) certificate that has been Base64-encoded and wrapped with human-readable header and footer lines. The DER binary data follows the ASN.1 (Abstract Syntax Notation One) encoding rules, which define how the certificate fields are structured as nested sequences of typed data.

You can obtain a server's certificate using OpenSSL: openssl s_client -connect example.com:443 -showcerts. This outputs the full certificate chain in PEM format, which you can paste directly into this tool. Alternatively, click the padlock icon in your browser's address bar, view the certificate details, and export it as a PEM or Base64-encoded file.

Certificate Chains Explained

Browsers and operating systems ship with a set of trusted root CA certificates. When a server presents its certificate, the browser builds a chain from the server's certificate up to one of these trusted roots. Intermediate certificates bridge the gap between the server certificate and the root CA. If the chain is incomplete (missing intermediates), browsers may show a trust error even though the server certificate itself is valid.

A typical chain has three certificates: the leaf (server) certificate, an intermediate CA certificate, and the root CA certificate. Some chains are longer, especially for certificates issued by smaller CAs that chain through multiple intermediates. This tool decodes each certificate in the chain separately, making it easy to inspect the full trust path.

Certificate Signature Algorithms

The signature algorithm determines how the CA digitally signs the certificate. SHA-256 with RSA is the most common algorithm in use today. Older certificates may use SHA-1 with RSA, which is deprecated and no longer trusted by modern browsers. Elliptic curve signatures (ECDSA with SHA-256) are increasingly common because they offer equivalent security with smaller keys and faster verification. Ed25519 signatures are the newest option, offering excellent performance and compact signatures.

Common Certificate Issues

  • Certificate expired — The current date is past the "Not After" date. Renew the certificate with your CA or use automated renewal via ACME/Let's Encrypt.
  • Name mismatch — The domain you are connecting to is not listed in the certificate's Common Name (CN) or Subject Alternative Names (SANs). Reissue the certificate with the correct domain names.
  • Incomplete chain — The server is not sending intermediate certificates. Configure your web server to serve the full chain, not just the leaf certificate.
  • Self-signed certificate — The certificate is not signed by a trusted CA. This is normal for development environments but will cause browser warnings in production.
  • Weak key size — RSA keys under 2048 bits are considered insecure. Modern best practice is 2048-bit RSA or 256-bit ECDSA (P-256).

CSR (Certificate Signing Request) Decoding

This tool also decodes Certificate Signing Requests. A CSR contains the subject information and public key that you want the CA to include in your certificate, along with a signature proving you hold the corresponding private key. CSRs do not contain issuer or validity information — those are set by the CA during issuance. Decode a CSR to verify its contents before submitting it to a CA.

Related Tools

Certificates use Base64 encoding for the PEM format. Verify certificate fingerprints with the Hash Generator. Decode JWT tokens, which also use public key cryptography for signing. Check certificate data programmatically with the JSON Formatter when working with certificate APIs.

Frequently Asked Questions

What is a PEM-encoded SSL certificate?
PEM (Privacy Enhanced Mail) is the most common format for SSL/TLS certificates. It is a Base64-encoded DER certificate wrapped between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" headers. PEM files typically use .pem, .crt, or .cer extensions. You can open them in any text editor.
What is a certificate chain?
A certificate chain (or chain of trust) is a sequence of certificates where each certificate is signed by the next one in the chain. It typically includes the server (leaf) certificate, one or more intermediate certificates, and a root CA certificate. Paste an entire chain into this tool to decode all certificates at once.
What are Subject Alternative Names (SANs)?
SANs are an X.509 extension that lists additional hostnames, IP addresses, or identifiers that a certificate is valid for. Modern browsers require SANs and ignore the Common Name (CN) for hostname validation. A single certificate can cover multiple domains using SANs — this is how wildcard and multi-domain certificates work.
What does "self-signed" mean?
A self-signed certificate is one where the issuer and subject are the same entity — the certificate is signed by its own private key rather than by a trusted Certificate Authority (CA). Self-signed certificates are used for development, testing, and internal services, but browsers will show a security warning because they are not in the trusted root store.
Is it safe to paste my certificate here?
Yes. All decoding happens entirely in your browser using JavaScript — no data is sent to any server. Certificates are public information by design (servers send them during every TLS handshake), so there is no security risk in pasting them here. Never paste private keys into any online tool.
What is a CSR (Certificate Signing Request)?
A CSR is a message sent to a Certificate Authority to request a signed digital certificate. It contains the public key and subject information (organization, domain name, etc.) but no validity dates or issuer, since those are set by the CA when it issues the certificate. This tool can decode CSRs wrapped in "-----BEGIN CERTIFICATE REQUEST-----" markers.

Related Tools

HMAC Generator

Generate HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, and HMAC-SHA1 keyed-hash signatures.

Content Security Policy Generator

Generate Content Security Policy headers with an interactive builder. Configure all CSP directives with presets and custom domains.

SSH Key Generator

Generate RSA and ECDSA SSH key pairs entirely in your browser. Private keys never leave your device.

CORS Header Builder & Generator

Generate CORS headers interactively. Output as HTTP headers, Nginx config, Express middleware, or Apache .htaccess.

Paste Anything — Smart Detector

Paste any text and instantly detect its format — JSON, JWT, Base64, UUID, SQL, timestamps, colors, and more.

AI agent tools available. The CodeTidy MCP Server gives Claude, Cursor, and other AI agents access to 47 developer tools. One command: npx @codetidy/mcp

Drop file to load