SSH Workbench

X.509 Certificate Decoder

Paste a PEM certificate to view subject, issuer, validity, SANs, fingerprints, and extensions.

Client-side only — nothing leaves your browser

What is an X.509 Certificate Decoder?

An X.509 certificate decoder parses the binary contents of a PEM- or base64-encoded SSL/TLS certificate and shows the human-readable fields inside: subject (CN, O, OU), issuer, serial number, validity dates, public key algorithm and size, signature algorithm, Subject Alternative Names (SANs), key usage, extended key usage, and SHA-1/SHA-256 fingerprints. It's the browser equivalent of running openssl x509 -in cert.pem -text -noout — useful for inspecting what a cert actually covers, when it expires, and which CA signed it.

Common Certificate File Formats

FormatEncodingTypical Extension
PEMBase64 between BEGIN/END markers.pem .crt .cer
DERRaw binary ASN.1.der .cer
PKCS#7Cert chain bundle.p7b .p7c
PKCS#12Cert + private key, encrypted.p12 .pfx

This decoder accepts PEM. If you have a DER file, convert it first with openssl x509 -inform der -in cert.der -out cert.pem. For PKCS#12, extract the certificate with openssl pkcs12 -in cert.pfx -nokeys -out cert.pem.

Frequently Asked Questions

What is an X.509 certificate?
X.509 is the standard format for public-key certificates used in SSL/TLS, code signing, S/MIME email, and most other PKI systems. An X.509 certificate binds a public key to an identity (typically a domain name or organization) and is signed by a Certificate Authority (CA). The structure is defined in RFC 5280 and includes fields like Subject, Issuer, Serial Number, Validity period, Public Key, and a set of extensions (SANs, Key Usage, etc.). Almost every HTTPS certificate you encounter is an X.509 v3 certificate.
What is the difference between PEM and DER certificate formats?
PEM (Privacy-Enhanced Mail) and DER (Distinguished Encoding Rules) hold the same X.509 certificate, just packaged differently. DER is the raw binary ASN.1 encoding. PEM wraps that binary in base64 and adds '-----BEGIN CERTIFICATE-----' / '-----END CERTIFICATE-----' markers so it can be safely emailed or pasted into config files. Convert between them with openssl: 'openssl x509 -inform der -in cert.der -out cert.pem' or 'openssl x509 -outform der -in cert.pem -out cert.der'. PEM is what you normally see in Linux/macOS config files; DER is what Windows and Java often use.
What is a Subject Alternative Name (SAN) in a certificate?
A Subject Alternative Name is an X.509 extension that lists every hostname, IP address, or email the certificate is valid for — beyond just the single Common Name. Modern browsers (Chrome since 2017) ignore the CN entirely and only trust hostnames in the SAN list. That's why a cert for 'example.com' that doesn't also list 'www.example.com' as a SAN will trigger a warning on the www subdomain. SANs can be DNS names, IP addresses, URIs, or email addresses. Wildcards like '*.example.com' are also stored as SANs.
What is a certificate fingerprint or thumbprint?
A certificate fingerprint (Windows calls it a thumbprint) is a cryptographic hash of the entire DER-encoded certificate. It's a short, unique identifier that lets you verify two parties are looking at exactly the same certificate. SHA-256 is the modern standard; SHA-1 is still shown for legacy compatibility but should not be relied on for security. Fingerprints are commonly used for certificate pinning, comparing a cert seen in the browser against one published out-of-band, or quickly distinguishing between multiple certs issued for the same domain.
How do I decode a certificate with OpenSSL?
The canonical command is 'openssl x509 -in cert.pem -text -noout'. The '-text' flag prints all decoded fields in human-readable form; '-noout' suppresses re-printing the base64. Useful variants: '-fingerprint -sha256' to print only the SHA-256 fingerprint, '-subject' or '-issuer' to print just one field, '-dates' to show only validity, and '-ext subjectAltName' to extract just the SANs. For a DER-encoded file, add '-inform der'. This decoder runs the same parsing logic in your browser so you don't need OpenSSL installed.

Related Tools

SSL Checker

Check SSL/TLS certificate validity, expiry, chain, and issuer for any domain. Color-coded expiry warnings.

chmod Calculator

Visual chmod calculator. Toggle owner/group/other permissions, see octal (755) and symbolic (rwxr-xr-x) live.

Key Generator

Generate RSA, Ed25519, and ECDSA SSH keys securely in your browser.

Port Checker

Test if SSH port 22 is open on any server. Diagnose firewall and connection issues.

Config Generator

Generate ~/.ssh/config entries visually. Build config files with host aliases, jump hosts, and identity files.

Need to manage SSH connections?

SSH Workbench lets you connect, browse files, and manage servers visually.

Try SSH Workbench Free