What's the difference between PEM and DER?

Same content, different encoding. DER is the raw binary ASN.1 representation. PEM is DER base64-encoded with header/footer lines — it's safe to put in text files and emails. This tool reads PEM and decodes the DER inside.

Can I paste a CSR (certificate signing request) instead?

No — this version handles X.509 certificates only. CSRs have a similar but different structure (PKCS#10). A CSR decoder is a separate tool we may add later.

Why doesn't the certificate I pasted decode?

Most common: missing or extra characters in the BEGIN/END lines (sometimes copy-paste adds extra newlines or spaces); a binary DER file pasted directly without base64 encoding; or a private key pasted instead of a cert. The status line will say which it failed on.

Is my certificate sent anywhere?

No. All ASN.1 parsing and hash computation happens in your browser. Even the SHA-256 fingerprint is computed locally via the Web Crypto API.

SSL Certificate Decoder

Paste a PEM-encoded SSL certificate to see issuer, validity dates, SANs, fingerprint, and more. Decoded in your browser.

Runs entirely in your browser. Nothing is sent to our servers.

About this tool

Decodes PEM-encoded X.509 certificates entirely in your browser. The decoder parses the underlying DER (Distinguished Encoding Rules) bytes, walks the ASN.1 structure, and extracts the parts you usually want to see: subject, issuer, validity period, public key info, fingerprints, and the Subject Alternative Names. Your certificate never leaves your device.

What this shows

Subject — who the certificate is issued to.
Issuer — the CA that signed it.
Validity period — when the cert is valid from and until, plus whether it's currently active or expired.
Serial number — the issuer-assigned unique number.
Signature algorithm — how the issuer signed the cert (SHA-256 with RSA, ECDSA P-256, etc.).
Subject Alternative Names (SANs) — the list of domain names and IPs the cert is valid for. This is what browsers actually check, not the Common Name.
Fingerprints — SHA-1 and SHA-256 hashes of the DER-encoded cert, used for pinning and identification.

What this doesn't do

This tool decodes a single certificate. It doesn't verify the chain back to a root, check revocation status (CRL/OCSP), or test that a certificate matches a given private key. For chain validation, use openssl verify or a dedicated tool like SSL Labs' analyzer.

Frequently asked questions

What's the difference between PEM and DER?: Same content, different encoding. DER is the raw binary ASN.1 representation. PEM is DER base64-encoded with header/footer lines — it's safe to put in text files and emails. This tool reads PEM and decodes the DER inside.
Can I paste a CSR (certificate signing request) instead?: No — this version handles X.509 certificates only. CSRs have a similar but different structure (PKCS#10). A CSR decoder is a separate tool we may add later.
Why doesn't the certificate I pasted decode?: Most common: missing or extra characters in the BEGIN/END lines (sometimes copy-paste adds extra newlines or spaces); a binary DER file pasted directly without base64 encoding; or a private key pasted instead of a cert. The status line will say which it failed on.
Is my certificate sent anywhere?: No. All ASN.1 parsing and hash computation happens in your browser. Even the SHA-256 fingerprint is computed locally via the Web Crypto API.

Last updated: May 17, 2026

About this tool

What this shows

What this doesn't do

Frequently asked questions

Related tools