About Certificate Decoder

Decode X.509 PEM certificates into readable fields. Part of the DevTools Surf developer suite. Browse more tools in the Networking collection.

Use Cases

• Checking SSL certificate expiration dates before renewal deadlines
• Verifying SAN entries cover all required domain variations
• Debugging TLS handshake failures by inspecting certificate fields
• Auditing intermediate certificate chain completeness

Tips

• Paste a PEM certificate to see expiry date and issuer details
• Check the Subject Alternative Names for covered domains
• Verify the certificate chain and key usage extensions

Fun Facts

• X.509 was first published in 1988 by the ITU-T as part of the X.500 directory services standard.
• Let's Encrypt, launched in April 2016, has issued over 4 billion certificates and made HTTPS free for everyone.
• The first SSL certificate was issued by Netscape in 1994, and a single certificate could cost over $1,000 per year at that time.

FAQ

What does it show?

Subject and issuer, validity dates, public key type/size, extensions (SAN, key usage), signature algorithm, fingerprints (SHA-1, SHA-256). Everything needed to audit a cert.

Does it verify the cert?

No — it only parses. Verification (chain validation, revocation check) requires contacting CAs. Use openssl or a specific verifier for that.

Which cert formats?

PEM (BEGIN CERTIFICATE) and DER (binary, base64-encoded). Chains of multiple certs are decoded one by one.

Is my certificate private?

Runs entirely in your browser. Paste production certs safely — they don't leave your device.