🔐

Certificate Decoder | Free X.509 Certificate Inspector

Securely decode and contrast X.509, JWK, and SSH key formats client-side.

⚡ Load Standard Format Benchmarks:

Decoder Console

📋 Certificate Details

CRT
Common Name:Albert Marashi
Organization:Corstex
Issuer:N/A
Serial Number:2a0f
Signature Algorithm:1.2.840.113549.1.1.11
Key size:2048 bit
Valid From:Nov 06, 2019, 12:00 p.m
Expires On:Jan 05, 2020, 12:00 p.m
SANs:Albert Marashi
Status: EXPIRED

{ } Expanded ASN.1 Raw Tree

{
"version": 2
"serialNumber": 2a0f
"signatureOid": 1.2.840.113549.1.1.11
"signature": t¿&×FÜå_@²4øÇÌr#ê˽9q¸P‹e¿ [†Ág¿Xܧè™y°´sUΎ•íѾ÷*ÊFŠoõïejÖJd à‚S”h@“ÝšÌVnì°e·l£’ùÀ¶ÝD¶vζk4c€ï Lß»0O¡8$Žâ5Fõ¸w5ƒ)ɦªÓÒ¿ê&¶J‰c;ÿIŸA7‹1ž]rÑÖoÅ'°Líç¿3biCÁZ´éâeS¹O × ¥Ž>1½\¦ÖëÔÈśº\Lõ"TxˆÅ#h©Bå¼;µ]÷†„È(•Ï3%¨7¦r…þá¨ë³Õ[5|­„ŸuP o´
"siginfo": {... 2 items}
"validity": {... 2 items}
"issuer": {... 2 items}
"subject": {... 2 items}
"extensions": [... 4 items]
"publicKey": {... 2 items}
"md": null
"signatureParameters": {... 0 items}
"tbsCertificate": {... 5 items}
}

Certificate Essentials

X.509 digital certificates establish ownership of public keys and enable encrypted SSL/TLS channels.

  • Zero-Server Privacy: Processing is completed 100% locally in your browser. Keys never traverse the network.
  • Trust Hierarchy: Certificates form a link to root CAs to verify digital signatures.
  • Weak Key Flagging: Keys below 2048-bit RSA are flagged as insecure for modern HTTPS deployments.

Certificate & Cryptography Knowledge Center

🏛️

1. What is a Digital Certificate?

A digital certificate is a cryptographically signed file that binds a public key to an identity (such as a website or organization), validating safe identity on the internet.

🛡️ Types of Certificates & Purposes:

  • Domain Validation (DV)

    Purpose: Validates domain name ownership only. Fast issuance, perfect for standard blogs.

  • Organization Validation (OV)

    Purpose: Validates domain plus legal business records. Ideal for corporate portals.

  • Extended Validation (EV)

    Purpose: Undergoes strict government-level registry checks. Maximum trust badge for banking systems.

📁

2. X.509 Encoding Formats

Cryptographic assets are saved in various text or binary structures. Understanding each is key for system setups:

PEM (.pem, .crt, .cer)

Structure: Base64 text starting with ---BEGIN---. Standard format for Nginx, Apache, and Linux configurations.

DER (.der, .cer)

Structure: Raw binary X.509 format. Primarily utilized by Java platforms (Keystores) and legacy systems.

PKCS#7 (.p7b, .p7c)

Structure: ASCII text containing certificates and trust chains, excluding the private key.

PKCS#12 (.p12, .pfx)

Structure: An encrypted binary vault. Contains the private key, public key, and complete intermediate CA chain securely.

🔬

3. All About Decoders

Because raw cryptographic structures are compiled into unreadable blocks, decoder nodes are critical to verify keys before deployment:

🔌 Special Decoders & Operations:

  • SSL / TLS Decoders

    Deciphers the active production certificate deployed on an IP to verify hostnames and expiration.

  • PEM Decoders

    Extracts the Base64 ASCII block, parses the ASN.1 structure, and reviews common fields and public components safely.

  • CSR Decoders

    Reads Certificate Signing Requests to double-check organizational info and hostnames before paying the CA for signing.

Zero Server HandshakeSecure Browser Sandbox

Overview & Capabilities

Our **X.509 Certificate Decoder** is a privacy-first developer tool for instantly inspecting digital certificates in any standard format. It supports PEM, DER, CSR, and more, providing a comprehensive breakdown of the certificate details securely in your browser.

Tutorial

How to Use

01
Paste your certificate (PEM, CSR, DER, PKCS#7, or PKCS#12) into the input area, or drag & drop a certificate file directly.
02
The tool auto-detects the certificate format from the content headers.
03
View the parsed Certificate Summary panel showing Common Name, SAN, validity dates, issuer, and key strength.
04
Check the expiry countdown to see exactly how many days remain.
05
Explore the interactive JSON tree for the full raw certificate fields.
06
Copy the summary or download as TXT or JSON for your records.
Capabilities

Key Features

Multi-Format Support: PEM CRT, PEM CSR, RSA Key, PKCS#7, PKCS#12/P12, and DER.
Expiry Countdown: See exactly how many days until your certificate expires.
100% Client-Side: Powered by node-forge; your certificate never leaves your browser.
Interactive JSON Tree: Expandable raw ASN.1 parsed output via ngx-json-viewer.
Key Strength Indicator: Flags weak RSA keys (≤1024-bit) instantly.
Validity Status Badge: Clear Valid / Expired / Expiring Soon visual indicator.
Drag & Drop Upload: Drop any .pem, .crt, .csr, .der, .p12 file directly.
Sample Certificates: One-click load for CRT, CSR, RSA Key, DER, and P12 formats.
Dual Export: Download as human-readable TXT or machine-readable JSON.
Applications

Common Use Cases

**DevOps & SRE**: Verify certificate validity before deploying to production servers.
**SSL Renewal Workflows**: Confirm CSR fields match expected values before CA submission.
**Security Audits**: Check key size, algorithm, and SAN entries for compliance.
**Troubleshooting**: Diagnose SSL handshake errors by inspecting the actual cert fields.
**Education**: Learn X.509 certificate structure with real parsed examples.
Ecosystem

Related Tools

JWT Decoder

JWT Decoder

Decode and inspect JSON Web Tokens (JWT) instantly. 🔐 Secure, client-side decoding with human-readable dates (exp, iat), claim explanations, and expiry tracking. Private & Fast.

JSON Studio

JSON Studio

Format, Validate & Transform (JSON, CSV, XML, YAML)

Base64 Encoder Decoder

Base64 Encoder Decoder

Convert images to Base64, decode JWT tokens, and encode text securely. Secure, privacy-first tool with HTML/CSS snippets and URL-safe Base64 support.

Hex Decoder & Encoder Online - Convert Hex to Text

Hex Decoder & Encoder Online - Convert Hex to Text

Convert text to hexadecimal and hex to text instantly. Free online hex encoder and decoder tool. Perfect for developers, programmers, and data conversion.

Online Hash Generator

Online Hash Generator

Generate cryptographic hashes for text and files instantly. Supports SHA-256, MD5, SHA-512, CRC-32 and more. Features file drag-and-drop, verification, and offline-first performance.

Answers

Frequently Asked Questions

Q Is my certificate data safe to paste here?

Yes. This tool uses node-forge and processes everything locally in your browser. Your certificate data is never transmitted to any server.

Q What certificate formats are supported?

PEM (CRT), CSR, RSA Private Key, PKCS#7 (P7B), PKCS#12 (P12/PFX), and DER binary format.

Q How do I check if my certificate is expired?

Paste your certificate and check the "Valid To" field and the expiry countdown badge. A red "Expired" badge means the certificate is no longer valid.

Q Can I decode a PKCS#12 (.pfx) file?

Yes. Upload or paste the P12 binary, enter the password in the P12 password field, and click Save to decrypt and decode the certificate bundle.

Q What is a Certificate Signing Request (CSR)?

A CSR is a Base64-encoded request sent to a Certificate Authority to apply for a digital certificate. It contains the public key and subject details.