How to Inspect an X.509 Certificate Before Renewal

Decode a PEM certificate locally and verify the fields that can break HTTPS after renewal.

Problem

Certificate renewals fail when the new certificate has the wrong SAN, issuer chain, key type, validity period, or environment. These issues are easy to miss if you only check that a PEM file exists.

Solution

Use Certificate Decoder to inspect the certificate fields, compare old and new decoded outputs, and convert validity timestamps if needed.

Workflow

  1. Decode the current certificate
    Paste the existing PEM certificate into Certificate Decoder and save the decoded output for comparison.
  2. Decode the renewed certificate
    Run the same decoder on the new certificate. Check subject, issuer, notBefore, notAfter, public key algorithm, and Subject Alternative Name values.
  3. Compare old and new outputs
    Use Split & Diff to compare decoded fields. Expected differences include validity dates and serial number; unexpected SAN or issuer changes need review.
  4. Check dependent formats
    If you receive escaped PEM text from a secret store or JSON file, unescape it before decoding.

Examples

Renewal fields to compare

These fields are commonly responsible for post-renewal breakage.

Subject
Issuer
Validity: Not Before / Not After
Subject Alternative Name
Public Key Algorithm
Key Usage / Extended Key Usage

Checklist

  • Confirm every production hostname appears in SAN.
  • Confirm the renewed certificate is for the right environment.
  • Compare issuer and chain expectations.
  • Check expiry in UTC and local time.
  • Keep private keys out of browser tools; only paste public certificates.
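
The comparison in workflow step 3 and the SAN and expiry items of the checklist can also be scripted once both certificates are decoded. The following is an added example, not SmartDevBox code: the dictionary keys, the sample values and the function names are assumptions, and the wildcard rule is the common "left-most label only" match.

```python
from datetime import datetime, timezone

# A change in these fields on renewal needs review; serial and validity are expected to change.
REVIEW_IF_CHANGED = ("subject", "issuer", "san", "public_key_algorithm",
                     "key_usage", "extended_key_usage")

def san_covers(hostname, san_entries):
    """True if hostname matches a SAN DNS name; '*' may only replace the left-most label."""
    host = hostname.lower().rstrip(".")
    for entry in san_entries:
        pattern = entry.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            _, _, parent = host.partition(".")  # drop exactly one label from the hostname
            if parent == pattern[2:]:
                return True
    return False

def review_renewal(old, new, required_hosts, now):
    """Compare two decoded-certificate dicts; return findings (empty list = nothing to review)."""
    norm = lambda v: sorted(v) if isinstance(v, list) else v
    findings = []
    for field in REVIEW_IF_CHANGED:
        if norm(old.get(field)) != norm(new.get(field)):
            findings.append(f"REVIEW {field}: {norm(old.get(field))!r} -> {norm(new.get(field))!r}")
    if old["serial"] == new["serial"]:
        findings.append("REVIEW serial unchanged: this may be the old certificate")
    for host in required_hosts:
        if not san_covers(host, new.get("san", [])):
            findings.append(f"FAIL SAN does not cover {host}")
    not_before = datetime.fromisoformat(new["not_before"])
    not_after = datetime.fromisoformat(new["not_after"])
    if not (not_before <= now < not_after):
        findings.append(f"FAIL not valid at {now.isoformat()}")
    if not_after <= datetime.fromisoformat(old["not_after"]):
        findings.append("FAIL renewed certificate does not expire later than the old one")
    return findings

# Constructed sample data (hypothetical field names, not Certificate Decoder's output format).
OLD = {"serial": "01", "subject": "CN=www.example.com", "issuer": "CN=Example Issuing CA",
       "not_before": "2024-01-10T00:00:00+00:00", "not_after": "2025-01-10T00:00:00+00:00",
       "san": ["www.example.com", "api.example.com"], "public_key_algorithm": "RSA",
       "key_usage": ["digitalSignature"], "extended_key_usage": ["serverAuth"]}
NEW = dict(OLD, serial="02", issuer="CN=Example Staging CA", san=["www.example.com"],
           not_before="2024-12-20T00:00:00+00:00", not_after="2025-12-20T00:00:00+00:00")
NOW = datetime(2025, 1, 2, tzinfo=timezone.utc)
HOSTS = ["www.example.com", "api.example.com"]

if __name__ == "__main__":
    for line in review_renewal(OLD, NEW, HOSTS, NOW):
        print(line)
```

Validity timestamps are compared as timezone-aware UTC values, so convert local times before filling in the dictionaries.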

Frequently Asked Questions

Can I paste a private key into Certificate Decoder?

Do not paste private keys. The certificate decoder is meant for public X.509 certificates, not private key material.

Why does SAN matter more than CN?

Modern TLS clients validate hostnames against Subject Alternative Name. A correct common name does not fix a missing SAN entry.