Certificate Decoder — Decode SSL/TLS X.509 Certs Online
Certificate Decoder parses PEM-encoded X.509 certificates (SSL/TLS certificates starting with -----BEGIN CERTIFICATE-----) and extracts the subject, issuer, validity period, serial number, and signature algorithm. You can also paste a raw Base64-encoded certificate (without the PEM headers) — the decoder wraps it automatically. All parsing runs via a pure-JavaScript ASN.1 DER decoder entirely in the browser. No certificate data is sent to a server.
What Is an X.509 Certificate?
An X.509 certificate is the standard data structure that proves ownership of a public key. Every HTTPS website, code-signing package, and S/MIME email uses X.509 certificates defined by RFC 5280. The certificate binds a public key to an identity (a domain name, organisation, or individual) using a digital signature from a trusted Certificate Authority (CA).
When you see the padlock in your browser, the server has presented an X.509 certificate. Your browser checks that the certificate was signed by a CA it trusts, that the hostname matches a Subject Alternative Name in the certificate, and that the current date falls within the validity window. If any of those checks fail, the browser shows a warning.
On disk, certificates are usually stored in PEM format — a Base64-encoded DER structure wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers. DER is the binary ASN.1 encoding of the certificate's fields. This decoder converts that Base64 text back to human-readable field values without sending anything to a server.
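The PEM-to-DER step described above, as an added example (not the decoder's own source): it accepts PEM or bare Base64, walks the DER tag-length-value structure, and reads the version and serial number from the start of the tbsCertificate. The function names and the tiny sample are constructed for illustration, and it assumes a runtime with a global atob (browsers, Node 16+).

```javascript
// Constructed sample, not a real certificate: just the outer SEQUENCE, the
// tbsCertificate SEQUENCE, the [0] version field and a 5-byte serial number.
const SAMPLE_B64 = "MA4wDKADAgECAgUA1PaUOA==";

// Accept PEM or bare Base64 (no headers) and return the DER bytes.
function pemToDer(input) {
  const b64 = input
    .replace(/-----(BEGIN|END) CERTIFICATE-----/g, "")
    .replace(/\s+/g, "");
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(b64)) throw new Error("not Base64");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Read one DER tag-length-value at `pos` (short and long length forms).
function readTlv(der, pos) {
  if (pos + 2 > der.length) throw new Error("truncated header");
  const tag = der[pos];
  let len = der[pos + 1];
  let start = pos + 2;
  if (len & 0x80) {
    const n = len & 0x7f; // number of length bytes that follow
    if (n === 0 || n > 4 || start + n > der.length) throw new Error("bad length");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der[start + i];
    start += n;
  }
  if (start + len > der.length) throw new Error("value runs past end of input");
  return { tag, start, end: start + len };
}

// Walk Certificate -> tbsCertificate and extract version and serial number.
function readVersionAndSerial(input) {
  const der = pemToDer(input);
  const cert = readTlv(der, 0);
  const tbs = readTlv(der, cert.start);
  if (cert.tag !== 0x30 || tbs.tag !== 0x30) throw new Error("expected SEQUENCE");
  let field = readTlv(der, tbs.start);
  let version = 1; // the [0] field is omitted in v1 certificates
  if (field.tag === 0xa0) {
    const v = readTlv(der, field.start);
    if (v.tag !== 0x02 || v.end - v.start !== 1) throw new Error("bad version");
    version = der[v.start] + 1; // encoded value 2 means v3
    field = readTlv(der, field.end);
  }
  if (field.tag !== 0x02) throw new Error("expected INTEGER serial number");
  const bytes = Array.from(der.slice(field.start, field.end));
  return { version, serial: bytes.map((b) => b.toString(16).padStart(2, "0")).join(":") };
}
```

Input whose declared length exceeds the bytes actually present is rejected rather than read past the end, which is the failure a cut-off paste produces.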
Understanding the Output Fields
Version: X.509 v3 (value 2) is the current standard. v3 added the extensions mechanism, which carries SANs, key usage constraints, and CA path length limits. You will rarely see v1 certificates outside of self-signed root CAs.
Serial Number: A unique integer assigned by the CA. Certificate Transparency logs use the serial number to track issuance. If you are investigating a specific certificate in a CT log or revocation list, this is the field to match on.
Issuer: The Distinguished Name (DN) of the CA that signed the certificate. It is composed of sub-fields: Country (C), State (ST), Locality (L), Organisation (O), Organisational Unit (OU), and Common Name (CN). For a Let's Encrypt certificate the issuer CN is typically "R10" or "R11"; for DigiCert it may be "DigiCert TLS RSA SHA256 2020 CA1".
Subject: The DN of the entity the certificate was issued to. For domain certificates the CN is often the primary hostname, though browsers now require SANs for all hostname validation. For EV (Extended Validation) certificates the O field contains the verified legal organisation name.
Validity: Not Before and Not After timestamps define the certificate's lifetime. Domain Validation (DV) certificates from public CAs are currently capped at 398 days. Check this field when troubleshooting an expired certificate error.
Subject Alternative Names (SANs): A comma-separated list of DNS names and IP addresses the certificate covers. This is the definitive field for hostname matching. A wildcard SAN such as *.example.com covers one level of subdomain (api.example.com) but not two levels (v1.api.example.com).
Signature Algorithm: The algorithm the CA used to sign the certificate — typically sha256WithRSAEncryption or ecdsa-with-SHA256. SHA-1 signatures were deprecated in 2017; any certificate still showing sha1WithRSAEncryption should be replaced immediately.
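The wildcard rule from the Subject Alternative Names entry above, as an added example (not the decoder's own code): a hostname is checked against a comma-separated SAN list, with "*" allowed only as the whole left-most label. The function names and sample list are constructed; refusing "*.com" and handling only IPv4 literals are assumptions of this sketch.

```javascript
// Constructed SAN list, in the comma-separated form the decoder displays.
const SAMPLE_SANS = "example.com, *.example.com, 192.0.2.10";

const isIPv4 = (s) => /^\d{1,3}(\.\d{1,3}){3}$/.test(s);

// Compare one hostname against one SAN entry.
function matchesEntry(hostname, entry) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  const san = entry.trim().toLowerCase();
  // IP addresses match only by exact equality, never through a wildcard.
  if (isIPv4(host) || isIPv4(san)) return host === san;
  const h = host.split(".");
  const s = san.split(".");
  // "*" stands for exactly one label, so the label counts must agree.
  if (h.length !== s.length || h.includes("")) return false;
  if (s[0] === "*") {
    // Assumption: require two fixed labels after "*", so "*.com" is refused.
    if (s.length < 3 || s.slice(1).includes("*")) return false;
    return h.slice(1).join(".") === s.slice(1).join(".");
  }
  // Partial wildcards such as "a*.example.com" are not honoured.
  return !san.includes("*") && host === san;
}

// True when any SAN entry covers the hostname.
function hostMatchesSans(hostname, sanList) {
  return sanList.split(",").some((entry) => matchesEntry(hostname, entry));
}
```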
Worked Example
Below is a minimal self-signed certificate. Paste it into the decoder to follow along:
-----BEGIN CERTIFICATE-----
MIICpDCCAYwCCQDU9pQ4pHgSpDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjQwMTAxMDAwMDAwWhcNMjUwMTAxMDAwMDAwWjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7
-----END CERTIFICATE-----
The decoder will show: Version v3, a serial number, Issuer CN=localhost, Subject CN=localhost, a one-year validity window, and a 2048-bit RSA public key. Because this is self-signed, the issuer and subject DNs are identical — a pattern that immediately identifies root CAs and development certificates.
For a real production certificate you would typically see a multi-level issuer chain (root CA → intermediate CA → end-entity cert), an O field in the subject for OV/EV certificates, and a SANs extension listing every hostname the certificate is valid for.
Common Use Cases
- Checking certificate expiry dates before renewal
- Verifying the Subject CN and SAN fields of a certificate
- Inspecting issuer chain information for SSL debugging
- Auditing certificate serial numbers and algorithms
Frequently Asked Questions
How do I decode an X.509 certificate?
Paste a PEM-encoded certificate (starting with -----BEGIN CERTIFICATE-----) into SmartDevBox. The Certificate Decoder extracts the subject, issuer, validity period, public key algorithm, and all certificate extensions.
Is it safe to paste a certificate into an online decoder?
X.509 public certificates are designed to be public — they contain no private key material. It is safe to decode them in any online tool. Never paste a private key into an online service.
What are Subject Alternative Names (SANs) in an SSL certificate?
Subject Alternative Names (SANs) are the list of domain names and IP addresses a certificate is valid for. Modern browsers ignore the Subject CN field for hostname validation and rely entirely on SANs. A certificate for example.com will typically include SANs for both example.com and www.example.com.
How do I get the PEM certificate from a live website?
Run:
openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM
This prints the server certificate in PEM format, which you can paste directly into the decoder.
Privacy & Security
This tool runs entirely in your browser using client-side JavaScript. No data is sent to a server — your input never leaves your machine. SmartDevBox has no account system, no usage tracking, and no paid tier. See the Privacy & Security page for full details.