
About This Tool

🔐 Certificate Decoder – Parse X.509 PEM & DER Certificates

An X.509 certificate is the standard format for public key certificates used in TLS/SSL, code signing, email encryption, and more. While certificates are technically binary ASN.1 structures, this tool decodes them into a clear, human-readable breakdown — no OpenSSL installation required.

What Is a PEM Certificate?

PEM (Privacy Enhanced Mail) is the most common encoding format for X.509 certificates. A PEM certificate is a Base64-encoded DER certificate wrapped between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header lines. Most web server certificates, intermediate CA bundles, and root certificates are distributed in PEM format.

What Is a DER Certificate?

DER (Distinguished Encoding Rules) is the binary form of an ASN.1-structured X.509 certificate. Files with .cer or .der extensions are typically DER-encoded. This tool automatically converts DER binary files to PEM before decoding, so you can upload either format seamlessly.

Key Certificate Fields Explained

Subject & Issuer

The Subject identifies who the certificate was issued to — for a web server certificate, the Common Name (CN) is typically the domain name. The Issuer identifies the Certificate Authority (CA) that signed the certificate. When the Subject and Issuer are identical, the certificate is self-signed (common for root CAs or development environments).

Validity Period & Expiry

Every certificate has a Not Before and Not After date. The tool displays a visual timeline bar showing where today falls within the certificate's lifetime, along with a colour-coded countdown:

  • 🟢 Green — Valid with more than 30 days remaining
  • 🟠 Amber — Expiring within 8–30 days; renewal recommended
  • 🔴 Red — Expires within 7 days or already expired

Subject Alternative Names (SANs)

SANs list every domain name, IP address, or email address the certificate is valid for. Modern TLS certificates use SANs instead of relying on the CN alone. For example, a certificate for example.com might include SANs for www.example.com, api.example.com, and an IP like 192.0.2.1. Browsers validate against the SAN list when establishing HTTPS connections.

Key Usage & Extended Key Usage

Key Usage flags define what cryptographic operations the certificate's public key may be used for (e.g., Digital Signature, Key Encipherment). Extended Key Usage (EKU) further restricts usage — for example, TLS Web Server Authentication allows the cert to authenticate HTTPS servers, while Code Signing allows it to sign software packages.

Certificate Fingerprints

A fingerprint is a cryptographic hash of the full DER-encoded certificate bytes. It uniquely identifies a specific certificate — even a minor change to any field produces a completely different fingerprint. The tool computes both SHA-256 (current standard) and SHA-1 (legacy) fingerprints using your browser's built-in WebCrypto API, matching the output of:

openssl x509 -fingerprint -sha256 -noout -in cert.pem

Serial Number

The serial number is a unique integer assigned by the CA to each certificate it issues. It is displayed in both hexadecimal (colon-separated) and decimal formats. Serial numbers are used in Certificate Revocation Lists (CRLs) to identify revoked certificates.
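The two display formats can be derived directly from the certificate's ASN.1 bytes. The following is an added example for Node.js, not the tool's own code: `readTlv`, `readSerial` and `SAMPLE_DER` are hypothetical names, and the sample bytes are a constructed fragment rather than a real certificate.

```javascript
// Added example: locate and decode the serialNumber INTEGER in DER bytes.

// Reads one DER tag-length-value header starting at `offset`.
function readTlv(buf, offset) {
  if (offset + 2 > buf.length) throw new Error('truncated header');
  const tag = buf[offset];
  let length = buf[offset + 1];
  let start = offset + 2;
  if (length & 0x80) { // long form: low 7 bits give the count of length bytes
    const n = length & 0x7f;
    if (n === 0 || n > 4) throw new Error('unsupported length encoding');
    if (start + n > buf.length) throw new Error('truncated length');
    length = 0;
    for (let i = 0; i < n; i++) length = length * 256 + buf[start + i];
    start += n;
  }
  if (start + length > buf.length) throw new Error('value runs past end of input');
  return { tag, start, end: start + length };
}

// Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
//   version [0] EXPLICIT (absent in v1), serialNumber INTEGER, ... } ... }
function readSerial(der) {
  const cert = readTlv(der, 0);
  if (cert.tag !== 0x30) throw new Error('outer element is not a SEQUENCE');
  const tbs = readTlv(der, cert.start);
  if (tbs.tag !== 0x30) throw new Error('tbsCertificate is not a SEQUENCE');
  let field = readTlv(der, tbs.start);
  if (field.tag === 0xa0) field = readTlv(der, field.end); // skip version
  if (field.tag !== 0x02 || field.end === field.start) {
    throw new Error('serialNumber is not a non-empty INTEGER');
  }
  const hex = Buffer.from(der.subarray(field.start, field.end)).toString('hex');
  return {
    // Raw content bytes, including any 0x00 sign pad.
    hex: hex.toUpperCase().match(/../g).join(':'),
    // INTEGER is two's complement, so interpret the bytes as signed.
    decimal: BigInt.asIntN(hex.length * 4, BigInt('0x' + hex)).toString(),
  };
}

// Constructed bytes: only the leading fields of a certificate, with lengths
// adjusted so the fragment is self-consistent. Serial is 00 C0 FF EE.
const SAMPLE_DER = Buffer.from('300d300ba003020102020400c0ffee', 'hex');

console.log(readSerial(SAMPLE_DER));
```

The leading `00` in the hex form is a sign pad required because the next byte has its high bit set; it does not change the decimal value, which matters when comparing a serial against a CRL entry printed by another tool.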

Certificate Chains

A TLS connection typically involves three certificates in a chain: the leaf certificate (issued to your domain), one or more intermediate CA certificates, and a root CA certificate trusted by browsers. Paste a full PEM bundle (multiple -----BEGIN CERTIFICATE----- blocks) and this tool decodes each certificate separately, labelled by its position in the chain.
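The fingerprint calculation and the bundle handling described above, as an added example that is not the tool's own code. It uses Node's `crypto` module instead of the browser WebCrypto API so it runs from a command line; `splitPemBundle`, `fingerprint`, `describeBundle` and `SAMPLE_BUNDLE` are hypothetical names, and the sample bodies are constructed bytes rather than real certificates.

```javascript
// Added example: split a PEM bundle and fingerprint each entry's DER bytes.
const { createHash } = require('node:crypto');

const PEM_BLOCK =
  /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;

// Returns one Buffer of DER bytes per CERTIFICATE block, in bundle order.
// Blocks with other PEM labels (keys, CSRs) are ignored.
function splitPemBundle(text) {
  const ders = [];
  for (const match of text.matchAll(PEM_BLOCK)) {
    const b64 = match[1].replace(/\s+/g, ''); // drop line wraps and CRLF
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
      throw new Error(`block ${ders.length + 1}: body is not valid Base64`);
    }
    ders.push(Buffer.from(b64, 'base64'));
  }
  return ders;
}

// Hash of the DER bytes as colon-separated upper-case hex.
function fingerprint(der, algorithm = 'sha256') {
  const hex = createHash(algorithm).update(der).digest('hex').toUpperCase();
  return hex.match(/../g).join(':');
}

// Label each certificate in the bundle by position, with both fingerprints.
function describeBundle(text) {
  return splitPemBundle(text).map((der, i) => ({
    position: i + 1,
    sha256: fingerprint(der, 'sha256'),
    sha1: fingerprint(der, 'sha1'),
  }));
}

// Constructed input: the bodies decode to the three bytes "abc", not to a
// real certificate. The last block uses CRLF endings and a wrapped body;
// the decoded bytes are identical, so the fingerprints are identical too.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----',
  '-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----',
  '-----BEGIN CERTIFICATE-----\r\nYW\r\nJj\r\n-----END CERTIFICATE-----',
].join('\n');

console.log(describeBundle(SAMPLE_BUNDLE));
```

Because the hash covers the decoded DER bytes and not the PEM text, re-wrapping or re-encoding a certificate file leaves its fingerprint unchanged, while hashing the `.pem` file itself would not.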

Common Use Cases

  • Debugging HTTPS errors — check expiry, domain mismatch, or missing SANs
  • Certificate renewal audit — compare serial numbers and fingerprints before and after renewal
  • Security review — verify key size, signature algorithm, and key usage restrictions
  • Development & testing — inspect self-signed or locally generated certificates
  • Compliance checking — ensure certificates meet policy requirements (minimum 2048-bit RSA, SHA-256 signature, etc.)

Privacy & Security

All certificate parsing happens entirely in your browser using the node-forge library. No certificate data is transmitted to any server. It is safe to decode production, internal, or sensitive certificates with this tool.

Frequently Asked Questions

Is the Certificate Decoder free?

Yes, Certificate Decoder is totally free :)

Can I use the Certificate Decoder offline?

Yes, you can install the webapp as a PWA.

Is it safe to use Certificate Decoder?

Yes, any data related to Certificate Decoder is only stored in your browser (if storage is required). You can simply clear the browser cache to remove all the stored data. We do not store any data on the server.

How does the Certificate Decoder work?

Paste a PEM-encoded X.509 certificate (or upload a .pem / .crt / .cer / .der file) and click Decode. The tool uses the node-forge library entirely in your browser to parse the ASN.1 DER structure and extract every certificate field — no data is ever sent to a server.

What input formats are supported?

PEM format (Base64-encoded text with -----BEGIN CERTIFICATE----- headers) and DER format (binary .cer or .der files uploaded via the file picker). You can also paste a full PEM bundle containing multiple certificates to decode an entire certificate chain at once.

What certificate fields does this tool display?

Version, serial number (hex and decimal), signature algorithm, issuer DN, subject DN, validity dates with days-remaining countdown, public key algorithm and bit length, key usage flags, extended key usage, Subject Alternative Names (SANs), basic constraints, and SHA-1 / SHA-256 fingerprints.

How is the SHA-256 fingerprint calculated?

The fingerprint is computed by hashing the full DER-encoded certificate bytes using the browser's built-in WebCrypto API (SHA-256). This matches what OpenSSL reports with `openssl x509 -fingerprint -sha256 -in cert.pem`.

Is my certificate data kept private?

Yes. All decoding happens entirely in your browser — node-forge runs locally and no certificate data is ever transmitted to a server. It is safe to use with production or sensitive certificates.

What do the expiry status colours mean?

Green means the certificate is valid with more than 30 days remaining. Amber means it expires within 8–30 days and should be renewed soon. Red means it expires within 7 days or has already expired and is shown with an EXPIRED badge.