PEM Certificate
Load Example
Certificate Summary
Subject
Issuer
Public Key Information
Extensions
PEM, DER, PFX, CRT — certificate file formats explained
- PEM (Privacy Enhanced Mail) — Base64-encoded certificate wrapped in
-----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----headers. Plain text. Most common format on Linux + macOS. Usual extensions:.pem,.crt,.cer,.key. - DER (Distinguished Encoding Rules) — binary encoding of the same X.509 data. Smaller, not human-readable. Convert to/from PEM with
openssl x509 -inform DER -in cert.der -out cert.pem. - PKCS#7 / P7B — container for one or more certificates (no private keys). Extensions:
.p7b,.p7c. - PKCS#12 / PFX — password-protected container with certificate AND private key. Used by Windows / IIS. Extensions:
.pfx,.p12. - CRT / CER — ambiguous: could be PEM or DER. Check the first bytes —
-----BEGIN= PEM, otherwise DER.
Our decoder handles all four. For PFX files with private keys, we decode only the certificate portion (private key stays in your file — never paste private keys into any online tool).
Verifying a certificate chain
A complete chain includes the leaf certificate (your domain) plus every intermediate up to (but usually not including) the root CA. To verify manually:
# Inspect a cert
openssl x509 -in cert.pem -text -noout
# Verify the chain
openssl verify -CAfile intermediate.pem cert.pem
# "cert.pem: OK" on success
# Extract chain from a live HTTPS server
openssl s_client -connect example.com:443 -showcerts < /dev/null
Missing intermediate = browser error NET::ERR_CERT_AUTHORITY_INVALID. Our SSL Checker fetches and walks the chain automatically — pair both tools when diagnosing a cert issue.
Frequently Asked Questions
How do I decode a PEM or X.509 certificate online?
Paste the PEM block (starts with `-----BEGIN CERTIFICATE-----`). The decoder shows subject, issuer, validity period, SAN list, key algorithm, key size, signature algorithm, fingerprints (SHA-1, SHA-256) and extensions. Perfect for debugging TLS certs.
What's the difference between PEM, DER, PFX and CRT?
PEM = Base64-encoded text with `-----BEGIN-----` headers. DER = binary form of the same data. CRT / CER = either (context-dependent). PFX / P12 = PEM + private key in one encrypted bundle (for Windows/IIS). Our decoder handles all four.
How do I check a certificate's expiration or SAN list?
Paste the cert. The decoder highlights "Valid from" and "Valid to" dates (red if expired, yellow if <30 days). SAN (Subject Alternative Names) list shows every hostname the cert covers — critical for wildcard or multi-domain certs.
Can I decode a certificate chain (intermediate + root)?
Yes. Paste multiple PEM blocks concatenated — common for Let's Encrypt (leaf + intermediate). The decoder parses each and links them visually by issuer/subject. Useful for verifying the chain is complete when configuring nginx, Apache or a load balancer.
Is my certificate data sent to a server?
No. All decoding runs in your browser using Web Crypto APIs. Safe for real production certs — even private keys (though we never ask you to paste private keys). Client-side only.
Related Developer Tools
Copyright © 2026 BuildStudio. All rights reserved.
Designed and Developed by Webority Technologies
Report an issue
We use necessary cookies to run this site, and analytics cookies only with your consent. No advertising, no cross-site tracking. Read our Privacy Policy.