Tools/Security/Certificate Decoder

Certificate Decoder

Decode PEM-encoded X.509 certificates and inspect all fields.

PEM Certificate

Load Example

Related Tools

SSL/TLS Checker

Verify SSL certificates and check expiration

JWT Decoder

Decode and inspect JSON Web Tokens

Base64 Encode / Decode

Encode or decode Base64 strings

PEM, DER, PFX, CRT — certificate file formats explained

  • PEM (Privacy Enhanced Mail) — Base64-encoded certificate wrapped in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- headers. Plain text. Most common format on Linux + macOS. Usual extensions: .pem, .crt, .cer, .key.
  • DER (Distinguished Encoding Rules) — binary encoding of the same X.509 data. Smaller, not human-readable. Convert to/from PEM with openssl x509 -inform DER -in cert.der -out cert.pem.
  • PKCS#7 / P7B — container for one or more certificates (no private keys). Extensions: .p7b, .p7c.
  • PKCS#12 / PFX — password-protected container with certificate AND private key. Used by Windows / IIS. Extensions: .pfx, .p12.
  • CRT / CER — ambiguous: could be PEM or DER. Check the first bytes — -----BEGIN = PEM, otherwise DER.

Our decoder handles all four. For PFX files with private keys, we decode only the certificate portion (private key stays in your file — never paste private keys into any online tool).

Verifying a certificate chain

A complete chain includes the leaf certificate (your domain) plus every intermediate up to (but usually not including) the root CA. To verify manually:

# Inspect a cert
openssl x509 -in cert.pem -text -noout

# Verify the chain
openssl verify -CAfile intermediate.pem cert.pem
# "cert.pem: OK" on success

# Extract chain from a live HTTPS server
openssl s_client -connect example.com:443 -showcerts < /dev/null

Missing intermediate = browser error NET::ERR_CERT_AUTHORITY_INVALID. Our SSL Checker fetches and walks the chain automatically — pair both tools when diagnosing a cert issue.

Frequently Asked Questions

How do I decode a PEM or X.509 certificate online?

Paste the PEM block (starts with `-----BEGIN CERTIFICATE-----`). The decoder shows subject, issuer, validity period, SAN list, key algorithm, key size, signature algorithm, fingerprints (SHA-1, SHA-256) and extensions. Perfect for debugging TLS certs.

What's the difference between PEM, DER, PFX and CRT?

PEM = Base64-encoded text with `-----BEGIN-----` headers. DER = binary form of the same data. CRT / CER = either (context-dependent). PFX / P12 = PEM + private key in one encrypted bundle (for Windows/IIS). Our decoder handles all four.

How do I check a certificate's expiration or SAN list?

Paste the cert. The decoder highlights "Valid from" and "Valid to" dates (red if expired, yellow if <30 days). SAN (Subject Alternative Names) list shows every hostname the cert covers — critical for wildcard or multi-domain certs.

Can I decode a certificate chain (intermediate + root)?

Yes. Paste multiple PEM blocks concatenated — common for Let's Encrypt (leaf + intermediate). The decoder parses each and links them visually by issuer/subject. Useful for verifying the chain is complete when configuring nginx, Apache or a load balancer.

Is my certificate data sent to a server?

No. All decoding runs in your browser using Web Crypto APIs. Safe for real production certs — even private keys (though we never ask you to paste private keys). Client-side only.

Related Developer Tools

JWT Decoder Decode and verify JSON Web Tokens.
Hash Generator MD5, SHA-1, SHA-256, SHA-512.
SSL / TLS Checker Verify certificates and expiry.
Security Headers Scan HTTP security headers A–F.
CSP Evaluator Analyze Content Security Policy.
CORS Tester Debug Cross-Origin policy.

Smarter quality checks. Faster deployments.
Better apps.

Legal
Privacy Policy Terms & Conditions
Company
About Contact
Get in touch

email contact@webority.com

Follow us

Copyright © 2026 BuildStudio. All rights reserved.

Designed and Developed by Webority Technologies

Copied to clipboard