An X.509 certificate (RFC 5280) is the signed, DER-encoded structure a TLS server presents to prove its identity. This decoder takes a PEM-encoded certificate and parses out the Subject, Issuer, validity window, Subject Alternative Names, key usage, basic constraints, public-key algorithm, and SHA-256 / SHA-1 fingerprints. Everything runs in your browser, with no request sent anywhere.
The validity banner colour-codes expiry urgency: green for > 30 days, amber for < 30 days, red for already-expired. Useful when auditing a cert chain pulled during a pentest, or sanity-checking a self-signed cert before deployment.
Colour-coded expiry banner, exact days remaining, full validity window in UTC. Catches the 30-day-warning window automatically.
Every Subject Alternative Name is listed with its type (DNS, IP, Email, URI). A cert often binds dozens of names — easy to miss in raw OpenSSL output.
SHA-256 and SHA-1 fingerprints in colon-separated hex — the format used by browsers, certificate-pinning libraries, and CT log lookups.
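To reproduce the validity window, banner colour and fingerprints offline, the following added example (not this tool's own code) decodes the PEM armor, walks the DER to the validity field, and hashes the DER bytes. All function names are hypothetical, the sample is a constructed DER skeleton rather than a real signed certificate, and treating exactly 30 days remaining as amber is an assumption, since the thresholds above leave that case open.

```python
import base64, hashlib
from datetime import datetime, timedelta, timezone

# Constructed DER skeleton (not a real, signed certificate): version, serial,
# empty signature/issuer, then validity 2025-01-01 .. 2026-01-01 as UTCTime.
SAMPLE_DER = (b"\x30\x2e\x30\x2c\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00\x30\x00"
              b"\x30\x1e\x17\x0d250101000000Z\x17\x0d260101000000Z")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()

def pem_to_der(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)  # the armor is dropped; only the DER is hashed and parsed

def fingerprint(der, alg="sha256"):
    # Hash of the DER bytes (never the PEM text), as colon-separated upper-case hex.
    return ":".join(f"{b:02X}" for b in hashlib.new(alg, der).digest())

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year: RFC 5280 maps 50-99 to 19YY, 00-49 to 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    # Certificate -> tbsCertificate -> [version] serial signature issuer validity
    tbs = children(children(read_tlv(der, 0)[1])[0][1])
    skip = 1 if tbs[0][0] == 0xA0 else 0  # the [0] version field is optional (v1 certs omit it)
    return tuple(parse_time(t, v) for t, v in children(tbs[skip + 3][1]))

def banner(not_after, now):
    if now > not_after:
        return "red"
    return "green" if not_after - now > timedelta(days=30) else "amber"
```

A fingerprint computed over the PEM text instead of the decoded DER will not match what browsers, pinning libraries or CT logs report.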