X.509 Certificate Decoder

Paste a PEM or DER X.509 certificate or CSR and read its subject, issuer, validity dates, subject alternative names, public key, and signature algorithm, entirely in your browser.

Drop a PEM (-----BEGIN CERTIFICATE-----) or base64 DER blob into the box and instantly see the human-readable fields inside: who the certificate is for, who signed it, when it expires, what hostnames it covers, and which key and signature algorithms it uses. It also understands certificate signing requests (CSRs), so you can sanity-check a request before you hand it to a CA. Everything is parsed locally with pkijs and asn1js loaded on demand, so your certificate and private details never leave the page.

What is X.509 Certificate Decoder?

The X.509 Certificate Decoder is a free, in-browser tool that turns the dense base64 of a TLS/SSL certificate or a PKCS#10 certificate signing request into a clear, readable summary. Sysadmins, DevOps engineers, and security reviewers use it to confirm which domains a certificate protects, check the not-before and not-after dates before a renewal, inspect the issuer and subject, and read the public key size and signature algorithm without reaching for openssl on the command line. It accepts a full PEM block or a raw base64 DER body in the Certificate or CSR input, detects whether the blob is a certificate or a CSR, and lays out the Subject, Issuer, serial number, validity window, Subject Alternative Names, public key, and signature algorithm. Because the parsing runs with pkijs and asn1js entirely inside your browser, nothing is uploaded and the tool keeps working offline.

How to use X.509 Certificate Decoder

  1. Copy a certificate or CSR, including the -----BEGIN----- and -----END----- lines if you have them, or just the base64 body.
  2. Paste it into the Certificate or CSR input box; decoding starts automatically as soon as it parses.
  3. Read the Decoded details output: Subject, Issuer, validity dates, Subject Alternative Names, public key, and signature algorithm.
  4. Use the copy button to grab the full decoded summary, or copy individual lines from the output.
  5. If the input is not a valid certificate or CSR, fix the surrounding text or padding shown in the error note and try again.

Examples

Reading a website's leaf certificate

Input

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIE...truncated...
-----END CERTIFICATE-----

Output

Subject: CN=example.com
Issuer: CN=R3, O=Let's Encrypt, C=US
Valid from: 2026-01-01
Valid to: 2026-04-01
SANs: example.com, www.example.com
Public key: RSA 2048-bit
Signature: RSASSA-PKCS1-v1_5 with SHA-256

Checking a CSR before submitting it

Input

-----BEGIN CERTIFICATE REQUEST-----
MIICijCCAXICAQAw...truncated...
-----END CERTIFICATE REQUEST-----

Output

Type: Certificate Signing Request (CSR)
Subject: CN=api.example.com, O=Example Inc
Public key: EC P-256
Signature: ECDSA with SHA-256

Frequently asked questions

Is my certificate or CSR uploaded anywhere?
No. Decoding runs entirely in your browser with the pkijs and asn1js libraries loaded on demand. The certificate or CSR you paste is never sent to or stored on any server, so the tool works offline and your data stays on your device.
What input formats are accepted?
PEM blocks wrapped in -----BEGIN CERTIFICATE----- or -----BEGIN CERTIFICATE REQUEST----- lines, and raw base64 DER bodies without the wrapper. The tool strips whitespace and the header/footer automatically, then decodes the base64 to DER bytes.
Does it tell certificates and CSRs apart?
Yes. It first tries to parse the input as an X.509 certificate; if that fails it tries a PKCS#10 certificate signing request, and the output labels which one it found. CSRs have no validity dates or issuer, so those fields are omitted for them.
Why does it say my input is invalid?
The base64 may be truncated, contain stray characters, or be a different format such as a private key or a PKCS#12 bundle. Make sure you pasted the whole certificate body and that the header and footer lines match the content.
Can it verify whether the certificate is trusted or expired?
It shows the not-before and not-after dates so you can judge expiry yourself, but it does not validate the certificate against a trust store or check revocation. It is a read-only decoder, not a chain validator.
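
The input handling described in the answers above (strip the wrapper, decode base64 to DER, tell a certificate from a CSR, reject truncated or wrong-format input), sketched as an added example that is not the tool's own code. It swaps the pkijs try-certificate-then-CSR parse for a structural check on the first DER fields; the function names and sample byte arrays are constructed for illustration.

```javascript
// Added example. Names are hypothetical; samples are constructed DER skeletons, not real certificates.
function pemToDer(text) {
  const m = text.match(/-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/);
  const b64 = (m ? m[2] : text).replace(/\s+/g, "");
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(b64))
    throw new Error("not base64: stray characters, bad padding or mismatched header/footer");
  return { label: m ? m[1] : null, der: Uint8Array.from(atob(b64), c => c.charCodeAt(0)) };
}

// Read one DER tag-length-value at pos, refusing lengths that overrun the buffer.
function readTlv(der, pos) {
  if (pos + 2 > der.length) throw new Error("truncated DER");
  const tag = der[pos];
  let len = der[pos + 1], start = pos + 2;
  if (len & 0x80) {                       // long form: low 7 bits = number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || start + n > der.length) throw new Error("bad DER length");
    len = 0; for (let i = 0; i < n; i++) len = len * 256 + der[start + i];
    start += n;
  }
  if (start + len > der.length) throw new Error("truncated DER");
  return { tag, start, end: start + len };
}

function classify(text) {
  const { label, der } = pemToDer(text);
  const outer = readTlv(der, 0);
  if (outer.tag !== 0x30 || outer.end !== der.length) throw new Error("not one DER SEQUENCE");
  let type = "unknown";
  const body = readTlv(der, outer.start);        // tbsCertificate or certificationRequestInfo
  if (body.tag !== 0x30) return { label, type }; // PKCS#1/PKCS#8 keys start with INTEGER
  const first = readTlv(der, body.start);
  if (first.tag === 0xa0) type = "certificate";  // [0] version => v2/v3 certificate
  else if (first.tag === 0x02) {                 // v1 serialNumber, or CSR version
    const next = readTlv(der, first.end);
    // Certificate: AlgorithmIdentifier starts with an OID. CSR: Name is empty or starts with a SET.
    if (next.tag === 0x30)
      type = next.end === next.start || der[next.start] === 0x31 ? "csr" : der[next.start] === 0x06 ? "certificate" : "unknown";
  }
  return { label, type };
}

const toPem = (label, bytes) => `-----BEGIN ${label}-----\n${btoa(String.fromCharCode(...bytes))}\n-----END ${label}-----`;
const CERT_V3 = [0x30,0x0a,0x30,0x08,0xa0,0x03,0x02,0x01,0x02,0x02,0x01,0x01];
const CSR     = [0x30,0x09,0x30,0x07,0x02,0x01,0x00,0x30,0x02,0x31,0x00];
const PKCS8   = [0x30,0x08,0x02,0x01,0x00,0x30,0x03,0x06,0x01,0x2a];
for (const [l, b] of [["CERTIFICATE", CERT_V3], ["CERTIFICATE REQUEST", CSR], ["PRIVATE KEY", PKCS8]]) console.log(l, "->", classify(toPem(l, b)).type);
```

Returning the PEM label alongside the detected type lets a caller flag a wrapper that disagrees with its contents, such as a CSR pasted between CERTIFICATE lines.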
