liminfo

Certificate Decoder

About Certificate Decoder

The Certificate Decoder is a free, browser-based tool for parsing X.509 digital certificates in PEM format. Paste a PEM-encoded certificate (the familiar block starting with "-----BEGIN CERTIFICATE-----") into the textarea and click Decode Certificate. The tool immediately extracts and displays eight fields: Subject DN, Issuer DN, Serial Number, Not Before date, Not After date, Signature Algorithm, Public Key Algorithm, and Public Key Size in bits.

System administrators, DevOps engineers, TLS/SSL troubleshooters, and security auditors regularly need to inspect certificates to verify domain ownership, check expiry dates, and confirm the issuing CA and the key strength. This tool provides those details instantly without requiring OpenSSL commands, an online service that logs your certificate, or any software installation.

Technically, the decoder implements a minimal ASN.1/DER parser in pure JavaScript. It strips the PEM header and footer, decodes the Base64 body to raw bytes, and then recursively walks the ASN.1 structure of the TBSCertificate (To-Be-Signed Certificate). OID values are resolved against a built-in lookup table covering common distinguished-name attributes (CN, O, OU, C, L, ST) and signature algorithms (SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withRSA, SHA256withECDSA). Both UTCTime and GeneralizedTime date formats are supported, so certificates from any era are handled correctly. Because the entire parse runs in the browser, your certificate contents are never transmitted to any server.
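The parsing steps described above, as an added example that is not the tool's own code: it strips the PEM armor, Base64-decodes the body, walks the DER TLVs of the TBSCertificate, and returns the serial number, signature algorithm and validity dates. All function names are assumptions, the OID table holds only the three OIDs the page spells out, and the sample input is a constructed, truncated structure rather than a real certificate.

```javascript
// Constructed sample (not a real certificate): a truncated certificate prefix, hex -> PEM.
const SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + btoa(("3051304fa003020102020301abcd" +
  "300d06092a864886f70d01010b050030123110300e06035504030c0754657374204341" +
  "3020170d3939303130313030303030305a180f32303530303130313030303030305a")
  .replace(/../g, h => String.fromCharCode(parseInt(h, 16)))) + "\n-----END CERTIFICATE-----\n";
const OIDS = { "1.2.840.113549.1.1.11": "SHA256withRSA", "1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC" };
function pemToDer(pem) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/.exec(pem);
  if (!m) throw new Error("no CERTIFICATE block found");
  return Uint8Array.from(atob(m[1].replace(/\s+/g, "")), c => c.charCodeAt(0));
}
// Read one tag-length-value at `off` (single-byte tags only, which covers these fields).
function readTlv(buf, off) {
  let len = buf[off + 1], start = off + 2;
  if (len === 0x80) throw new Error("indefinite length is not valid DER");
  if (len > 0x80) { // long form: low 7 bits count the length bytes that follow
    const stop = start + (len & 0x7f);
    for (len = 0; start < stop; start++) len = len * 256 + buf[start];
  }
  if (!(start + len <= buf.length)) throw new Error("TLV overruns buffer"); // also catches NaN
  return { tag: buf[off], start, end: start + len, bytes: buf.subarray(start, start + len) };
}
function children(buf, node) {
  const out = [], scope = buf.subarray(0, node.end); // a child may not overrun its parent
  for (let off = node.start; off < node.end; off = out[out.length - 1].end) out.push(readTlv(scope, off));
  return out;
}
function oidToString(b) { // first byte packs two arcs; the rest are base-128 with a continuation bit
  const arcs = [Math.floor(b[0] / 40), b[0] % 40];
  for (let i = 1, v = 0; i < b.length; i++) { v = v * 128 + (b[i] & 0x7f); if (b[i] < 0x80) { arcs.push(v); v = 0; } }
  return arcs.join(".");
}
function parseTime(node) { // UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)
  if (node.tag !== 0x17 && node.tag !== 0x18) throw new Error("not a time value");
  const s = String.fromCharCode(...node.bytes), n = node.tag === 0x17 ? 2 : 4, y = Number(s.slice(0, n));
  const year = n === 4 ? y : y >= 50 ? 1900 + y : 2000 + y; // RFC 5280 pivot for 2-digit years
  const [MM, DD, hh, mm, ss] = s.slice(n).match(/\d\d/g);
  return `${year}-${MM}-${DD}T${hh}:${mm}:${ss}Z`;
}
function decodeCertificate(pem) {
  const der = pemToDer(pem);
  let f = children(der, children(der, readTlv(der, 0))[0]); // fields of TBSCertificate
  if (f[0].tag === 0xa0) f = f.slice(1); // skip the optional [0] EXPLICIT version
  const [serial, sigAlg, , validity] = f; // third field (issuer) is not decoded here
  const oid = oidToString(children(der, sigAlg)[0].bytes);
  const [notBefore, notAfter] = children(der, validity).map(parseTime);
  const hex = Array.from(serial.bytes, x => x.toString(16).padStart(2, "0").toUpperCase());
  return { serial: hex.join(":"), signatureAlgorithm: OIDS[oid] || oid, notBefore, notAfter };
}
```

The sample's Not Before is a UTCTime with year `99` and its Not After is a GeneralizedTime, so one call exercises both date encodings and the two-digit-year pivot.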

Key Features

  • Parses PEM-encoded X.509 certificates with a single click
  • Extracts Subject and Issuer Distinguished Names (DN) with OID-to-name resolution (CN, O, OU, C, L, ST)
  • Displays serial number in colon-separated hex notation
  • Shows Not Before and Not After validity dates in a readable UTC format
  • Identifies signature algorithm (SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withRSA, SHA256withECDSA)
  • Reports public key algorithm (RSA or EC) and estimated key size in bits
  • Pure client-side ASN.1/DER parser — certificate data never leaves your browser
  • Supports both UTCTime (2-digit year) and GeneralizedTime (4-digit year) date encodings

Frequently Asked Questions

What is a PEM certificate?

PEM (Privacy Enhanced Mail) is a Base64-encoded representation of a DER-encoded X.509 certificate, wrapped with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" header/footer lines. It is the most common format used by web servers, browsers, and TLS libraries.

How do I get a PEM certificate to decode?

You can obtain a PEM certificate by exporting it from your browser (click the padlock icon → Certificate → Export), from your server configuration files (usually .crt or .pem files), or from a CA issuance email. You can also use OpenSSL: `openssl s_client -connect example.com:443 -showcerts` to download a live certificate.

What information does the decoder extract?

The decoder extracts Subject (the entity the certificate belongs to), Issuer (the Certificate Authority that signed it), Serial Number (unique hex identifier), Not Before and Not After (validity window), Signature Algorithm (how the CA signed the cert), Public Key Algorithm (RSA or EC), and Public Key Size (e.g. 2048 bits).

Is the certificate data sent to a server?

No. The entire decoding process runs in your browser using a custom JavaScript ASN.1/DER parser. Your certificate — which may contain sensitive organisational information — never leaves your device and is never stored or logged anywhere.

What is the difference between the Subject and Issuer?

The Subject is the entity the certificate was issued to — for a TLS certificate this is typically the website domain and organisation. The Issuer is the Certificate Authority (CA) that signed and vouches for the certificate, such as Let's Encrypt, DigiCert, or an internal CA.

What does the public key size tell me?

The public key size, read together with the key algorithm, indicates the cryptographic strength of the certificate's key. RSA keys of 2048 bits are currently considered the minimum for production use; 4096-bit RSA keys offer stronger protection. EC (Elliptic Curve) keys are shorter for equivalent security: a 256-bit EC key provides roughly the same strength as a 3072-bit RSA key.

Can I decode a certificate chain or intermediate certificate?

Yes, as long as you paste a single certificate (one BEGIN/END block). The tool parses the first valid certificate it finds. For a full chain, decode each certificate individually by copying its separate BEGIN/END block.

What algorithms does the decoder recognise?

The built-in OID table covers SHA256withRSA (1.2.840.113549.1.1.11), SHA384withRSA, SHA512withRSA, SHA1withRSA, RSA (1.2.840.113549.1.1.1), EC (1.2.840.10045.2.1), and SHA256withECDSA. Unknown OIDs are displayed in dotted-decimal notation.