Features

Decode X.509 certificates

View expiration date

Check certificate validity

View issuer information

View subject details

Subject Alternative Names (SAN)

Serial number and fingerprint

Public key information

100% client-side decoding

No data sent to servers

What is an SSL Certificate?

An SSL/TLS certificate is a digital certificate that authenticates a website's identity and enables encrypted connections. SSL certificates contain the website's public key and identity information, verified by a Certificate Authority (CA). When you visit a website with HTTPS, your browser uses the SSL certificate to establish a secure, encrypted connection.

SSL certificates use the X.509 standard format and contain important information like the domain name, organization details, issuer (Certificate Authority), validity period, and public key. Understanding certificate details is crucial for security audits, troubleshooting SSL issues, and ensuring proper HTTPS configuration.

SSL Certificate Components

Subject: The entity the certificate is issued to (domain, organization)
Issuer: The Certificate Authority that issued the certificate
Validity Period: Start and expiration dates
Public Key: Used for encryption and signature verification
Serial Number: Unique identifier for the certificate
SAN: Subject Alternative Names (additional domains covered)
Signature: CA's digital signature verifying authenticity

Example certificate information:

Subject: CN=example.com
Issuer: CN=Let's Encrypt Authority X3
Valid From: 2024-01-01 00:00:00 UTC
Valid To: 2024-04-01 00:00:00 UTC
SAN: example.com, www.example.com
Serial Number: 03:5D:A7:E9:F4:2B:8C:9A

How to Use the SSL Certificate Decoder

Step 1: Obtain Certificate

Get the SSL certificate in PEM format. You can export it from your web server, download it from a website using your browser, or use OpenSSL command: `openssl s_client -connect example.com:443 -showcerts`

Step 2: Paste Certificate

Copy the entire certificate including the BEGIN and END markers. The certificate should start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".

Step 3: Decode and Analyze

Click "Decode Certificate" to parse the certificate. The decoder displays all certificate details including validity dates, issuer, subject, and Subject Alternative Names. Check the expiration date to ensure the certificate is still valid.

Step 4: Verify Information

Review the decoded information to verify the certificate is issued to the correct domain, by a trusted CA, and hasn't expired. Check SAN entries to see all domains covered by the certificate.

Common Use Cases

1. Certificate Expiration Monitoring

Check when SSL certificates expire to avoid website downtime. Expired certificates cause browser warnings and prevent users from accessing your site. Set up monitoring to renew certificates before expiration.

2. SSL Troubleshooting

When users report SSL errors, decode the certificate to verify it's correctly configured. Check that the certificate matches the domain, is issued by a trusted CA, and hasn't expired.

3. Security Audits

During security audits, decode certificates to verify they meet security requirements. Check key length, signature algorithm, and ensure certificates are from trusted CAs.

4. Certificate Chain Verification

Decode intermediate and root certificates to verify the complete certificate chain. Incomplete chains cause SSL errors in some browsers and should be fixed.

5. Multi-Domain Certificate Validation

For wildcard or SAN certificates covering multiple domains, decode to verify all required domains are included in the Subject Alternative Names field.

SSL Certificate Examples

Example 1: Get Certificate from Website

# Using OpenSSL
openssl s_client -connect example.com:443 -showcerts

# Using curl
curl -v https://example.com 2>&1 | openssl x509 -text

Example 2: Check Certificate Expiration

# Check expiration date
openssl x509 -in certificate.crt -noout -enddate

# Check if certificate is valid
openssl x509 -in certificate.crt -noout -checkend 86400

Example 3: View Certificate Details

# View all certificate information
openssl x509 -in certificate.crt -text -noout

# View subject and issuer
openssl x509 -in certificate.crt -noout -subject -issuer

Example 4: Extract SAN Entries

# View Subject Alternative Names
openssl x509 -in certificate.crt -noout -ext subjectAltName

# Output example:
# X509v3 Subject Alternative Name:
#     DNS:example.com, DNS:www.example.com

Example 5: Verify Certificate Chain

# Verify certificate against CA bundle
openssl verify -CAfile ca-bundle.crt certificate.crt

# Check certificate chain
openssl s_client -connect example.com:443 -showcerts

Frequently Asked Questions

What is PEM format?

PEM (Privacy Enhanced Mail) is a Base64 encoded format for certificates. It's the most common format and starts with "-----BEGIN CERTIFICATE-----". Most web servers and tools use PEM format.

How do I get a website's SSL certificate?

Click the padlock icon in your browser's address bar, view certificate details, and export it. Or use OpenSSL: `openssl s_client -connect example.com:443 -showcerts | openssl x509 > cert.pem`

What is Subject Alternative Name (SAN)?

SAN is an extension that allows one certificate to secure multiple domain names. For example, a SAN certificate can cover both example.com and www.example.com, or multiple different domains.

How long before expiration should I renew?

Renew certificates at least 30 days before expiration to allow time for deployment and troubleshooting. Many organizations renew 60-90 days early. Let's Encrypt certificates expire after 90 days.

What's the difference between SSL and TLS?

TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer). Modern websites use TLS, but "SSL certificate" is still the common term. Current versions are TLS 1.2 and TLS 1.3.

Can I decode encrypted private keys?

No, this tool only decodes public certificates. Private keys should never be shared or decoded online. Keep private keys secure and never upload them to web tools.

What is a wildcard certificate?

A wildcard certificate secures a domain and all its subdomains. For example, *.example.com covers www.example.com, api.example.com, mail.example.com, etc. The wildcard only works for one level of subdomains.

How do I fix certificate errors?

Common fixes: ensure certificate matches domain name, verify certificate hasn't expired, install intermediate certificates, check system date/time, and ensure certificate is from a trusted CA.

Is my certificate data safe?

Yes, all decoding happens in your browser using JavaScript. Certificates are public information anyway, but no data is sent to any server. Never upload private keys to any online tool.

What certificate authorities are trusted?

Major trusted CAs include Let's Encrypt, DigiCert, Sectigo, GlobalSign, and GoDaddy. Browsers maintain lists of trusted root CAs. Certificates from untrusted CAs trigger browser warnings.

Related Tools

Explore our other security and network tools:

CSR Generator - Generate certificate signing requests
RSA Key Generator - Generate RSA key pairs
DNS Lookup - Check DNS records
HTTP Header Analyzer - Analyze HTTP headers
HMAC Generator - Generate HMAC signatures

SSL Certificate Decoder

Paste Certificate

Decode

View Details

Paste SSL Certificate (PEM Format)