ZeroTool Workbench

SSL Certificate Decoder

Paste any X.509 PEM certificate to view Subject, Issuer, validity, SANs, public key, signature algorithm, and SHA-256/SHA-1/MD5 fingerprints. Free, browser-based, no upload.

100% Client-Side · Your data never leaves your browser · Free · No Sign-Up

How to Use

  1. Paste your X.509 certificate (PEM format) into the input box.
  2. Click Decode. The full set of certificate fields appears below.
  3. Review Validity for expiry status — expired, valid, or expiring within 30 days.
  4. Inspect Subject, Issuer, and Subject Alternative Names to confirm hostnames.
  5. Copy any fingerprint to clipboard for pinning, troubleshooting, or audit logs.

What this decoder shows

  • Validity period — Not Before / Not After timestamps plus a colour-coded status badge.
  • Subject and Issuer — CN, O, OU, C, L, ST, plus any extension fields (jurisdiction, business category, serial number).
  • Subject Alternative Names — DNS names, IP addresses, URIs, and email entries, grouped by type.
  • Public key — algorithm (RSA, EC, Ed25519, Ed448), key size in bits, RSA exponent, EC named curve.
  • Key Usage and Extended Key Usage — digital signature, key encipherment, server / client authentication, code signing, OCSP signing, and more.
  • Basic Constraints — whether the certificate is a CA, and its path length constraint.
  • Signature algorithm — sha256WithRSAEncryption, ecdsa-with-SHA384, Ed25519, etc.
  • Fingerprints — SHA-256, SHA-1, MD5 hex digests with colon separators.
  • Serial number and version — hex serial and X.509 version (typically v3).

How a PEM certificate decodes

A PEM certificate is a Base64 wrapper around DER-encoded ASN.1. Once stripped and decoded, you get a Certificate SEQUENCE containing tbsCertificate, signatureAlgorithm, and signatureValue. The TBS half holds every field above. This tool walks the ASN.1 tree directly in JavaScript — no network round-trip, no server-side parser.

Typical use cases

  • Verifying SAN coverage before deploying a new TLS certificate.
  • Spot-checking expiry across staging and production endpoints.
  • Pinning by SHA-256 fingerprint in mobile apps or HSTS-preload submissions.
  • Confirming the signature algorithm and key strength meet a compliance policy (PCI DSS, FIPS 140-3, Mozilla Modern profile).
  • Debugging mismatched Subject CN versus modern SAN-only validators.

Limits by design

This tool decodes a single certificate. It does not validate the chain, fetch CRL/OCSP, perform revocation checks, or speak TLS. For chain validation use openssl verify; for live TLS inspection use openssl s_client -showcerts or nmap --script ssl-cert.

FAQ

Is my certificate uploaded anywhere?

No. Parsing happens entirely in your browser via inline JavaScript and the Web Crypto API. The PEM never leaves your machine — safe for staging, internal, and production certificates.

Which certificate formats does this decoder accept?

PEM-encoded X.509 certificates wrapped in -----BEGIN CERTIFICATE----- … -----END CERTIFICATE----- markers. DER (raw binary) is not accepted. Convert first with: openssl x509 -inform DER -in cert.der -out cert.pem.

Can this verify the certificate chain or trust?

No. The tool only decodes the certificate fields. To validate the chain, use openssl verify -CAfile chain.pem cert.pem, or rely on your operating system's trust store.

How are the fingerprints calculated?

SHA-256, SHA-1, and MD5 digests are computed over the DER bytes of the certificate (not the PEM text). SHA-256 is the standard identifier today; SHA-1 and MD5 are shown for compatibility with legacy tooling.

Does it handle ECDSA, Ed25519, or only RSA certificates?

All three. The decoder recognises rsaEncryption, id-ecPublicKey with named curves prime256v1 / secp384r1 / secp521r1 (plus secp256k1 and Brainpool variants), Ed25519, and Ed448 public keys.