SSL/TLS Certificate Decoder and Chain Inspector - X.509 PEM/DER Viewer

First Published:
Last Updated:

Decode SSL/TLS certificates (X.509) directly in your browser. Paste a PEM block, drop a .pem/.crt/.cer/.der file, or paste multiple certificates to inspect chain ordering.

All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server. Your certificates and private metadata never leave your device.

  • This tool is provided "AS IS" without any warranties of any kind.
  • This tool decodes certificate contents but does not verify revocation (OCSP / CRL) or trust against CA stores.
  • The author accepts no responsibility for any security issues arising from handling certificates.
  • Never paste private keys into any online tool. Only public certificates are processed here.
  • By using this tool, you accept full responsibility for any outcomes.

Privacy: This tool uses client-side JavaScript for all processing. No data is transmitted to servers, no files are uploaded online, all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.

Drop a .pem / .crt / .cer / .der file here, or click to browse.

Features

  • PEM & DER Input: Paste a PEM block, paste raw Base64-encoded DER, or drag-and-drop .pem/.crt/.cer/.der files.
  • Multi-Certificate / Chain Mode: Concatenate several certificates and inspect Issuer→Subject DN linkage between adjacent certificates. Leaf, intermediate, and root roles are detected automatically.
  • Subject & Issuer: Distinguished Name attributes (CN, O, OU, C, ST, L, emailAddress, etc.) are decoded individually for easy reading.
  • Validity with Color-Coded Status: Days remaining are highlighted — red for expired or ≤30 days, yellow for ≤90 days, green for healthy. A progress bar shows lifetime usage.
  • Subject Alternative Names: DNS, IP, URI, rfc822Name, and directoryName entries are listed individually.
  • Public Key Info: RSA modulus size in bits and public exponent, EC named curve and public point, plus Ed25519 / Ed448 detection.
  • Extensions Decoded: Key Usage, Extended Key Usage, Basic Constraints, Subject Key Identifier, Authority Key Identifier, CRL Distribution Points, Authority Information Access, Certificate Policies. All other extensions are listed in raw OID form.
  • SHA-1 / SHA-256 Fingerprints: Computed over the full DER using the Web Crypto API.
  • Drag & Drop: File reader detects DER (binary) vs PEM (text) automatically.
  • Built-in Samples: RSA self-signed (multi-SAN), CA + leaf chain, and EC P-256 self-signed.
  • 100% Client-Side: No network requests at runtime. Works offline once loaded.
  • No External Libraries: Pure vanilla JavaScript ASN.1 / X.509 parser plus the browser's Web Crypto API.

How to Use

  1. Paste PEM: Copy a PEM-encoded certificate (including the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- markers) into the text area. The tool auto-decodes on paste.
  2. Or Paste Base64 DER: If you only have raw Base64-encoded DER without PEM markers, paste it directly — it will be detected.
  3. Or Drop a File: Drag a .pem, .crt, .cer, or .der file onto the drop zone, or click to browse. Multiple files are concatenated into a chain.
  4. Inspect the Chain: If you provided more than one certificate, the chain summary at the top tells you whether each adjacent pair is consistent (Issuer of cert N matches Subject of cert N+1).
  5. Read the Card: Each certificate card shows Subject, Issuer, Validity (with days-remaining color coding), Identification (version, serial, signature algorithm), SAN, Public Key, key-usage extensions, and SHA-1 / SHA-256 fingerprints.
  6. Try a Sample: Click one of the Sample buttons to load a real, locally generated demo certificate.

Important Notes

  • This tool decodes certificate contents but does not verify revocation (OCSP / CRL) nor trust against the operating system's or browser's CA stores. Use OS / browser TLS clients for trust validation.
  • It does not perform a TLS handshake, so it cannot show what a server would actually present at :443. Export the chain from your server (e.g. openssl s_client -showcerts -connect host:443) and paste it here.
  • Chain consistency is decided by comparing Distinguished Names (Issuer of cert N vs Subject of cert N+1), not by verifying the cryptographic signature. A consistent chain is necessary but not sufficient — the signature could still be invalid.
  • Validity calculations use your local system clock. Make sure your system time is accurate.
  • RSA modulus size, EC curve, and signature algorithm are reported but not cross-checked against CA/Browser Forum baseline requirements.
  • Implementation note: the parser is a focused vanilla-JS ASN.1 / X.509 implementation (no asn1js / pkijs bundle) so the page stays small and loads instantly. SHA-1 and SHA-256 fingerprints use the browser's built-in Web Crypto API (crypto.subtle.digest).
  • If a certificate uses unusual extensions, those are still listed in the "Other Extensions" table at the bottom of each card with their raw OID and (truncated) hex value.
  • Never paste private keys (-----BEGIN PRIVATE KEY----- / -----BEGIN RSA PRIVATE KEY-----) into any online tool, including this one. Only public certificates need decoding.

References:
Tech Blog with curated related content
Web Tools Collection

Written by Hidekazu Konishi