SSL Certificate Decoder
Parse and decode PEM-format SSL/TLS certificates.
About this tool
An SSL certificate decoder is an essential tool for anyone working with web servers, security, or cryptography. It allows you to inspect the contents of PEM-format SSL/TLS certificates without needing command-line tools or specialized software. By uploading or pasting a certificate, you can instantly view all the encoded information—such as the issuer, subject, validity period, public key details, and fingerprints—that would otherwise remain cryptic. This transparency is critical for verifying certificate authenticity, troubleshooting connection issues, and ensuring your infrastructure meets security compliance requirements.
To use the SSL certificate decoder, simply paste your certificate in PEM format (the block between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into the input field. The tool automatically parses the certificate and displays all embedded data in a human-readable format, including the issuer organization, certificate subject, issue and expiration dates, serial number, signature algorithm, and the certificate's public key. Whether you're a system administrator managing multiple domains, a developer testing a staging environment, or a security professional auditing infrastructure, this tool eliminates the need to juggle OpenSSL commands or other external utilities.
The SSL certificate decoder works entirely in your browser—no data is sent to any server, so your certificates remain private and secure. This makes it especially useful for handling sensitive certificates in restricted environments. Keep in mind that the tool reads PEM-format certificates only; if you have a certificate in DER (binary) format, you'll need to convert it to PEM first. Using this tool regularly as part of your certificate management workflow helps catch expiration dates, verify issuer details, and prevent security gaps before they become problems.
Frequently Asked Questions
Code Implementation
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from datetime import datetime, timezone
import base64, textwrap
def decode_pem_certificate(pem: str) -> dict:
cert = x509.load_pem_x509_certificate(pem.encode(), default_backend())
now = datetime.now(timezone.utc)
# Subject / Issuer fields
def dn(name) -> dict:
return {attr.oid._name: attr.value for attr in name}
# Subject Alternative Names
try:
san_ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
san = san_ext.value.get_values_for_type(x509.DNSName)
except x509.ExtensionNotFound:
san = []
# Key usage
try:
ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
key_usage = [
name for name, ok in [
("digitalSignature", ku.digital_signature),
("keyEncipherment", ku.key_encipherment),
("keyCertSign", ku.key_cert_sign),
("cRLSign", ku.crl_sign),
] if ok
]
except Exception:
key_usage = []
return {
"subject": dn(cert.subject),
"issuer": dn(cert.issuer),
"serial": hex(cert.serial_number),
"not_before": cert.not_valid_before_utc.isoformat(),
"not_after": cert.not_valid_after_utc.isoformat(),
"is_expired": cert.not_valid_after_utc < now,
"days_remaining": (cert.not_valid_after_utc - now).days,
"signature_alg": cert.signature_hash_algorithm.name,
"public_key_type": cert.public_key().__class__.__name__,
"san": san,
"key_usage": key_usage,
"is_ca": cert.extensions.get_extension_for_class(
x509.BasicConstraints
).value.ca if True else False,
}
if __name__ == "__main__":
import sys, json
pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else ""
if pem:
info = decode_pem_certificate(pem)
print(json.dumps(info, indent=2))Comments & Feedback
Comments are powered by Giscus. Sign in with GitHub to leave a comment.