How to Use the SSL Certificate Decoder
The SSL decoder reads PEM-format certificates or fetches live certificates from a domain and displays all fields in a readable format.
The SSL Certificate Decoder extracts and displays every field from an X.509 SSL certificate. You can paste a certificate in PEM format or enter a domain name to fetch the live certificate directly.
Accessing the Tool
Go to Tools → SSL Decoder.
Option 1: Paste a PEM Certificate
If you have a certificate file (typically a .crt, .cer, or .pem file), paste its contents into the text area. PEM format starts and ends like this:
```
-----BEGIN CERTIFICATE-----
[base64 encoded data]
-----END CERTIFICATE-----
```
Click Decode to display all fields.
Option 2: Fetch a Live Certificate
Enter a domain name (e.g., example.com) and click Fetch Live Certificate. The decoder connects to port 443 of that domain, retrieves the certificate the server presents, and decodes it.
This shows you exactly what browsers and clients see when they connect — useful for verifying that the correct certificate is installed after a renewal.
What the Decoder Shows
| Field | What It Means |
|---|---|
| Subject CN | Primary domain the certificate was issued for |
| Subject Alternative Names | All domains covered by this certificate |
| Issuer | The Certificate Authority that issued it |
| Valid From | When the certificate became active |
| Valid To | When the certificate expires |
| Days Remaining | Days until expiry (calculated at decode time) |
| Serial Number | Unique identifier for this certificate |
| SHA-256 Fingerprint | Cryptographic hash — use this for pinning or change detection |
| Key Algorithm | RSA or ECDSA |
| Key Size | RSA 2048 or 4096 bits; ECDSA P-256 or P-384 |
| Signature Algorithm | SHA-256 with RSA is standard; SHA-1 is deprecated |
Checking the Certificate Chain
Paste the full chain (leaf certificate + intermediate(s)) to verify:
- Certificates are in the correct order (leaf first, root last)
- Each issuer matches the next certificate's subject
- No expired intermediates
A broken chain causes connection errors in some clients even when the leaf certificate itself is valid.
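The three checks above, written out as an added Python example (not the decoder's own code). It assumes each certificate has already been decoded into its Subject, Issuer and Valid To fields; the dict keys, function names and sample certificates are constructed for illustration, and only names and dates are compared, not signatures.

```python
from datetime import datetime, timezone

def check_chain(chain, now):
    """Check a pasted chain using decoded Subject, Issuer and Valid To fields.

    chain: list of dicts with 'subject', 'issuer', 'not_after' (aware datetime),
    in the order the certificates were pasted. Returns a list of problem strings.
    """
    problems = [f"expired: {c['subject']}" for c in chain if c["not_after"] <= now]
    by_subject = {c["subject"]: c for c in chain}  # assumes subjects are unique
    issuers = {c["issuer"] for c in chain}
    # The leaf is the only certificate that issued nothing else in the chain.
    leaves = [c for c in chain if c["subject"] not in issuers]
    if len(leaves) != 1:
        return problems + ["cannot identify exactly one leaf certificate"]
    path, cert = [], leaves[0]
    while cert is not None and cert not in path:  # follow issuer -> subject links
        path.append(cert)
        self_signed = cert["issuer"] == cert["subject"]
        cert = None if self_signed else by_subject.get(cert["issuer"])
    top = path[-1]
    if len(path) < len(chain):
        if top["issuer"] != top["subject"]:
            # The walk stopped early: the next issuer was never pasted.
            problems.append(f"missing issuer certificate: {top['issuer']}")
        else:
            problems.append("chain contains a certificate unrelated to the leaf")
    elif path != chain:
        order = " -> ".join(c["subject"] for c in path)
        problems.append(f"wrong order, expected: {order}")
    # If the top is not self-signed, its issuer must be in the client's trust store.
    return problems

def decoded(subject, issuer, expiry_year):
    """Build one constructed sample record (not a real certificate)."""
    return {"subject": subject, "issuer": issuer,
            "not_after": datetime(expiry_year, 1, 1, tzinfo=timezone.utc)}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed for reproducible output
LEAF = decoded("www.example.test", "Example Intermediate CA", 2026)
INTERMEDIATE = decoded("Example Intermediate CA", "Example Root CA", 2030)
OLD_INTERMEDIATE = decoded("Example Intermediate CA", "Example Root CA", 2024)
ROOT = decoded("Example Root CA", "Example Root CA", 2040)

if __name__ == "__main__":
    for pasted in ([LEAF, INTERMEDIATE, ROOT], [INTERMEDIATE, LEAF],
                   [LEAF, ROOT], [LEAF, OLD_INTERMEDIATE]):
        print(check_chain(pasted, NOW) or "chain looks consistent")
```

Walking from the leaf instead of comparing neighbours lets the check tell a chain pasted in the wrong order apart from one where an intermediate was never included.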
Common Use Cases
- After renewing a certificate — verify the new certificate was installed correctly
- Debugging mixed content — confirm the certificate covers all SANs you are using
- CSR verification — paste a CSR to confirm it includes all required SANs before submitting to your CA
- Compliance checks — confirm key size meets requirements (RSA 2048+ minimum for most compliance frameworks)
- SHA-1 audit — find certificates still using deprecated SHA-1 signatures