SSL Certificate Decoder
Decode X.509 certificates, CSRs, and private keys. Extract all fields and verify certificate chains.
What It Decodes
- SSL/TLS Certificates: PEM or DER format
- Certificate Signing Requests (CSR): Verify before submitting to CA
- Private Keys: RSA, EC, DSA (encrypted or plaintext)
- Certificate Chains: Full chain validation (root → intermediate → leaf)
Quick Start
- Go to SSL Decoder
- Paste PEM-encoded certificate (BEGIN CERTIFICATE block)
- Or upload .crt, .cer, .pem file
- Click "Decode" — see all certificate details
Extracted Information
Certificate Details
- Issuer: Who signed the certificate (e.g., Let's Encrypt)
- Subject: Domain(s) the cert is issued for
- Validity: Not Before / Not After dates
- Serial Number: Unique ID
- Signature Algorithm: Hash and signing algorithm (e.g., SHA-256 with RSA or ECDSA)
- Public Key: Key type, size (2048-bit RSA, 256-bit EC)
- SANs (Subject Alternative Names): All domains covered (example.com, www.example.com)
- Extensions: Key Usage, Extended Key Usage, CRL Distribution Points, OCSP
- Fingerprints: SHA-1 and SHA-256 hashes
CSR Details
- Common Name (CN)
- Organization, City, Country
- Public key embedded in CSR
- Signature (verifies CSR wasn't tampered with)
Use Cases
1. Verify Certificate Before Installation
Problem: CA sent you a .crt file. Is it for the right domain?
Solution: Decode → Check Subject + SANs → Ensure your domain is listed
2. Debug SSL Errors
Problem: Browser shows "Certificate name mismatch"
Solution: Decode cert → Check SANs → See if www. subdomain is missing
3. Certificate Chain Validation
Problem: SSL works in Chrome but fails in Java/Android
Solution: Decode chain → Check for missing intermediate certificate
4. Compare Certificates
Need: You have staging and production certs — are they identical?
Solution: Decode both → Compare fingerprints (SHA-256 hash)
Certificate Chain Verification
Paste full PEM chain (leaf + intermediates + root) — tool validates:
- ✅ Each cert is signed by the next in chain
- ✅ Root CA is trusted (Mozilla/Apple/Microsoft trust store)
- ✅ No expired certificates in chain
- ✅ Name constraints respected
- ❌ Detects self-signed or invalid chains
Private Key Analysis
Warning: Never paste production private keys into ANY online tool! Use for testing/learning only.
For local use, the tool can analyze:
- Key type (RSA, ECDSA, Ed25519)
- Key size (1024, 2048, 4096-bit for RSA | P-256, P-384 for EC)
- Whether key is encrypted (detects PKCS#8 with passphrase)
- Modulus (for RSA keys)
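For the fingerprint comparison in use case 4 and the local key check listed above, the following Python example uses only the standard library and runs entirely offline. It is an added example, not the tool's own code; the function names and the sample PEM payloads are constructed for illustration, and the payloads are placeholder bytes rather than real certificates or keys.

```python
import base64
import hashlib
import re

# One PEM block; the label (e.g. CERTIFICATE) must match in the BEGIN and END lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def split_pem(text):
    """Return (label, headers, der_bytes) for every PEM block found in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy OpenSSL keys carry headers such as "Proc-Type: 4,ENCRYPTED".
        headers = [ln for ln in lines if ":" in ln]
        b64 = "".join(ln for ln in lines if ":" not in ln)
        blocks.append((label, headers, base64.b64decode(b64)))
    return blocks

def fingerprint(der):
    """SHA-256 over the DER bytes, colon-separated as decoders usually display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def inspect_bundle(text):
    """Fingerprint each certificate; list private keys and whether each is encrypted."""
    certs, keys = [], []
    for label, headers, der in split_pem(text):
        if label == "CERTIFICATE":
            certs.append(fingerprint(der))
        elif label.endswith("PRIVATE KEY"):
            # PKCS#8 with a passphrase uses its own label; legacy keys use a header.
            encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
                h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers
            )
            keys.append((label, encrypted))
    return certs, keys

def make_pem(label, payload, headers=""):
    """Helper for the constructed samples below (hypothetical, for illustration)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"

# Constructed samples: placeholder payloads, not real certificates or keys.
STAGING = make_pem("CERTIFICATE", b"constructed-leaf-A") + make_pem("CERTIFICATE", b"constructed-intermediate")
PRODUCTION = make_pem("CERTIFICATE", b"constructed-leaf-A").replace("\n", "\r\n")  # CRLF copy
MIXED = STAGING + make_pem("RSA PRIVATE KEY", b"constructed-key",
                           "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
```

Because the fingerprint is taken over the decoded DER bytes, two files that differ only in line endings or base64 wrapping still compare equal. A non-empty key list from `inspect_bundle` means the text contains private key material and should not be pasted into an online form.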
Supported Formats
| Format | Extension | Description |
|---|---|---|
| PEM | .pem, .crt, .cer | Base64 encoded (most common) |
| DER | .der, .cer | Binary format (convert to PEM first) |
| PKCS#7 | .p7b | Bundle format (Windows) |
| PKCS#12 | .pfx, .p12 | Password-protected bundle |
Example: Decoding Let's Encrypt Certificate
Issuer: Let's Encrypt R3
Subject: CN=example.com
Validity: 2026-01-10 to 2026-04-10 (90 days)
SANs: example.com, www.example.com
Public Key: ECDSA P-256 (256-bit)
Signature: ECDSA with SHA-256
Serial: 04:a1:b2:c3:d4:e5:f6:a7:b8:c9:d0:e1:f2:a3:b4:c5
Fingerprint (SHA-256): 1a2b3c4d...
Best Practices
- ✅ Always verify SANs match all your domains (including www)
- ✅ Check the expiry date before deploying (give yourself buffer time)
- ✅ Ensure the intermediate cert is included (required for the trust chain)
- ✅ Use at least 2048-bit RSA or 256-bit EC keys
- ❌ Never use 1024-bit RSA (insecure)
- ❌ Don't use SHA-1 signatures (deprecated)
- ❌ Don't paste production private keys online (security risk!)