// FREE IT TOOLS

SSL Certificate Decoder

Paste any SSL certificate in PEM format to decode its subject, issuer, validity, extensions, and fingerprint.

// PASTE PEM CERTIFICATE

Paste an SSL certificate in PEM format above to decode it

What Is an SSL Certificate?

An SSL/TLS certificateis a digital file that binds a cryptographic key to an organisation's details. It enables encrypted (HTTPS) connections between a web browser and a server, and is essential for securing data in transit.

Certificates are issued by Certificate Authorities (CAs) and follow the X.509standard. They contain the server's public key, identity information, the CA's digital signature, and metadata such as validity dates and permitted uses.

Understanding Certificate Fields

Subject:The entity the certificate is issued to — typically a domain name (CN) and organisation (O)
Issuer:The Certificate Authority that signed the certificate — for self-signed certs, subject and issuer are the same
Validity:The period during which the certificate is trusted: a Not Before date and a Not After (expiry) date
Serial Number:A unique identifier assigned by the issuing CA, used for revocation checking
Signature Algorithm:The cryptographic algorithm used to sign the certificate (e.g. SHA-256 with RSA)

Subject Alternative Names (SANs)

Subject Alternative Names (SANs) are the modern way to list all domains and IPs a certificate covers. Since 2000, SANs have replaced the Common Name (CN) field for domain validation — modern browsers require the SAN extension and will show errors if a domain is listed only in the CN.

A certificate with multiple SANs can secure example.com, www.example.com, and api.example.com all at once. This decoder extracts all SANs and displays them as a list.

Certificate Chain and Trust

A certificate chainlinks a server's end-entity certificate back to a trusted root CA through one or more intermediate certificates. Browsers verify the chain from leaf to root, checking signatures and validity at each step.

If any certificate in the chain is expired, revoked, or signed by an untrusted CA, the browser will display a security warning. This decoder shows the validity dates and expiry status so you can quickly identify expiring certificates that need renewal.

Frequently Asked Questions

What format does this decoder accept?: PEM format — a Base64-encoded certificate wrapped in BEGIN/END CERTIFICATE markers. This is the most common format used by web servers (Nginx, Apache, IIS) and certificate authorities.
What is a SAN (Subject Alternative Name)?: SANs are the modern standard for listing all domains and IP addresses a certificate covers. Since 2000, SANs have replaced the Common Name (CN) field — modern browsers require the SAN extension and will show errors if a domain is only in the CN.
How do I check if my certificate is expired?: Paste your certificate above — the decoder will show the validity dates and a clear status badge: green for valid, red for expired, or amber for not-yet-valid. It also shows the number of days remaining.
What is key usage?: Key usage is a certificate extension that defines what the cryptographic key can be used for — for example, Digital Signature, Key Encipherment, or Certificate Sign. This restricts how the certificate can be used, preventing misuse.
What is a certificate chain?: A certificate chain (or path) links an end-entity certificate to a trusted root CA through intermediate certificates. Browsers verify each link in the chain. If any link is broken — expired, untrusted, or missing — the connection is considered insecure.

// CYBER SECURITY

Need help with SSL/TLS or security?

DMC IT Services manages SSL certificate lifecycle, TLS configuration, and security hardening for SMBs across London, Cambridge, Hertfordshire, and Bedfordshire — from procurement through renewal and deployment.

Talk to an Engineer

← Back to all free tools

What Is an SSL Certificate?

Understanding Certificate Fields

Subject:The entity the certificate is issued to — typically a domain name (CN) and organisation (O)
Issuer:The Certificate Authority that signed the certificate — for self-signed certs, subject and issuer are the same
Validity:The period during which the certificate is trusted: a Not Before date and a Not After (expiry) date
Serial Number:A unique identifier assigned by the issuing CA, used for revocation checking
Signature Algorithm:The cryptographic algorithm used to sign the certificate (e.g. SHA-256 with RSA)

Subject Alternative Names (SANs)

A certificate with multiple SANs can secure example.com, www.example.com, and api.example.com all at once. This decoder extracts all SANs and displays them as a list.

Certificate Chain and Trust

Frequently Asked Questions

What format does this decoder accept?

PEM format — a Base64-encoded certificate wrapped in BEGIN/END CERTIFICATE markers. This is the most common format used by web servers (Nginx, Apache, IIS) and certificate authorities.

What is a SAN (Subject Alternative Name)?

SANs are the modern standard for listing all domains and IP addresses a certificate covers. Since 2000, SANs have replaced the Common Name (CN) field — modern browsers require the SAN extension and will show errors if a domain is only in the CN.

How do I check if my certificate is expired?

Paste your certificate above — the decoder will show the validity dates and a clear status badge: green for valid, red for expired, or amber for not-yet-valid. It also shows the number of days remaining.

What is key usage?

Key usage is a certificate extension that defines what the cryptographic key can be used for — for example, Digital Signature, Key Encipherment, or Certificate Sign. This restricts how the certificate can be used, preventing misuse.

What is a certificate chain?

A certificate chain (or path) links an end-entity certificate to a trusted root CA through intermediate certificates. Browsers verify each link in the chain. If any link is broken — expired, untrusted, or missing — the connection is considered insecure.