A TLS certificate in PEM form is just Base64-encoded ASN.1 DER between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Inside is an X.509 structure that binds a server’s public key to one or more hostnames and is signed by a certificate authority. This decoder reads that structure in your browser and lays out the fields you actually need when debugging a TLS handshake or a misissued cert.
How it works
An X.509 Certificate is SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }. The decoder:
- Base64-decodes the PEM body to raw DER bytes.
- Parses the ASN.1 tag/length/value tree.
- Walks
tbsCertificateto read, in order: version, serial number, signature algorithm, issuer (Distinguished Name), validity (not-before / not-after), subject (DN), the public-key info, and the extensions — including the Subject Alternative Name (OID2.5.29.17).
Distinguished Names are decoded by reading each RelativeDistinguishedName and mapping its attribute OID (CN 2.5.3.3, O 2.5.4.10, etc.) to a readable label.
Example decode
A typical decode looks like:
Subject: CN=example.com
Issuer: CN=R3, O=Let's Encrypt
Valid from: 2026-01-01T00:00:00Z
Valid to: 2026-04-01T00:00:00Z
SANs: example.com, www.example.com
Signature: sha256WithRSAEncryption
Status: Valid (in date)
How to get a certificate to decode
If you need to inspect a certificate from a live server, you can pull it with openssl:
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -in /dev/stdin
This prints the full PEM block to stdout, which you can paste directly into the decoder. On Windows, you can export from the browser by clicking the padlock icon, navigating to Certificate, and exporting in PEM/Base64 format.
What to look for when debugging TLS problems
Hostname mismatch errors. Modern browsers validate hostnames against the SAN list, not the Subject CN. If your browser reports “hostname does not match certificate”, check that your domain appears in the SAN extension — if it is only in the CN, it will fail on modern clients. Look for wildcards (*.example.com) which cover one level of subdomain.
Expired certificates. The “valid to” date compared against today tells you immediately. Let’s Encrypt certificates are 90 days; commercial certificates are typically 1 year. Certificate expiry is the most common cause of sudden TLS failures.
Wrong issuer. If you installed a certificate but clients see a different cert, you may be hitting a cached version or a load balancer that has not been updated. Compare the issuer and serial number of what you expect against what the decoder shows from the live server.
SHA-1 signatures. Browsers deprecated SHA-1 signatures years ago. If the signature field shows sha1WithRSAEncryption, the certificate will be untrusted in modern browsers.
Notes
The tool reads the not-before / not-after times as UTCTime (YYMMDDHHMMSSZ, with the 50-year pivot) or GeneralizedTime (YYYYMMDDHHMMSSZ). The serial number is shown as hex. If an extension OID is unknown it is skipped rather than guessed. Everything runs locally, so you can paste production certificates safely — X.509 certificates are public information by design and there is no credential risk in pasting one.