TLS Certificate Decoder

Paste a PEM certificate and decode every X.509 field in your browser.

Free in-browser X.509 / TLS certificate decoder. Paste a PEM certificate and read its subject, issuer, serial, validity dates, Subject Alternative Names and signature algorithm. ASN.1 DER is parsed locally — the certificate never leaves your device. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is an X.509 certificate?

X.509 is the standard format for TLS/SSL certificates. It binds a public key to an identity (the subject) and is signed by a certificate authority (the issuer). The decoder shows those fields plus validity and extensions.

A TLS certificate in PEM form is just Base64-encoded ASN.1 DER between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Inside is an X.509 structure that binds a server’s public key to one or more hostnames and is signed by a certificate authority. This decoder reads that structure in your browser and lays out the fields you actually need when debugging a TLS handshake or a misissued cert.

How it works

An X.509 Certificate is SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }. The decoder:

  1. Base64-decodes the PEM body to raw DER bytes.
  2. Parses the ASN.1 tag/length/value tree.
  3. Walks tbsCertificate to read, in order: version, serial number, signature algorithm, issuer (Distinguished Name), validity (not-before / not-after), subject (DN), the public-key info, and the extensions — including the Subject Alternative Name (OID 2.5.29.17).

Distinguished Names are decoded by reading each RelativeDistinguishedName and mapping its attribute OID (CN 2.5.3.3, O 2.5.4.10, etc.) to a readable label.

Example decode

A typical decode looks like:

Subject:    CN=example.com
Issuer:     CN=R3, O=Let's Encrypt
Valid from: 2026-01-01T00:00:00Z
Valid to:   2026-04-01T00:00:00Z
SANs:       example.com, www.example.com
Signature:  sha256WithRSAEncryption
Status:     Valid (in date)

How to get a certificate to decode

If you need to inspect a certificate from a live server, you can pull it with openssl:

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -in /dev/stdin

This prints the full PEM block to stdout, which you can paste directly into the decoder. On Windows, you can export from the browser by clicking the padlock icon, navigating to Certificate, and exporting in PEM/Base64 format.

What to look for when debugging TLS problems

Hostname mismatch errors. Modern browsers validate hostnames against the SAN list, not the Subject CN. If your browser reports “hostname does not match certificate”, check that your domain appears in the SAN extension — if it is only in the CN, it will fail on modern clients. Look for wildcards (*.example.com) which cover one level of subdomain.

Expired certificates. The “valid to” date compared against today tells you immediately. Let’s Encrypt certificates are 90 days; commercial certificates are typically 1 year. Certificate expiry is the most common cause of sudden TLS failures.

Wrong issuer. If you installed a certificate but clients see a different cert, you may be hitting a cached version or a load balancer that has not been updated. Compare the issuer and serial number of what you expect against what the decoder shows from the live server.

SHA-1 signatures. Browsers deprecated SHA-1 signatures years ago. If the signature field shows sha1WithRSAEncryption, the certificate will be untrusted in modern browsers.

Notes

The tool reads the not-before / not-after times as UTCTime (YYMMDDHHMMSSZ, with the 50-year pivot) or GeneralizedTime (YYYYMMDDHHMMSSZ). The serial number is shown as hex. If an extension OID is unknown it is skipped rather than guessed. Everything runs locally, so you can paste production certificates safely — X.509 certificates are public information by design and there is no credential risk in pasting one.