Web Security · X.509

Certificate Decoder

Paste a PEM certificate — the kind that starts with -----BEGIN CERTIFICATE----- — and get a full breakdown: subject, issuer, validity, SANs, public key, signature algorithm, and every extension. The findings panel flags expiry, weak keys, SHA-1 signatures, and other things worth a second look. Raw base64 or hex DER also accepted.

→ TLS Cipher Decoder → Security Headers Analyzer → JWT Decoder

Certificate (PEM, base64, or hex DER)

Tip: echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 prints a site's leaf cert in PEM.

No certificate decoded yet. Paste a PEM above or load a sample.

ASN.1 structure

▸ Show raw DER tree

Reference

Privacy: the certificate is parsed entirely in your browser — nothing is uploaded, logged, or sent anywhere. A certificate is public information by design, but the habit is a good one. Fingerprints are computed locally with the Web Crypto API.