Paste a PEM certificate or upload a .crt / .pem file to instantly decode subject, issuer, validity, Subject Alternative Names, key info, fingerprints and the full certification chain — no server, all in your browser.
An X.509 certificate is a standardized digital document that binds a public key to an identity — a domain name, organization, or individual. Defined by RFC 5280, X.509 is the foundation of TLS/SSL, HTTPS, S/MIME email encryption, code signing, and virtually every PKI (Public Key Infrastructure) system in use today. Every time your browser shows a padlock, it has validated an X.509 certificate.
Certificates are issued by a Certificate Authority (CA) — a trusted entity that vouches for the identity of the certificate holder by signing the certificate with its own private key. Modern certificates use PEM format for text exchange and DER for binary storage.
Despite the different file extensions, these are usually the same underlying X.509 data in different encodings:
-----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- headers. The most common text format; can contain multiple certificates in a single file (full chain).
This tool accepts any PEM input: paste a single certificate, a full chain bundle, or upload a file. It automatically detects and separates multiple PEM blocks.
A certificate chain (also called a chain of trust) is a sequence of certificates where each one has been signed by the next. The chain typically has three levels:
example.com). It cannot sign other certificates (CA: false in Basic Constraints).
When validating a TLS connection, the client builds a path from the server's certificate up to a trusted root. All three levels must be present and valid. This tool displays the full chain when you paste multiple PEM blocks.
CN (Common Name) is the primary identifier; for TLS certs it was traditionally the domain, now superseded by SANs.
Not Before / Not After window. Certificates presented outside this window must be rejected.
Click the padlock → Connection is secure → Certificate is valid → Details tab → Copy to file → Base64 PEM. Then paste it here.
openssl s_client -connect example.com:443 \
  -showcerts </dev/null 2>/dev/null \
  | openssl x509 -outform PEM
openssl x509 -in cert.crt \
-text -noout
Or just upload it here to get the same info in a readable UI.
openssl s_client -connect example.com:443 \
  -showcerts </dev/null 2>/dev/null \
  | sed -n '/BEGIN/,/END/p'
Paste the multi-cert output to see the full chain here.
No. All parsing is done locally in your browser using a built-in ASN.1/DER parser and the Web Cryptography API (crypto.subtle) for fingerprints. Your certificate never leaves your device. You can disconnect from the internet and the tool will still work.
.der is the raw binary ASN.1 encoding of the certificate. .pem is the same data Base64-encoded with BEGIN/END headers — the most portable text format. .crt and .cer are generic extensions that can be either PEM or DER; the extension itself does not guarantee the encoding. This tool accepts PEM (text) input; DER files uploaded via the button are automatically detected and converted.
The Common Name (CN) field was historically used to store the primary domain. However, its interpretation was never standardized, which led to ambiguity. Since 2017, browsers (following CA/Browser Forum Baseline Requirements) ignore the CN for hostname validation and use only the Subject Alternative Names (SANs) extension, which supports multiple domains, wildcards, and IP addresses in a single certificate.
The Basic Constraints extension with cA: TRUE marks the certificate as a Certificate Authority certificate — it is authorized to sign other certificates. End-entity (leaf) certificates have cA: FALSE or no Basic Constraints extension at all. Browsers enforce this: a certificate without cA: TRUE cannot be used to sign other certificates, preventing fraudulent sub-CA creation.
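How the cA flag is read out of the DER bytes, as an added example (not this tool's own parser). The function names and both sample byte arrays are constructed for illustration; the parser covers only the DER features needed for this one extension.

```javascript
// Read one DER TLV starting at `off`: tag, content bytes, offset of the next TLV.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error("truncated DER header");
  const tag = buf[off];
  let len = buf[off + 1];
  let p = off + 2;
  if (len & 0x80) {                       // long form: low 7 bits count the length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || p + n > buf.length) throw new Error("bad DER length");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[p++];
  }
  if (p + len > buf.length) throw new Error("truncated DER value");
  return { tag, value: buf.subarray(p, p + len), next: p + len };
}

// All TLVs packed back to back inside a constructed value.
function children(buf) {
  const out = [];
  for (let off = 0; off < buf.length; off = out[out.length - 1].next) out.push(readTlv(buf, off));
  return out;
}

const toHex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");

// Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
function parseBasicConstraints(extDer) {
  const ext = readTlv(extDer, 0);
  if (ext.tag !== 0x30) throw new Error("Extension must be a SEQUENCE");
  const fields = children(ext.value);
  if (fields.length < 2) throw new Error("Extension is missing fields");
  if (fields[0].tag !== 0x06 || toHex(fields[0].value) !== "551d13") return null; // not OID 2.5.29.19
  const critical = fields[1].tag === 0x01 && fields[1].value[0] !== 0;
  const extnValue = fields[fields.length - 1];
  if (extnValue.tag !== 0x04) throw new Error("extnValue must be an OCTET STRING");
  const bc = readTlv(extnValue.value, 0);   // BasicConstraints SEQUENCE wrapped in the OCTET STRING
  let cA = false, pathLen = null;           // cA defaults to FALSE when the BOOLEAN is absent
  for (const f of children(bc.value)) {
    if (f.tag === 0x01) cA = f.value[0] !== 0;
    else if (f.tag === 0x02) pathLen = f.value.reduce((a, x) => a * 256 + x, 0);
  }
  return { critical, cA, pathLen };
}

// Constructed sample bytes (not taken from any real certificate).
const CA_EXT = Uint8Array.from([0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff,
  0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00]);   // cA TRUE, pathLen 0
const LEAF_EXT = Uint8Array.from([0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff,
  0x04, 0x02, 0x30, 0x00]);                                       // empty SEQUENCE: cA FALSE
```

An empty BasicConstraints SEQUENCE and a missing extension both mean "not a CA", so a chain validator has to treat the default as FALSE rather than as unknown.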
A fingerprint is a hash (SHA-256 or SHA-1) of the entire DER-encoded certificate. It uniquely identifies a specific certificate file. Fingerprints are used for: certificate pinning (HPKP, TrustKit), verifying that a downloaded certificate matches an expected one, and identifying certificates in CA trust stores and revocation lists. Always prefer SHA-256 fingerprints — SHA-1 is deprecated and collision-prone.
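The fingerprint is taken over the DER bytes, not the PEM text, so line wrapping and CRLF differences in a bundle do not change it. An added example (not this tool's code) that splits a PEM bundle and fingerprints each block with crypto.subtle; the function names are hypothetical and the sample payload is constructed placeholder bytes, not a real certificate.

```javascript
// Split a PEM bundle into DER byte arrays, one per CERTIFICATE block.
function splitPem(text) {
  const re = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;
  const ders = [];
  for (const m of text.matchAll(re)) {
    const b64 = m[1].replace(/\s+/g, "");          // drop line wrapping (LF or CRLF)
    ders.push(Uint8Array.from(atob(b64), (c) => c.charCodeAt(0)));
  }
  return ders;
}

// Browser: crypto.subtle. The fallback only lets the example run under older Node.js.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// SHA-256 over the raw DER bytes, formatted as colon-separated upper-case hex.
async function sha256Fingerprint(der) {
  const digest = new Uint8Array(await subtle.digest("SHA-256", der));
  return Array.from(digest, (b) => b.toString(16).padStart(2, "0").toUpperCase()).join(":");
}

// One fingerprint per block, in bundle order (leaf first in a typical chain file).
async function fingerprintBundle(text) {
  return Promise.all(splitPem(text).map(sha256Fingerprint));
}

// Constructed sample: both blocks carry the same placeholder payload ("abc" in Base64),
// once on a single line and once wrapped with CRLF line endings.
const SAMPLE_BUNDLE = [
  "-----BEGIN CERTIFICATE-----",
  "YWJj",
  "-----END CERTIFICATE-----",
  "-----BEGIN CERTIFICATE-----\r\nYW\r\nJj\r\n-----END CERTIFICATE-----",
].join("\n");
```

Hashing the PEM text instead of the decoded bytes is a common cause of fingerprint mismatches when comparing against a pinned or published value.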
Paste the certificate above — the tool shows a Valid, Expires soon, or Expired badge next to the Not After date. Via command line: openssl x509 -in cert.pem -noout -dates prints the validity window. openssl x509 -in cert.pem -noout -checkend 0 returns exit code 1 if the certificate is already expired.
Not currently. Signature verification requires the issuer's public key from the next certificate in the chain, plus a full RSA or ECDSA verification operation. The tool does parse and display all the data needed for manual verification, including the signature algorithm and key info. Full chain path validation (including revocation via OCSP/CRL) is outside the scope of a client-side browser tool.
Key Usage is a core X.509 extension that restricts the cryptographic operations the key can perform at a low level: digital signature, key encipherment, key agreement, etc. Extended Key Usage (EKU) further narrows usage to specific application-level purposes: TLS Server Authentication, TLS Client Authentication, Code Signing, Email Protection, OCSP Signing, and more. Both extensions can be marked critical, meaning any software that does not understand them must reject the certificate.