Decode and inspect SSL/TLS certificates (X.509 format). Essential for debugging HTTPS issues, verifying certificate details, and understanding certificate chains.

Decode Certificate

Common Use Cases

  • Certificate Verification: Check issuer, validity dates, and subject information
  • Debugging SSL/TLS Issues: Verify certificate is for the correct domain
  • Expiration Monitoring: Check when certificates expire
  • Security Audits: Review certificate details and signature algorithms
  • SAN Verification: Check Subject Alternative Names for multi-domain certificates
  • Certificate Chain Analysis: Understand intermediate and root certificates

Certificate Information

Standard Fields:

  • Issuer: Certificate Authority that issued the certificate
  • Subject: Entity the certificate was issued to (usually a domain)
  • Valid From/To: Certificate validity period
  • Serial Number: Unique identifier for the certificate
  • Signature Algorithm: How the certificate is signed (e.g., SHA-256 with RSA)

Public Key Info:

  • Algorithm: RSA, ECDSA, etc.
  • Key Size: 2048-bit, 4096-bit, etc.
  • Public Key: The actual key data

Extensions:

  • Subject Alternative Names (SANs): Additional domains covered
  • Key Usage: What the certificate can be used for
  • Extended Key Usage: Specific purposes (server auth, client auth)
  • Basic Constraints: Whether it’s a CA certificate
  • Authority Key Identifier: Links to issuing CA

Getting Certificates

From a Website:

Lang: bash 
1# Using OpenSSL
2echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -text
3
4# Just get the certificate
5echo | openssl s_client -connect example.com:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

From a File:

Lang: bash 
1# View certificate details
2openssl x509 -in certificate.crt -text -noout
3
4# Convert DER to PEM
5openssl x509 -inform der -in certificate.cer -out certificate.pem

Important Notes

  • This tool only decodes certificates - it doesn’t verify signatures or trust chains
  • All processing happens in your browser - no data is sent to any server
  • Supports PEM format (text with BEGIN/END markers)
  • Does not validate certificate authenticity or trustworthiness
  • For production use, always verify certificates through proper SSL/TLS validation