SSL Certificate Decoder
Paste a PEM-encoded SSL/TLS certificate to decode subject, issuer, serial number, validity dates, and key algorithm. Runs entirely in your browser — your certificate is never uploaded.
100% client-side · certificate data stays on your device
How to decode an SSL certificate
- Get your certificate PEM: run openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM, or copy it from your certificate file.
- Paste the full PEM (including the -----BEGIN CERTIFICATE----- header) into the input.
- Click Decode Certificate to see subject, issuer, validity dates, and key info.
Common use cases
- Expiry audit: Quickly check the Not After date before a renewal window.
- Certificate mismatch: Verify the Subject or SAN covers the hostname you expect.
- Issuer verification: Confirm which CA issued the certificate before deploying.
- Key algorithm check: Verify RSA vs ECDSA and key size for compliance requirements.
Frequently asked questions
- Is my certificate sent to a server?
- No. The decoder runs entirely in your browser using JavaScript. Your certificate data — including any embedded hostnames, organisation names, and key information — never leaves your device.
- What PEM format does the decoder expect?
- Paste the certificate exactly as it appears in your certificate file, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header and footer. Base64-encoded DER without headers is also accepted.
- Where do I get the PEM certificate for my site?
- Run: openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM. This downloads the leaf certificate. For the full chain, omit the second openssl command.
- What is the difference between the subject and the SAN?
- The Subject CN (Common Name) was the original way to specify the hostname(s) a certificate covers. The Subject Alternative Name (SAN) extension replaced it and supports multiple domains. Modern browsers require a SAN — they no longer check the CN alone.
- How do I check if my certificate is expired?
- The "Not After" field shows the expiry date. If today's date is past that date, the certificate is expired. Add monitoring via Let's Encrypt certbot renew --dry-run or a third-party monitor to get alerts before expiry.
- What is the serial number used for?
- The serial number uniquely identifies the certificate within the issuing CA. It is used in Certificate Revocation Lists (CRLs) and OCSP responses to identify revoked certificates.
- What key algorithms are common in TLS certificates?
- RSA (2048 or 4096 bits) is the most common for compatibility. ECDSA (P-256 or P-384) is increasingly used for performance — ECDSA handshakes are faster. Ed25519 is not yet supported by all browsers as a TLS certificate key type.
- How do I verify a certificate chain?
- Run: openssl verify -CAfile ca-bundle.crt leaf.crt. For a remote site: openssl s_client -connect example.com:443 -showcerts. The chain must end at a root CA trusted by the client.
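
As an added example (not this tool's own code), the JavaScript below shows how a client-side decoder can go from pasted PEM or bare base64, as the FAQ describes, to the serial number and the Not Before / Not After dates by walking the DER structure. All function names are assumptions made for this illustration, and the sample input is a constructed DER fragment, not a real certificate.

```javascript
// Accept PEM with headers or bare base64 DER, as the FAQ describes.
function pemToDer(text) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/.exec(text);
  const b64 = (m ? m[1] : text).replace(/\s+/g, '');
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(b64)) throw new Error('input is not base64');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}
// Read one DER tag-length-value header; reject lengths that run past the buffer.
function readTlv(der, pos) {
  let len = der[pos + 1];
  let start = pos + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n < 1 || n > 3) throw new Error('unsupported DER length');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der[start++];
  }
  if (!(start + len <= der.length)) throw new Error('truncated DER');
  return { tag: der[pos], start, end: start + len };
}
// UTCTime (0x17, two-digit year, 50-99 means 19xx) or GeneralizedTime (0x18).
function parseTime(der, t) {
  const s = String.fromCharCode(...der.subarray(t.start, t.end));
  const full = t.tag === 0x17 ? (Number(s.slice(0, 2)) >= 50 ? '19' : '20') + s : s;
  const p = /^(\d{4})(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)Z$/.exec(full);
  if (!p || (t.tag !== 0x17 && t.tag !== 0x18)) throw new Error('bad time field');
  return new Date(Date.UTC(+p[1], p[2] - 1, +p[3], +p[4], +p[5], +p[6]));
}
// Walk Certificate -> TBSCertificate -> [version] serial, sigAlg, issuer, validity.
function decodeValidity(text) {
  const der = pemToDer(text);
  const tbs = readTlv(der, readTlv(der, 0).start);
  let f = readTlv(der, tbs.start);
  if (f.tag === 0xa0) f = readTlv(der, f.end); // skip optional [0] version
  if (f.tag !== 0x02) throw new Error('serial number not found');
  const serial = Array.from(der.subarray(f.start, f.end), (b) => b.toString(16).padStart(2, '0')).join('');
  const issuer = readTlv(der, readTlv(der, f.end).end); // after signature AlgorithmIdentifier
  const nb = readTlv(der, readTlv(der, issuer.end).start); // first field inside Validity
  const na = readTlv(der, nb.end);
  return { serial, notBefore: parseTime(der, nb), notAfter: parseTime(der, na) };
}
const isExpired = (cert, now = new Date()) => now > cert.notAfter;

// Constructed sample: DER with only the fields up to Validity, not a complete certificate.
const SAMPLE_HEX = '304c304aa003020102020301e240300a06082a8648ce3d040302' +
  '30123110300e06035504030c0754657374204341' +
  '301e170d3234303130313030303030305a170d3235303130313030303030305a';
const SAMPLE_B64 = btoa(SAMPLE_HEX.replace(/../g, (h) => String.fromCharCode(parseInt(h, 16))));
const SAMPLE_PEM = `-----BEGIN CERTIFICATE-----\n${SAMPLE_B64}\n-----END CERTIFICATE-----`;
```

The same walk works on a real certificate pasted in place of SAMPLE_PEM, since these fields come first in every X.509 TBSCertificate; it reads fields only and does not verify the signature or chain.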