Oh MyUtils

Certificate Decoder - Decode X.509 PEM Certificates Online

Decode and inspect X.509 PEM certificates. View subject, issuer, validity, extensions, SANs, and fingerprints — 100% client-side, no data sent to server.

100% Client-Side — Your certificate data never leaves this browser
PEM Certificate

Frequently Asked Questions

What is a Certificate Decoder?

A Certificate Decoder is an online tool that parses X.509 PEM-encoded digital certificates and displays their contents in a human-readable format. X.509 certificates are the standard format used in SSL/TLS to establish secure HTTPS connections. They are encoded using ASN.1 DER (Distinguished Encoding Rules) and wrapped in PEM (Privacy-Enhanced Mail) format with Base64 encoding. This tool extracts key information such as the domain name (Subject), the certificate authority that issued it (Issuer), validity dates, public key details, and security extensions — all without needing to install OpenSSL or use command-line tools.

How do I use this Certificate Decoder?

1. Obtain your PEM certificate from a .pem, .crt, or .cer file, or export it from your web server or browser. 2. Paste the PEM text into the input textarea. The certificate should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. 3. The tool automatically decodes the certificate and displays the results — no button click required. 4. Review the Certificate Summary card for a quick overview (domain, issuer, expiration status). 5. Navigate through the Details, Extensions, and Chain tabs for more information. 6. Click the copy button next to any field to copy its value. 7. For certificate chains, paste all certificates in order. The tool will parse each one and show the chain hierarchy.

Is my certificate data safe? Does it get sent to a server?

Your certificate data is 100% safe and never leaves your browser. All certificate parsing — ASN.1 decoding, extension extraction, fingerprint computation — is performed entirely client-side using JavaScript. The tool uses the @peculiar/x509 library for ASN.1 parsing and the browser's native Web Crypto API for fingerprint computation. No data is transmitted to any server, no analytics track your certificate content, and no data is stored anywhere beyond your browser tab's memory. This makes the tool safe for parsing certificates containing internal domain names, organizational details, or other sensitive infrastructure information.

What is the difference between PEM and DER format?

DER (Distinguished Encoding Rules) is the raw binary format used to encode X.509 certificate data according to ASN.1 rules. It is a compact binary representation that is not human-readable. PEM (Privacy-Enhanced Mail) is a text-based wrapper around DER data. It Base64-encodes the DER bytes and adds -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. PEM is the most common format for certificate exchange because it can be safely copied and pasted as text, embedded in configuration files, and transmitted over text-based protocols. This tool accepts PEM format. If you have a DER-encoded .der file, you can convert it using: openssl x509 -inform der -in cert.der -out cert.pem.

What is a certificate chain and how does this tool handle it?

A certificate chain (or chain of trust) is a sequence of certificates linking a website's leaf certificate to a trusted root Certificate Authority (CA). The chain typically consists of: 1) Leaf Certificate — the server's own certificate containing the domain name, 2) Intermediate CA Certificate(s) — certificates issued by the root CA to delegate signing authority, 3) Root CA Certificate — the self-signed certificate of a trusted Certificate Authority. When you paste a PEM block containing multiple certificates, this tool parses each one and displays them in chain order, identifying each certificate's position (leaf, intermediate, root).

What are X.509 v3 extensions?

X.509 v3 extensions are optional fields in certificates that convey additional information. Common extensions include: Subject Alternative Names (SAN) for additional domain names and IPs, Key Usage for allowed cryptographic operations (digital signature, key encipherment), Extended Key Usage for specific purposes like TLS server authentication or code signing, Basic Constraints to indicate if a certificate is a CA, Authority/Subject Key Identifier for building certificate chains, and CRL Distribution Points for revocation checking. Extensions can be Critical (must be understood by the verifier) or Non-Critical (informational).

How is the certificate fingerprint computed?

A certificate fingerprint (or thumbprint) is a cryptographic hash of the entire DER-encoded certificate bytes. It is NOT part of the certificate itself — it is computed externally as a compact identifier for referencing a specific certificate. This tool computes both SHA-256 and SHA-1 fingerprints using the browser's Web Crypto API (crypto.subtle.digest()). The result is displayed in colon-separated hexadecimal format (e.g., AB:CD:EF:12:34:...). SHA-256 fingerprints are preferred for security; SHA-1 fingerprints are included for compatibility with older systems.

Code Examples

// Certificate Decoder - JavaScript Implementation
// Uses Web Crypto API for fingerprint computation

/**
 * Extract the DER bytes from a PEM string
 * @param {string} pem - PEM-encoded certificate
 * @returns {ArrayBuffer} DER-encoded certificate bytes
 */
function pemToDer(pem) {
  const base64 = pem
    .replace(/-----BEGIN CERTIFICATE-----/g, '')
    .replace(/-----END CERTIFICATE-----/g, '')
    .replace(/\s/g, '');
  const binary = atob(base64);
  const bytes = new Uint8Array(binary.length);
  for (let i = 0; i < binary.length; i++) {
    bytes[i] = binary.charCodeAt(i);
  }
  return bytes.buffer;
}

/**
 * Parse multiple certificates from a PEM chain
 * @param {string} pemText - PEM text (may contain multiple certificates)
 * @returns {string[]} Array of individual PEM certificate strings
 */
function extractPemBlocks(pemText) {
  const regex = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;
  return pemText.match(regex) || [];
}

/**
 * Compute SHA-256 fingerprint of a DER-encoded certificate
 * @param {ArrayBuffer} derBytes - DER-encoded certificate
 * @returns {Promise<string>} Colon-separated hex fingerprint
 */
async function computeSha256Fingerprint(derBytes) {
  const hashBuffer = await crypto.subtle.digest('SHA-256', derBytes);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  return hashArray
    .map(b => b.toString(16).padStart(2, '0').toUpperCase())
    .join(':');
}

// Usage with @peculiar/x509:
// import { X509Certificate } from '@peculiar/x509';
// const cert = new X509Certificate(pem);
// console.log('Subject:', cert.subject);
// console.log('Issuer:', cert.issuer);

Related Tools

UUID Generator - Generate UUID v4 & v7 Online
ULID Generator - Generate Sortable Unique IDs Online
Hash Generator - MD5, SHA-256 & SHA-512 Online
JWT Decoder - Decode JSON Web Tokens Online
Chmod Calculator - Unix File Permission Calculator Online
RSA Key Pair Generator - RSA & Ed25519 Online