About X.509 Certificate Decoder

Decodes public X.509 certificates inside the browser instead of sending them to an upload service. It supports PEM chains and individual DER files, then exposes the subject, issuer, serial number, validity window, subject alternative names, public-key and signature algorithms, key usages, CA constraints, and fingerprints. It also calls out expired certificates, near-term expiry, weak RSA sizes, old elliptic curves, and MD5 or SHA-1 signatures.

  • Uses a maintained ASN.1 and X.509 parser rather than hand-written certificate decoding.
  • Accepts up to 20 PEM certificates at once or a single DER certificate up to 2 MB.
  • Rejects PEM private keys before parsing and never generates, stores, or exports key material.
  • Does not fetch an endpoint, build a trust chain, check revocation, or claim that a certificate is trusted.

Frequently Asked Questions

Does this verify that the certificate is trusted?
No. Decoding shows what the certificate contains. Trust requires a chain, trust store, hostname, time, policy, and often revocation checks, none of which are inferred here.
Why show a SHA-1 fingerprint?
SHA-1 fingerprints still appear in older operational workflows and are useful for comparison. The tool also provides SHA-256, which should be the primary fingerprint.

More Networking & IT Tools

All Networking & IT tools