How to use the Certificate & PEM Tools
Decode X.509 certificates, inspect CSRs, view SANs and expiry dates, and split PEM bundles into individual blocks before configuring TLS, NGINX, HAProxy, load balancers, mTLS clients, or certificate renewal tasks. Useful for cert audits, mTLS troubleshooting, expiry tracking, and chain validation. Everything runs in your browser; certificates and CSRs are never uploaded.
What it does
- Decodes X.509 certificates (PEM or DER → Base64): subject, issuer, serial number, validity (
notBefore, notAfter), SANs, key algorithm and size, signature algorithm, key usage, and extensions.
- Inspects CSRs (PKCS#10): subject, requested SANs, public key, signature algorithm.
- Splits PEM bundles: separates leaf, intermediate, and root certificates from a chained PEM file.
- Shows SHA-1 and SHA-256 fingerprints for matching against published thumbprints.
- Indicates expiry in days, with warning thresholds.
- Detects weak key sizes (RSA < 2048) and deprecated signature algorithms (SHA-1).
When to use it
- Confirm a TLS certificate's expiry before a planned maintenance window.
- Verify that Subject Alternative Names (SANs) include the correct hostnames.
- Inspect a CSR before submitting it to a CA.
- Separate the leaf certificate from intermediates in a server bundle.
- Check fingerprints when configuring mTLS client trust.
- Debug "certificate chain incomplete" warnings.
How to use it
- Pick the tab: X.509 Decode, CSR Viewer, or PEM Splitter.
- Paste the full PEM block (including
-----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----).
- Click Decode (or Split) — the parsed fields appear instantly.
- Copy individual blocks from the splitter into the leaf, intermediate, or chain files your server needs.
- For private keys and JWKs, use the JWK / JWKS / PEM Converter.
Tips & pitfalls
- Always include the full PEM block, including the
-----BEGIN----- / -----END----- lines.
- The expiry date is
notAfter — set renewal reminders at least 30 days before; cloud-managed certs often auto-renew shorter cycles.
- Server bundles often include the leaf + intermediates. The splitter separates them so your server config can serve the right chain.
- Modern browsers ignore the
CN for hostname matching — make sure the SAN list contains every hostname.
- Do not paste private keys into a certificate tool — even though this runs locally, treat keys with care.
- Self-signed certificates are valid PEM but will be rejected by browsers unless trusted explicitly.
FAQ
- How do I decode a TLS certificate? Paste the PEM block into X.509 Decode. The tool shows subject, issuer, SANs, validity, and fingerprints.
- How do I check certificate expiry? The
notAfter field is the expiry — the tool also reports days remaining.
- How do I split a PEM bundle into individual certificates? Paste the full bundle into the PEM Splitter — each certificate is extracted with its
-----BEGIN----- / -----END----- intact.
- What is a SAN? Subject Alternative Name — the list of hostnames the certificate is valid for. Modern browsers require it; CN matching is deprecated.
- Are my certificates uploaded? No. All decoding runs in your browser.
- Can it decode private keys? Use the JWK / JWKS / PEM Converter for keys; this tool focuses on certificates and CSRs.
- How do I decode an X.509 certificate or PEM file online? Paste the PEM block (-----BEGIN CERTIFICATE-----) into X.509 Decode and the tool shows subject, issuer, SANs, validity, and fingerprints. Everything runs in your browser; nothing is uploaded.
Related tools
Runs locally in your browser. No uploads. Certificates and CSRs are parsed entirely in-browser.
Related guides
Daily Developer Tools