Decode an X.509 Certificate
Inspect TLS certificate subject, issuer, SANs, and expiry dates. Decode CSRs before submission. Split PEM bundles into individual blocks.
Open Certificate & PEM Tools with a ready-to-run example.
- You need to confirm a TLS certificate's expiry date before a planned maintenance window.
- You want to verify that the Subject Alternative Names (SANs) include the correct domains.
- You received a CSR from a developer and need to check the subject fields before signing.
- You have a PEM bundle from your load balancer and need to split it into individual certificates for inspection.
- Open Certificate & PEM Tools and select the X.509 Decode tab.
- Paste the PEM block (including the
-----BEGIN CERTIFICATE-----header and footer). - Click Decode to see the subject, issuer, validity period, SANs, and key algorithm.
- Switch to CSR Viewer or PEM Splitter as needed for other certificate workflows.
- Include the full PEM block including the
-----BEGIN-----and-----END-----lines. - If your server returns a certificate chain, paste the entire chain into the PEM Splitter to separate the leaf cert from intermediates.
- The
notAfterfield is the expiry date — set a calendar reminder at least 30 days before it. - A CSR does not contain the validity period — that is set by the CA during signing.
Self-signed certificate (example.com)
-----BEGIN CERTIFICATE----- MIICpDCCAYwCCQDU9pQ4pHXSpDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAl leGFtcGxlIENBMB4XDTIzMDEwMTAwMDAwMFoXDTI0MDEwMTAwMDAwMFowGzEZMBcG A1UEAwwQYXBpLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEA2a2rwplBQLzHPZe5RJa9ZfFDkCgHdOgUMFm3+7bXnsTKtOMSWUAMECKk POGVYhksTQa7h/1Wv0n0yDWBhKsf3s6VxLbfhZt3YWPmwUMnVDxhLGJsxhpHbAg5 GSmJWJBhEPRKxnWW5SXKC5R6o5qVKp6VH4S7xnwOqsxVDRV6GQA3g8Dw7fsTrPHI O+dFq+PpjFWmWijEAhMn3QUzDYFzDQ9VGQhOLq9HibJKBjqAUDAnBq5EbNLQyTTn MHZh1TF4J8J0yq7uHklOoLPDEPjqxvVGd6G5tQ1LFqJlRDFNNRmPXbqrCTi2XRQP CRm4xz3Qv3bF7TbqJkVlDQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCzRH4G3UZP -----END CERTIFICATE-----
Subject: CN=api.example.com Issuer: CN=example CA Valid from: 2023-01-01 Valid until: 2024-01-01 Algorithm: RSA 2048-bit SANs: api.example.com
PEM (Privacy Enhanced Mail) is a Base64-encoded format for storing cryptographic objects. PEM blocks are bounded by -----BEGIN ...----- and -----END ...----- lines and can contain certificates, keys, or CSRs.
In Chrome, click the padlock → Certificate Details. Via command line: openssl s_client -connect example.com:443 < /dev/null | openssl x509 -text -noout. Copy the PEM block from the output and paste it into the tool.
A Certificate Signing Request contains your public key and subject information (CN, O, SANs). You submit it to a Certificate Authority which signs it and returns the certificate. Use the CSR Viewer mode to check the fields before submission.
Yes. Paste the entire PEM chain into the PEM Splitter mode and the tool separates each -----BEGIN CERTIFICATE----- block into individual sections you can inspect or download.
Privacy-first: runs locally in your browser. No uploads.