Question 1

What is an X.509 certificate?

Accepted Answer

X.509 is a standard format for public key certificates used in SSL/TLS, code signing, email encryption, and authentication. Certificates contain a public key, identity information (domain, organization), validity period, and digital signature from a Certificate Authority (CA). They enable secure communications by proving the identity of servers, software, and users.

Question 2

What information can I extract from an X.509 certificate?

Accepted Answer

This tool decodes: Subject (certificate owner identity), Issuer (who signed the certificate), Validity period (not before/after dates), Serial number, Public key algorithm and size, Signature algorithm, Extensions (SANs, key usage, basic constraints), Fingerprints (SHA-1, SHA-256), and encoded public key. This helps verify certificate authenticity, check expiration, identify certificate chains, and troubleshoot SSL/TLS issues.

Question 3

What certificate formats does this tool support?

Accepted Answer

The tool accepts PEM format (Base64-encoded, between BEGIN/END CERTIFICATE headers) and raw Base64 without headers. PEM is the most common format for certificates on Linux/Unix systems and web servers. If you have a DER (binary) certificate, convert it to PEM using: openssl x509 -inform der -in cert.der -out cert.pem

Question 4

How do I get a certificate to decode?

Accepted Answer

From a website: Use browser dev tools (Security tab) or command line: openssl s_client -connect example.com:443 -servername example.com | openssl x509 -text. From a file: cat certificate.crt. From a certificate chain: Extract individual certificates between BEGIN/END markers. This tool processes one certificate at a time.

Question 5

What are SANs (Subject Alternative Names)?

Accepted Answer

SANs are extensions listing additional identities the certificate is valid for. Modern certificates use SANs for multiple domains (e.g., example.com, www.example.com, api.example.com). SANs replaced the Common Name (CN) field as the primary way to specify certificate domains. They can contain DNS names, IP addresses, email addresses, or URIs.

Question 6

How can I verify if a certificate is valid?

Accepted Answer

Check: (1) Current date is within the validity period (Not Before/Not After), (2) Certificate is issued by a trusted CA (verify issuer), (3) Domain matches the Subject or SANs, (4) Certificate has not been revoked (check CRL/OCSP), (5) Signature is valid (verify with issuer public key), (6) Key usage extensions match intended purpose. This tool shows the data; manual verification or command-line tools (openssl verify) confirm trust.

Question 7

Is my certificate data sent to your servers?

Accepted Answer

No. All certificate decoding happens entirely in your browser using JavaScript. The certificate data never leaves your computer. This ensures complete privacy and security, making it safe to analyze certificates from internal systems, development environments, or sensitive production services. The tool processes certificates locally without any server uploads.

Question 8

What should I do if decoding fails?

Accepted Answer

Ensure the certificate is in PEM format with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers, or pure Base64 without headers. Remove any extra whitespace or line breaks outside the PEM block. If you have a certificate chain, extract only one certificate. If you have a private key file, use the certificate portion (not the PRIVATE KEY section). DER certificates need conversion to PEM first.

X.509 Certificate Decoder

Need Professional IT Services?

Frequently Asked Questions

Explore More Tools

SSL Certificate Checker

Certificate Transparency Lookup

Hash Generator

Base64 Encoder/Decoder

⚠️ Security Notice