Free Online X.509 / PEM Certificate Decoder

Instantly decode and inspect X.509 SSL/TLS certificates in PEM format. View subject, issuer, validity dates, SANs, key usage, and SHA fingerprints — 100% private, runs entirely in your browser. Your certificate never leaves your device.

Last updated: May 22 2026

Reviewed by the QuickTooly Team

Certificate Decoder Guide

Why Use QuickTooly.com's Certificate Decoder?

  • 100% private: Your certificate is decoded entirely in your browser — no data ever reaches a server.
  • Instant results: Paste a PEM certificate and get all fields decoded in milliseconds.
  • Complete field extraction: Subject, issuer, SANs, validity, key algorithm, fingerprints, and extension flags.
  • Safe for sensitive certs: Never upload private keys or internal CA certificates to an unknown server again.
  • DevOps-ready: Quickly verify certs during deployments, renewals, or debugging TLS handshake failures.
  • No registration: Open the tool and start decoding — no account, no sign-up, no ads.

What is an X.509 Certificate?

An X.509 certificate is a digital document that binds a public key to an identity (such as a domain name, organization, or email address). It is the foundation of SSL/TLS encryption on the web and is used in HTTPS, code signing, email signing (S/MIME), VPNs, and mutual TLS authentication.

X.509 certificates are defined by RFC 5280 and are issued by Certificate Authorities (CAs) such as Let's Encrypt, DigiCert, and Sectigo. They are encoded in DER (binary) or PEM (Base64-armored) format. The PEM format wraps the Base64-encoded DER data between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.

Key Certificate Fields Explained

  • Subject — The entity the certificate is issued to, expressed as a Distinguished Name (e.g., CN=example.com, O=Example Inc).
  • Issuer — The Certificate Authority that signed and issued this certificate.
  • Serial Number — A unique identifier assigned by the CA to this specific certificate.
  • Valid From / Valid To — The certificate's active window. Browsers reject certificates outside this range.
  • Subject Alternative Names (SANs) — Additional hostnames, IP addresses, or email addresses the certificate covers. Modern TLS relies on SANs rather than the Common Name (CN).
  • Public Key Algorithm — The algorithm of the embedded public key (e.g., RSA 2048-bit, ECDSA P-256).
  • Signature Algorithm — The algorithm the CA used to sign the certificate (e.g., SHA-256 with RSA).
  • SHA-256 / SHA-1 Fingerprint — A hash of the certificate's full DER encoding, used to identify that exact certificate. Use SHA-256 for security-critical comparisons; SHA-1 is provided for legacy compatibility.

Common Use Cases for Certificate Decoding

Certificate decoding is a daily task for DevOps and security engineers. Typical scenarios include verifying that a renewed certificate covers the correct SANs before deployment, diagnosing TLS handshake failures by comparing the certificate chain, confirming expiry dates during incident response, checking that a certificate's issuer matches the expected CA in a zero-trust environment, pinning a certificate by its SHA-256 fingerprint in a mobile or IoT application, and auditing code-signing certificates before a software release.

How to Decode a Certificate

Decoding a certificate with QuickTooly.com takes just three steps:

  • Obtain your PEM certificate — copy it from your web server config, run openssl s_client -connect example.com:443 < /dev/null 2>/dev/null | openssl x509, or export it from a browser or keystore.
  • Paste the PEM block into the text area above, including the -----BEGIN CERTIFICATE----- header and the -----END CERTIFICATE----- footer.
  • Click "Decode Certificate" — all fields appear instantly, with copy buttons for easy use in scripts or configs.

Certificate Security Best Practices

Always decode certificates from a tool that processes them locally — never paste internal CA certificates, client certificates, or certificates tied to private keys into an unknown online service. Verify SANs cover every hostname that will use the certificate before deploying. Monitor expiry dates and renew at least 30 days before expiration. For high-security applications, pin the SHA-256 fingerprint rather than relying solely on CA validation. Prefer ECDSA P-256 keys over RSA 2048 for new certificates — smaller, faster, and equally secure.

Frequently Asked Questions

Is my certificate data safe to paste here?

Yes. QuickTooly's certificate decoder is entirely client-side — your PEM data is processed in your browser using the open-source @peculiar/x509 library and is never transmitted to any server. It is safe to paste internal, self-signed, or corporate CA certificates.

What certificate formats does this tool support?

This tool supports PEM-encoded X.509 certificates (the most common format), identified by the -----BEGIN CERTIFICATE----- header. DER (binary) format is not directly supported — convert with openssl x509 -inform DER -in cert.der -out cert.pem first.

Can I decode a certificate chain (multiple PEM blocks)?

The tool decodes the first certificate found in the pasted PEM block. If you have a chain file, paste each certificate individually to inspect intermediate or root CA certificates separately.

What is the difference between SHA-1 and SHA-256 fingerprints?

Both are hashes of the full certificate DER bytes. SHA-1 (40 hex chars) is provided for legacy compatibility — some older systems and browsers still display it. SHA-256 (64 hex chars) is the modern standard and should be used for security-critical operations like certificate pinning.
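The chain handling and fingerprint definition described above can be reproduced locally. The following is an added example, not QuickTooly's own code: it uses only Node.js's built-in crypto module rather than @peculiar/x509, splits a chain file into its certificate blocks, hashes each block's DER bytes, and compares the leaf against a pinned SHA-256 value. The function names and the sample chain are assumptions made for illustration; the sample blocks are placeholder bytes, not real certificates.

```javascript
// Added example: split a PEM chain, fingerprint each block, check a pin.
const { createHash } = require('node:crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;

// Return the DER bytes of every CERTIFICATE block, in file order.
// Text outside the markers (comments, "subject=" lines) is ignored.
function splitPemChain(text) {
  const ders = [];
  for (const m of text.matchAll(PEM_BLOCK)) {
    const b64 = m[1].replace(/\s+/g, '');
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
      throw new Error(`certificate block ${ders.length + 1} is not valid Base64`);
    }
    ders.push(Buffer.from(b64, 'base64'));
  }
  return ders;
}

// A fingerprint is the hash of the full DER encoding, here as lowercase hex.
function fingerprint(der, algorithm = 'sha256') {
  return createHash(algorithm).update(der).digest('hex');
}

// Accept "AB:CD:..." (openssl style) or plain hex; return bare lowercase hex.
function normalizePin(pin) {
  return pin.replace(/[:\s]/g, '').toLowerCase();
}

// True if the leaf (first) certificate matches a pinned SHA-256 fingerprint.
function leafMatchesPin(pemText, pin) {
  const [leaf] = splitPemChain(pemText);
  if (!leaf) throw new Error('no CERTIFICATE block found');
  const want = normalizePin(pin);
  if (!/^[0-9a-f]{64}$/.test(want)) throw new Error('pin is not a SHA-256 fingerprint');
  return fingerprint(leaf) === want;
}

// Constructed sample: placeholder bytes wrapped as PEM (not real certificates).
function toPem(der) {
  const b64 = der.toString('base64').match(/.{1,64}/g).join('\n');
  return `-----BEGIN CERTIFICATE-----\n${b64}\n-----END CERTIFICATE-----\n`;
}
const sampleChain =
  toPem(Buffer.alloc(100, 0x30)) + 'intermediate follows\n' + toPem(Buffer.alloc(70, 0x31));

for (const [i, der] of splitPemChain(sampleChain).entries()) {
  console.log(i, der.length, fingerprint(der), fingerprint(der, 'sha1'));
}
```

Run it with a real chain file by passing the file's text to splitPemChain; index 0 is the block a first-certificate-only decoder would show.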

How do I get a certificate in PEM format from my server?

Run: openssl s_client -connect yourdomain.com:443 < /dev/null 2>/dev/null | openssl x509. This prints the leaf certificate in PEM format. Copy the full output including the headers and paste it into the tool above.

Why does the tool show "EXPIRED" even though my server is working?

If the expiry badge shows "EXPIRED", the Not After date in the certificate is in the past. Your server may still be serving it (browsers cache connections), or you may have pasted an old certificate. Renew the certificate and re-decode to confirm the new expiry date.