SSL Certificate & CSR Decoder
Paste a certificate, CSR, or full chain and see everything inside it - expiry with days remaining, SANs, key strength, signature algorithm, fingerprints, and chain order with signature checks. Decoding runs entirely in your browser; nothing is uploaded.
Decoding runs entirely in your browser - nothing is uploaded. Certificates and CSRs are public data, but the same applies here regardless.
Prefer to decode offline, or need a live site's certificate? The openssl equivalents:
openssl x509 -in certificate.pem -noout -textopenssl req -in server.csr -noout -text -verifyopenssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -textopenssl x509 -in certificate.pem -noout -datesopenssl x509 -in certificate.pem -noout -fingerprint -sha256What the decoder shows you
A certificate is an ASN.1 structure that is unreadable by eye. This tool decodes it into the fields you actually check: who it was issued to (subject and SANs), who issued it, when it expires (with days remaining and an expiring-soon warning), the key type and strength, the signature algorithm, and the SHA-256 / SHA-1 fingerprints you compare when pinning or debugging.
It also flags real problems automatically: expired or not-yet-valid certificates, SHA-1 signatures, RSA keys under 2048 bits, missing SANs, and validity periods longer than the 398-day cap for publicly-trusted TLS.
Decoding a CSR before you send it to a CA
A CSR (Certificate Signing Request) is what you generate with openssl req -new and hand to a certificate authority. Decode it here first to confirm the Common Name, the requested SANs, and the key sizeare right - a wrong SAN list is the most common reason a freshly issued certificate fails hostname verification. The tool also verifies the CSR's own signature, which proves the file was not corrupted in transit.
Chain order: why fullchain.pem order matters
A server should send the leaf certificate first, then each intermediate, in order. Some TLS stacks tolerate a shuffled bundle, but many strict clients (and tools like older Java or embedded devices) refuse the handshake. Paste your fullchain.pem here: the tool resolves the correct order, verifies that each certificate is genuinely signed by the next one, detects duplicates and missing intermediates, and gives you a corrected bundle to copy when the order is wrong.
A missing intermediateis the classic "works in Chrome, fails in curl" bug - browsers cache intermediates, command-line clients do not.
Checking a live website (what a browser tool cannot do)
Browsers cannot open raw TLS connections to arbitrary hosts, so no client-side tool can fetch a live server's certificate - tools that do are running the check on their servers. The honest equivalent is one command on your machine: openssl s_client -connect example.com:443 -servername example.com, piped into openssl x509 -noout -text. The decoder shows this exact command with copy buttons, plus the offline equivalents for files.
Is it safe to paste a certificate here?
Yes. Certificates and CSRs contain only public data- your server hands the certificate to every client that connects. Decoding still runs 100% client-side with no network calls, which you can confirm with the browser's network tab open. The one thing you should never paste anywhere is a private key - and if you do it here by accident, the tool refuses to decode it and reminds you to keep it secret.
Certificate file formats at a glance
| Format | What it is | Typical file |
|---|---|---|
| PEM | Base64 text with BEGIN/END lines - the format this tool reads | cert.pem / fullchain.pem |
| DER | The same data in raw binary - upload it as a file | cert.der / cert.cer |
| CSR (PKCS#10) | A signing request you send to a CA | server.csr |
| PKCS#7 | Certificate bundle - extract with openssl first | bundle.p7b |
| PKCS#12 | Certs + private key in one encrypted file - keep it offline | site.pfx / site.p12 |
Frequently asked questions
Related developer tools
Manage the servers, not just the certs.
CtrlOps is a modern SSH workspace for the machines your certificates live on - organized hosts, secure key management, and instant terminals. Decode the cert here, fix it on the server in one click.
✓ Start instantly·✓ No credit card·✓ No sneaky autorenewals

