What it does

Paste a certificate in PEM, base64, or hex and the tool decodes it: the subject and issuer, the validity window, the public key, and the v3 extensions, together with SHA-256 and SHA-1 fingerprints. It parses the certificate entirely in your browser and contacts nothing.

What an X.509 certificate holds

An X.509 certificate binds a public key to an identity, signed by a certificate authority. Its main body, the TBSCertificate ("to be signed"), carries the fields the CA vouches for: the version and serial number, the issuer and subject distinguished names, the validity window (notBefore and notAfter), the subject's public key, and a set of extensions; the CA's signature over that body is what makes the whole thing trustworthy. The tool walks the DER-encoded ASN.1 (the tag-length-value encoding defined by X.690) into readable fields, and renders distinguished names most-specific-first in the RFC 4514 style.

The v3 extensions that matter

Most of what makes a modern certificate useful lives in its v3 extensions, and the decoder surfaces the important ones:

  • Subject Alternative Names, the list of hostnames the certificate is actually valid for (the subject common name is legacy for this purpose);
  • Key Usage and Extended Key Usage, which constrain what the key may do, such as server authentication;
  • Basic Constraints, which says whether the certificate is a CA and may sign others;
  • Authority Information Access, from which the OCSP responder location (RFC 6960) is surfaced; and
  • the TLS Feature extension, whose status_request flag is the Must-Staple marker (RFC 7633).

For elliptic-curve keys, the named curve (P-256, P-384, or P-521) is read from the key info per RFC 5480.

Fingerprints

A fingerprint is a hash of the certificate's raw DER bytes, and it uniquely identifies that exact certificate, which is what certificate pinning and many tools compare on. The tool shows the SHA-256 fingerprint, the current standard, and the SHA-1 fingerprint, still common in older tooling despite SHA-1's weakness for collisions.

Using it

Paste a certificate as PEM, base64, or hex and read its subject, issuer, validity, key, and extensions, with both fingerprints. The decode is deterministic; whether the certificate is expired right now is shown separately, against your device clock.