Paste a PEM certificate to decode
Supports X.509 certificates in PEM format (Base64-encoded DER)
About
The SSL Certificate Decoder parses and displays all fields of an X.509 certificate provided in PEM format — the base64-encoded format used by NGINX, Apache, Let's Encrypt, and most certificate authorities. Paste your PEM certificate to see: the subject (CN, O, OU, C, L, ST), the issuer (CA details), validity window and days remaining with colour-coded expiry warnings, subject alternative names (SANs), SHA-256 and SHA-1 fingerprints, the public key type (RSA or EC) and size or curve name, the signature algorithm, the serial number, and whether the certificate is a CA certificate. Decoding uses the WebCrypto API built into your browser — your certificate is never transmitted anywhere.
How to use
1. Paste a PEM certificate into the left panel — it should start with `-----BEGIN CERTIFICATE-----` and end with `-----END CERTIFICATE-----`.
2. Click "Load example" to see a demonstration with a real root CA certificate.
3. The tool decodes automatically after a short delay.
4. Check the validity banner: green = valid, amber = expires within 30 days, red = expired.
5. Use the copy button next to fingerprints to grab the SHA-256 value for certificate pinning.
6. Review the Subject Alternative Names list to confirm all intended hostnames are covered.
- How do I get the PEM certificate for my website?
  Extract it with OpenSSL: `echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | sed -n "/BEGIN/,/END/p"`. Or click the padlock icon in your browser address bar, view the certificate, and export or copy the PEM data.
- What is the difference between a DER and PEM certificate?
  DER is the raw binary format of an X.509 certificate. PEM is the same data base64-encoded with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` header lines. This tool only accepts PEM. Convert DER to PEM with: `openssl x509 -inform DER -in cert.der -out cert.pem`.
- What are Subject Alternative Names (SANs)?
  SANs are additional hostnames (and sometimes IP addresses) the certificate is valid for. Modern browsers require the hostname to be listed in SANs — the CN alone is no longer trusted. A wildcard like `*.example.com` covers immediate subdomains but not sub-subdomains.
- Is my certificate sent to any server?
  No. The entire decoding process uses the WebCrypto API and JavaScript — your certificate data never leaves your browser. This is safe for internal certificates, self-signed certs, or any certificate you would not want sent to a third party.
- Why does the decoder show a "Decode error"?
  Common causes: (1) Incomplete PEM — the base64 payload is truncated; (2) Multiple certificates chained together — paste only the first BEGIN/END block; (3) The PEM is a CSR or private key rather than a certificate — those are not supported.
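
The three "Decode error" causes above can be told apart before any certificate parsing is attempted. The following is an added example, not the decoder's own code; it runs in a browser console or Node.js, the function names and reason strings are hypothetical, and the sample input is a constructed DER header rather than a real certificate.

```javascript
// Added example, not the decoder's source. All function names are hypothetical.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/g;

// Total encoded length declared by the outer DER header, or null if the
// data does not start with a definite-length SEQUENCE (tag 0x30).
function declaredDerLength(der) {
  if (der.length < 2 || der[0] !== 0x30) return null;
  if (der[1] < 0x80) return 2 + der[1];            // short-form length
  const n = der[1] & 0x7f;                         // long form: n length bytes
  if (n === 0 || n > 4 || der.length < 2 + n) return null;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
  return 2 + n + len;
}

// Classify pasted text before handing it to a certificate parser.
function diagnosePem(text) {
  const blocks = [...text.matchAll(PEM_BLOCK)];
  if (blocks.length === 0) {
    const hasBegin = /-----BEGIN [A-Z0-9 ]+-----/.test(text);
    return { ok: false, reason: hasBegin ? "missing-end-line" : "no-pem-block" };
  }
  const [, label, body] = blocks[0];
  if (label !== "CERTIFICATE") return { ok: false, reason: "not-a-certificate", label };
  const b64 = body.replace(/\s+/g, "");
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) {
    return { ok: false, reason: "invalid-base64" };
  }
  const der = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const want = declaredDerLength(der);
  if (want === null) return { ok: false, reason: "not-der-sequence" };
  // A payload cut short decodes cleanly but is shorter than its header claims.
  if (want !== der.length) return { ok: false, reason: "truncated", want, got: der.length };
  return { ok: true, extraBlocks: blocks.length - 1 };
}

// Constructed sample: a DER SEQUENCE header over zero bytes, NOT a real certificate.
function constructedPem(label, payloadLen, keepChars = Infinity) {
  const der = [0x30, 0x82, payloadLen >> 8, payloadLen & 0xff, ...new Array(payloadLen).fill(0)];
  const b64 = btoa(String.fromCharCode(...der)).slice(0, keepChars);
  return `-----BEGIN ${label}-----\n${b64.match(/.{1,64}/g).join("\n")}\n-----END ${label}-----\n`;
}

console.log(diagnosePem(constructedPem("CERTIFICATE", 300, 200)));
```

A non-zero `extraBlocks` on an otherwise valid result means a chain or bundle was pasted and only the first block was checked.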