PKI and TLS utility
X.509 & PEM Certificate Decoder & Inspector
Decode and inspect certificate validity, subject and issuer names, public-key details, SANs, key usage, extensions, fingerprints, and basic pasted-chain relationships without uploading the certificate bundle.
Certificate decoder & inspector
Paste a certificate or PEM bundle to decode
Supports PEM certificate blocks and base64 DER certificate input. Decoding and inspection remain in the browser. The tool performs structural inspection only and does not verify signatures, revocation, trust anchors, or complete TLS service identity.
Multiple certificates can be pasted together. Other PEM block types are identified where possible.
Inspection notes
Text report
Inspect certificates to generate a local text report.
FAQ
Certificate decoder and inspector questions
Does this validate that a certificate is trusted?
No. It parses certificate fields and performs practical local checks. It does not verify the certificate signature, build a trusted path against an operating-system or browser trust store, check OCSP/CRLs, or establish that a TLS service is trustworthy.
What happens if I paste a private key?
The page identifies common private-key PEM block types and shows a warning. It intentionally does not parse, display, copy, include, or export the private-key bytes in the inspection report.
What does the hostname check do?
It compares the entered DNS name or IP address against parsed Subject Alternative Name entries. DNS wildcards are limited to a complete left-most label. It is a debugging aid, not complete TLS identity verification.
Can I inspect a certificate chain?
Yes. Paste multiple certificate blocks. The tool compares issuer and subject names and, when present, Authority Key Identifier and Subject Key Identifier values. It does not cryptographically verify the chain signatures.
Is certificate data uploaded?
No. Parsing and fingerprint calculation run in your browser. The page does not upload or save the pasted input.