PKI Toolkit
Certificate Decoder

Decode a certificate and see exactly what it says

Paste or upload an issued TLS certificate to check its subject, issuer, validity window and expiry countdown, Subject Alternative Names, key usage, and fingerprint — at a glance.

Runs entirely in your browser — nothing you paste or upload is sent anywhere

Decode a certificate

A certificate is public information by design, so it's always safe to paste or upload one here.

Paste PEM text, or upload a PEM (.pem/.crt/.cer) or binary DER (.der/.cer) file below.
Ready to check
Paste or upload a certificate and press Decode to see its contents.

What you'll see

Every field below is read directly from the certificate — nothing is checked against a CA, a revocation list, or a live server.

Subject
No certificate decoded yet.
Issuer
Serial number
Validity
Public key
Signature algorithm
SHA-256 fingerprint
Certificate Authority?
Subject Alternative Names
Key usage
Extended key usage
For non-technical readers

What "expiry" actually means here

A certificate is only trusted between its "valid from" and "valid to" dates. Past the expiry date, browsers and clients will reject it outright — this tool flags that countdown so you can renew before it becomes an outage.

Why key usage matters

Not every certificate can do every job

Key Usage and Extended Key Usage restrict what a certificate is allowed to be used for — for example, whether it can authenticate a server, a client, or sign other certificates. A certificate missing "Server Authentication" won't work for TLS even if everything else looks fine.

Next step

Check the whole chain, not just one certificate

A single certificate is only half the picture. Use the Certificate Chain Validator to confirm this certificate resolves up to a trusted root through its intermediates.