Certificate Decoder
Paste a PEM certificate or drop a .crt / .pem / .cer / .der file to read its subject, issuer, alternative names, validity and fingerprint — parsed entirely in your browser. Nothing is uploaded.
About X.509 certificates
An X.509 certificate binds a public key to an identity (a domain, an organisation, a person). It is a DER-encoded structure, usually wrapped in Base64 between -----BEGIN CERTIFICATE----- markers (PEM). This decoder reads that structure locally and shows the fields that actually matter when you debug a TLS setup: who it is for (subject and Subject Alternative Names), who issued it, how long it is valid, what key and signature algorithm it uses, and its fingerprint.
Subject vs SAN
Modern browsers ignore the legacy Common Name and match the hostname against the Subject Alternative Names only. If a certificate "works in curl but not in the browser", a missing SAN entry is the usual cause — check the SANs row above.
Fingerprints
The fingerprint is a hash of the whole certificate (the DER bytes), computed here with the browser's native crypto.subtle.digest. SHA-256 is the modern reference; SHA-1 is still shown because some pinning and console tools display it. Two systems showing the same fingerprint are looking at the exact same certificate.
Is the certificate uploaded?
No. Parsing is pure JavaScript and the hash is computed locally. A certificate is public by nature, but the promise holds anyway — open DevTools → Network and confirm nothing leaves your tab.