X.509 Certificate Inspector

Decode SSL/TLS and PKI certificates in seconds. View subject, issuer, validity, public key, SAN, key usage, and fingerprints — entirely in your browser.

Certificate Input

PEM · base64 · DER hex

Inspection Result

Paste a certificate and click Inspect Certificate. Results will appear here — your data never leaves your browser.

Local-only parsing

Certificates are decoded entirely in your browser. Nothing is uploaded — safe for private CAs and internal certificates.

Full X.509 v3 support

Decodes RSA, ECDSA, Ed25519, and Ed448 keys plus all standard v3 extensions like SAN, key usage, EKU, and CRL distribution points.

Fingerprints & validity

SHA-1 and SHA-256 fingerprints, expiry warnings, and detailed validity windows so you can verify pinning and rotation in seconds.

About X.509 Certificate Inspector

The X.509 Certificate Inspector is a free online tool that decodes SSL/TLS, S/MIME, and PKI certificates and shows every standard field in a clean, structured view. It accepts PEM blocks (the -----BEGIN CERTIFICATE----- format), bare base64 bodies, and raw DER hex dumps, then walks the full ASN.1 tree to extract the certificate's identity, validity, public key, and extensions.

X.509 is the standard defined in RFC 5280 that describes the structure of a digital certificate. Every TLS handshake, code-signing artifact, JWT-via-x5c chain, mutual TLS client cert, and S/MIME email signature uses an X.509 certificate to bind a public key to an identity. This inspector lets you audit those certificates without OpenSSL, without pasting them into an unknown server, and without leaving your browser.

The inspector reports the version, serial number, issuer DN, subject DN, validity window with expiry warnings, public key algorithm and size, signature algorithm, all v3 extensions (Subject Alternative Name, Key Usage, Extended Key Usage, Basic Constraints, Authority Information Access, CRL Distribution Points, and more), and SHA-1 / SHA-256 fingerprints used for certificate pinning.

How to Use the X.509 Certificate Inspector

  1. 1

    Get the certificate in a supported format

    Most certificates are already in PEM format (a base64 block wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). To export a TLS server cert run openssl s_client -connect example.com:443 -showcerts. To convert DER (.der / .cer) to PEM run openssl x509 -inform DER -in cert.der -out cert.pem.

  2. 2

    Paste, upload, or load the sample

    Paste the certificate into the input box, click Paste to pull from your clipboard, click Upload .crt / .pem to load a file, or click Sample to inspect the public GlobalSign Root R2 certificate.

  3. 3

    Click "Inspect Certificate"

    The parser decodes the ASN.1 / DER tree locally and renders the structured result in the right panel, with a green badge if the certificate is currently valid or a warning if it is expired or expires soon.

  4. 4

    Review and copy what you need

    Each section has a copy button, including the Subject and Issuer DN, the SHA-1 / SHA-256 fingerprints (for pinning), and the full PEM or DER hex. Extensions like Subject Alternative Name expand to show every covered DNS name, IP, and URI.

Common Use Cases

TLS troubleshooting

Confirm which CA signed a certificate, which hostnames are covered by SAN, and how long until the certificate expires before users see a browser warning.

Certificate pinning

Capture the SHA-256 fingerprint to pin in mobile apps, HSTS pre-load entries, or configuration management.

Audit private CAs

Inspect internal or self-signed certificates issued by your own PKI without uploading them to a third-party service.

JWT and OIDC keys

Decode the x5c certificate from a JWKS endpoint to confirm the embedded public key matches expectations.

Code signing review

Verify the issuer, subject, and Extended Key Usage of a code-signing certificate attached to a binary or installer.

Compliance & reporting

Capture key fields for inventory, expiration tracking, and security audits without running command-line tools.

Frequently Asked Questions

Is my certificate uploaded anywhere?

No. Parsing happens entirely in your browser using JavaScript. Nothing is sent to a server, which makes the tool safe for internal certificates issued by a private CA.

What input formats are supported?

PEM blocks labelled CERTIFICATE, TRUSTED CERTIFICATE, or X509 CERTIFICATE; bare base64 bodies without the BEGIN/END markers; and raw DER as a hex dump (with or without spaces).

What about PKCS#7, PKCS#12, or certificate chains?

This inspector decodes a single X.509 certificate at a time. Convert PKCS#7 (.p7b) or PKCS#12 (.p12 / .pfx) bundles to individual PEM certificates first using openssl pkcs7 -in chain.p7b -print_certs or openssl pkcs12 -in store.pfx -nokeys -out chain.pem.

Does it verify the certificate's signature or trust chain?

No. The inspector only decodes and displays fields. It does not validate the signature against the issuer's public key or check revocation. Use it as a quick decoder, then rely on your TLS stack or openssl verify for chain validation.

Which signature and key algorithms are recognized?

RSA (PKCS#1 v1.5 with SHA-1 / 256 / 384 / 512 and RSA-PSS), ECDSA on the P-256, P-384, P-521, and secp256k1 curves, and Ed25519 / Ed448. Unknown OIDs are still shown so you can identify legacy or proprietary algorithms.

Why are some extensions shown as raw bytes?

Extensions whose contents are not part of the standard set (for example, vendor OIDs or signed certificate timestamps) are displayed as a length and a hex dump. The OID and critical flag are still parsed so you can look the extension up in an OID registry.

Why does my certificate fail to parse?

The most common causes are accidentally including the private key block, truncated base64 (often from copy-paste), or a non-X.509 file like a CERTIFICATE REQUEST (CSR). Make sure the input contains exactly one CERTIFICATE block and try again.