plato·cert
Open DevTools → Network, paste a certificate and click Decode. Zero outbound requests from the tool. All ASN.1 parsing, OID lookup, and fingerprint computation (via SubtleCrypto) run locally in JavaScript. The only external request in the page is the Cloudflare Analytics beacon. View source on GitHub.

SSL Certificate Decoder

Paste a PEM-encoded certificate to decode all X.509 fields — subject, issuer, SANs, key usage, expiry countdown, SHA-256 fingerprint. Supports full chains. Works offline. Nothing uploaded.

How to use

  1. Get your PEM: run openssl s_client -connect example.com:443 -showcerts 2>/dev/null </dev/null | openssl x509 -outform PEM, or export from your certificate manager, hosting panel, or browser's padlock view.
  2. Paste and decode: paste the full PEM block (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) into the textarea, then click Decode Certificate or press Ctrl+Enter.
  3. Chain support: paste multiple PEM blocks concatenated — each certificate decodes as a separate card labeled leaf, intermediate, or root.
  4. Copy fields: every field has a copy button. Fingerprints appear within a second, computed asynchronously via the browser's built-in SubtleCrypto API.

Frequently asked questions

What is a PEM certificate and how do I decode it?

PEM (Privacy Enhanced Mail) is a base64-encoded format for X.509 certificates. It begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. To decode it, strip the header and footer lines, base64-decode the rest, and parse the resulting DER bytes as ASN.1. This tool does all that in your browser — paste and the fields appear instantly.

What is the difference between PEM, DER, and CRT?

DER is the binary encoding of an X.509 certificate using ASN.1 Distinguished Encoding Rules. PEM is a text encoding of DER: the binary bytes are base64-encoded and wrapped in header lines. .crt, .cer, and .cert files can contain either PEM or DER — the extension does not tell you which. Open a .crt in a text editor: if you see the BEGIN header it is PEM; if you see binary characters it is DER.

How can I check when an SSL certificate expires?

Paste the PEM here — the expiry countdown appears at the top of each decoded cert. From the command line: openssl x509 -noout -enddate -in cert.pem prints the notAfter date. From a browser: click the padlock icon → Certificate → Validity. Set up monitoring to alert you 30 or 14 days before expiry — expired certs cause hard failures for every visitor.

What are Subject Alternative Names (SANs)?

SANs are the list of hostnames, IP addresses, or email addresses a certificate is valid for. Modern TLS relies entirely on SANs — the Common Name (CN) field is deprecated for hostname matching per RFC 6125. A wildcard SAN like *.example.com covers one subdomain level (api.example.com) but not deeper levels (dev.api.example.com). For HTTPS to work on a domain, that domain must appear as a SAN, either exactly or through a matching wildcard.

What is the difference between SHA-1 and SHA-256 fingerprints?

A fingerprint is a hash of the entire DER-encoded certificate used to uniquely identify it. SHA-1 (160 bits, 20 bytes) is considered weak for signing, but SHA-1 fingerprints remain safe for identification purposes. SHA-256 (256 bits, 32 bytes) is the current best practice. Changing any certificate field — even just the serial number on a re-issue — produces a completely different fingerprint.

What is a certificate chain and why does it matter?

A chain is the sequence of certificates from your server cert up to a trusted root CA. Your server cert is signed by an intermediate CA; the intermediate is signed by a root CA pre-installed in browsers. If any link is missing when a browser connects, it shows a certificate error even if the leaf cert is valid. Paste multiple concatenated PEM blocks here — each decodes as a separate card.

How do I verify a certificate fingerprint using openssl?

Run openssl x509 -noout -fingerprint -sha256 -in cert.pem for SHA-256 or -sha1 for SHA-1. The output looks like SHA256 Fingerprint=AB:CD:EF:.... Compare this byte-for-byte with this tool's output to confirm you are looking at the same certificate. Fingerprint verification is used in certificate pinning, supply-chain audits, and deployment checks.

What is Key Usage vs Extended Key Usage?

Key Usage (KU) restricts what cryptographic operations the key can perform: Digital Signature, Key Encipherment, Key Agreement, Cert Sign, CRL Sign. Extended Key Usage (EKU) specifies application purposes: TLS Server Authentication, TLS Client Authentication, Code Signing, Email Protection. A typical HTTPS server cert has KU=Digital Signature + Key Encipherment and EKU=TLS Server Authentication. Key usage mismatches cause handshake failures in strict TLS clients.

What is a wildcard certificate and how can I identify one?

A wildcard cert contains a SAN starting with *. — for example *.example.com. It covers exactly one subdomain level: api.example.com and www.example.com are covered; sub.api.example.com is not. This tool highlights wildcard SANs in blue. Note that *.example.com does NOT cover the apex domain example.com itself — you need both listed as SANs.
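The wildcard rules above, and the SAN matching described earlier, as an added example that is not part of this tool's source. The names labelsOf, sanMatches and coveringSan are hypothetical, the SAN lists are constructed, and the refusal of a wildcard such as *.com is a choice made in this example.

```javascript
// Lower-case and drop a trailing root dot: DNS names compare case-insensitively.
const labelsOf = name => name.toLowerCase().replace(/\.$/, '').split('.');

// True when one dNSName SAN covers `host`. iPAddress and rfc822Name SANs are
// different GeneralName types and are out of scope for this matcher.
function sanMatches(san, host) {
  const s = labelsOf(san), h = labelsOf(host);
  if (h.some(l => l === '' || l.includes('*'))) return false;  // malformed hostname
  if (s.length !== h.length) return false;     // "*" never spans more than one label
  if (s[0] === '*') {
    // Choice made in this example: refuse a wildcard directly under a
    // top-level label, such as "*.com".
    if (s.length < 3) return false;
    return s.slice(1).every((label, i) => label === h[i + 1]);
  }
  if (s.some(l => l.includes('*'))) return false;  // partial or non-left-most wildcard
  return s.every((label, i) => label === h[i]);
}

// First SAN that covers the host, or null, so a report can say which entry matched.
function coveringSan(sans, host) {
  return sans.find(san => sanMatches(san, host)) ?? null;
}

// Constructed SAN lists using the hostnames from the text above.
const WILDCARD_ONLY = ['*.example.com'];
const WILDCARD_AND_APEX = ['example.com', '*.example.com'];
for (const host of ['api.example.com', 'sub.api.example.com', 'example.com']) {
  console.log(host, '| wildcard only:', coveringSan(WILDCARD_ONLY, host),
    '| with apex:', coveringSan(WILDCARD_AND_APEX, host));
}
```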

Why does my certificate decode differently in different tools?

Tools handle the same DER bytes but display them differently. Common causes: some show full distinguished names (CN=foo,O=Bar,C=US), others show only CN; serial numbers can be decimal or hexadecimal — same number, very different appearance; less-common extensions may show raw OID notation; certificate dates are UTC internally but tools may convert to local time. This tool always shows dates in UTC and serial numbers in hexadecimal.

Worked examples

Fetch a live server's certificate

Use openssl to download the leaf cert from any HTTPS server:

openssl s_client \
  -connect example.com:443 \
  -servername example.com \
  2>/dev/null </dev/null \
| openssl x509 -outform PEM

# Output: -----BEGIN CERTIFICATE-----
# Paste the full block into this tool.

Decode the full chain at once

Export all certificates in the chain with -showcerts:

openssl s_client \
  -connect example.com:443 \
  -servername example.com \
  -showcerts \
  2>/dev/null </dev/null \
| awk '/BEGIN CERT/,/END CERT/' \
> chain.pem

# Paste chain.pem here — each cert
# appears as a separate decoded card.

Confirm fingerprint before pinning

Cross-verify the SHA-256 fingerprint before embedding it in your app:

# Terminal:
openssl x509 -noout \
  -fingerprint -sha256 \
  -in cert.pem
# SHA256 Fingerprint=AB:CD:...

# This tool shows the same value
# under Fingerprints in each card.
# Byte-for-byte match = same cert.

About SSL certificate decoding

An SSL/TLS certificate is a data structure defined by the X.509 standard (RFC 5280). Every certificate is encoded in DER format — a binary representation of an ASN.1 (Abstract Syntax Notation One) structure. PEM is simply a text-safe wrapper: the binary DER bytes are base64-encoded and surrounded by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers. Most certificate files on Linux servers (.crt, .pem) are in PEM format.

Inside the DER encoding, a certificate is a nested sequence of fields. The outermost structure is a SEQUENCE containing three items: the TBSCertificate (the actual certificate data), the signatureAlgorithm (describing the algorithm used to sign it), and the signatureValue (the CA's digital signature). The TBSCertificate contains the version (v1, v2, or v3), serial number, issuer name, validity window, subject name, public key, and — for v3 certificates — a list of extensions.
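The PEM-to-DER steps and the three-item outer SEQUENCE described above, as an added example that is not this tool's own parser. The function names are hypothetical and the input is a constructed 27-byte skeleton with the right outer shape, not a real certificate.

```javascript
// Decode every CERTIFICATE block of a PEM bundle into DER bytes (Uint8Array).
function pemToDer(pem) {
  const re = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;
  return [...pem.matchAll(re)].map(m =>
    Uint8Array.from(atob(m[1].replace(/\s+/g, '')), c => c.charCodeAt(0)));
}

// Read one DER tag-length-value at `off`; refuse lengths that leave the buffer.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error('truncated TLV header');
  const tag = buf[off];
  let len = buf[off + 1], p = off + 2;
  if (len & 0x80) {                    // long form: low 7 bits count the length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || p + n > buf.length) throw new Error('bad DER length');
    for (len = 0; p < off + 2 + n; p++) len = len * 256 + buf[p];
  }
  if (p + len > buf.length) throw new Error('value runs past end of input');
  return { tag, start: p, end: p + len };
}

// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
function certificateParts(der) {
  const outer = readTlv(der, 0);
  if (outer.tag !== 0x30 || outer.end !== der.length) throw new Error('not one DER SEQUENCE');
  const items = [];
  for (let off = outer.start; off < outer.end; off = items[items.length - 1].end)
    items.push(readTlv(der, off));
  const tags = items.map(i => i.tag).join();
  if (tags !== '48,48,3') throw new Error('unexpected top-level tags: ' + tags);
  const [tbs, alg, sig] = items.map(i => der.subarray(i.start, i.end));
  return { tbs, alg, sig };            // contents only, without tag and length bytes
}

// Constructed sample, NOT a real certificate: 27 bytes with the correct outer shape.
const SKELETON = Uint8Array.from([
  0x30, 0x19,                                            // Certificate SEQUENCE, 25 bytes
  0x30, 0x03, 0x02, 0x01, 0x01,                          // stand-in for TBSCertificate
  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,  // signatureAlgorithm: OID
  0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,                    //   1.2.840.113549.1.1.11 + NULL
  0x03, 0x03, 0x00, 0xab, 0xcd,                          // signatureValue BIT STRING
]);
const toPem = der => '-----BEGIN CERTIFICATE-----\n' +
  btoa(String.fromCharCode(...der)) + '\n-----END CERTIFICATE-----\n';
const SAMPLE_CHAIN = toPem(SKELETON) + toPem(SKELETON);  // two blocks, like a pasted chain
for (const der of pemToDer(SAMPLE_CHAIN)) {
  const { tbs, alg, sig } = certificateParts(der);
  console.log(`tbs=${tbs.length}B alg=${alg.length}B sig=${sig.length}B`);
}
```

The length checks in readTlv are what keep a truncated or padded paste from being read past its end; a full decoder would recurse into the TBSCertificate with the same reader.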

The Subject Distinguished Name and Issuer Distinguished Name are sequences of attribute-value pairs identified by OIDs (Object Identifiers). Common attributes include CN (Common Name, OID 2.5.4.3), O (Organization, 2.5.4.10), C (Country, 2.5.4.6), and OU (Organizational Unit, 2.5.4.11). In modern TLS, the CN field is rarely used for hostname validation — Subject Alternative Names (extension OID 2.5.29.17) are what browsers actually check, as mandated by RFC 6125 and the CA/Browser Forum Baseline Requirements.

The fingerprint is computed by hashing the entire DER-encoded certificate — not just the TBSCertificate. This means two certificates with identical fields but different signatures (e.g., signed by different CAs) have different fingerprints. This tool computes both SHA-1 and SHA-256 fingerprints using the browser's built-in SubtleCrypto API — computation is fast and never sends any data over the network.

The privacy claim is literally verifiable: open DevTools (F12) → Network tab, clear the log, paste a certificate and click Decode. You will see zero outbound requests from the tool itself. All ASN.1 parsing, OID lookup, date math, and fingerprint computation run entirely in JavaScript in your browser tab. You can save this page (Ctrl+S) and run it completely offline.