What's inside a certificate
An X.509 certificate is a signed statement binding a public key to a set of names for a period of time. This decoder parses the DER structure inside the PEM wrapper and surfaces the fields that answer real questions: who it's for (subject and, more importantly, the Subject Alternative Names, browsers ignore the CN and match only SANs), who vouches for it (issuer), when it stops working, and what key and signature algorithm it uses.
The checks that matter on-call
When TLS breaks, three fields explain most incidents. Expiry, the status row does the date math and flags anything inside 30 days. SAN coverage, "certificate name mismatch" errors mean the hostname being requested isn't in the SAN list; a cert for example.com does not cover www.example.com unless both are listed (or a wildcard matches, and *.example.com covers exactly one label: not the bare domain, not a.b.example.com). Issuer chain, if the issuer shown here isn't a CA your clients trust, the server is probably serving the leaf without its intermediate certificate; browsers often paper over that, while curl, Java and monitoring probes do not.
Getting a cert to paste
From a live server: openssl s_client -connect host:443 -servername host </dev/null | openssl x509, the -servername matters, or SNI-based hosts hand you the wrong (often default/self-signed) certificate, which is itself a useful diagnostic. From disk, any .crt/.pem file works. Certificates are public by design (only the private key is secret) but this parser runs locally regardless, consistent with everything else on this site.