ops@toolbox:~$ sslcertificatedecoder --run

SSL Certificate Decoder

Paste a PEM certificate and see subject, SANs, validity, issuer and key details.

Subject
SANs
Issuer
Valid from
Valid until
Status
Serial
Signature algorithm
Public key

Certificates are public data, but parsing happens locally anyway. To fetch a live server's cert: openssl s_client -connect host:443 -servername host </dev/null | openssl x509

What's inside a certificate

An X.509 certificate is a signed statement binding a public key to a set of names for a period of time. This decoder parses the DER structure inside the PEM wrapper and surfaces the fields that answer real questions: who it's for (subject and, more importantly, the Subject Alternative Names, browsers ignore the CN and match only SANs), who vouches for it (issuer), when it stops working, and what key and signature algorithm it uses.

The checks that matter on-call

When TLS breaks, three fields explain most incidents. Expiry, the status row does the date math and flags anything inside 30 days. SAN coverage, "certificate name mismatch" errors mean the hostname being requested isn't in the SAN list; a cert for example.com does not cover www.example.com unless both are listed (or a wildcard matches, and *.example.com covers exactly one label: not the bare domain, not a.b.example.com). Issuer chain, if the issuer shown here isn't a CA your clients trust, the server is probably serving the leaf without its intermediate certificate; browsers often paper over that, while curl, Java and monitoring probes do not.

Getting a cert to paste

From a live server: openssl s_client -connect host:443 -servername host </dev/null | openssl x509, the -servername matters, or SNI-based hosts hand you the wrong (often default/self-signed) certificate, which is itself a useful diagnostic. From disk, any .crt/.pem file works. Certificates are public by design (only the private key is secret) but this parser runs locally regardless, consistent with everything else on this site.

Related tools

Password Generator
Cryptographically secure passwords and passphrases, generated locally in your browser.
Hash Generator
MD5, SHA-1, SHA-256, SHA-384 and SHA-512 checksums of any text, computed locally.
JWT Decoder
Decode JSON Web Tokens locally: header, payload, expiry check and human-readable claims.
htpasswd Generator
Generate bcrypt htpasswd entries for Apache and nginx basic auth, locally.