How to Decode an SSL Certificate or CSR
Updated 2026-06-21
To decode an SSL certificate, paste its PEM block — the text starting with the BEGIN CERTIFICATE line — into a decoder, and it parses the X.509 structure into readable fields: who it's for, who issued it, which hostnames it covers, and when it expires. A certificate signing request (CSR) decodes the same way and shows what you asked a certificate authority to sign. The Certificate & CSR Decoder does this entirely in your browser, so the file is never uploaded.
What a PEM certificate actually contains
A certificate looks like a wall of Base64 between BEGIN and END markers, but inside it is a structured X.509 record. Decoding turns that opaque block into the fields that matter:
- Subject — the entity the certificate identifies, including the Common Name (CN), and often the organization and country.
- Issuer — the certificate authority that signed it. For a self-signed cert, the issuer equals the subject.
- Subject Alternative Names (SANs) — the real list of hostnames and IPs the certificate is valid for. Modern browsers check SANs, not the CN, so this is the field to inspect when a site throws a name-mismatch error.
- Validity — the not-before and not-after dates that bound when the cert is trusted.
- Serial number and the signature algorithm used to sign it.
Decode a certificate step by step
- Open the Certificate & CSR Decoder.
- Paste the full PEM block, including the BEGIN CERTIFICATE and END CERTIFICATE lines.
- Read the parsed panel: subject, issuer, the SAN list, and the validity window.
- Check the expiry date against today — an expired cert is the single most common cause of browser trust warnings.
If you only have a binary DER file, it's the same data without the Base64 wrapper; convert it to PEM first, or paste the PEM you exported from your server. To grab a live site's certificate as PEM, click the padlock in your browser, view the certificate, and use its export option.
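The DER-to-PEM conversion described above, with a length check that flags a paste that lost lines. This is an added example, not the Certificate & CSR Decoder's own code; it assumes Node.js (`Buffer`), and the sample bytes are a constructed placeholder rather than a real certificate.

```javascript
// Added example: PEM <-> DER conversion with a structural sanity check.
// Uses Node's Buffer; in a browser, atob/btoa would do the Base64 step.

function derToPem(der, label = 'CERTIFICATE') {
  const b64 = Buffer.from(der).toString('base64');
  const lines = b64.match(/.{1,64}/g) || [];           // PEM wraps Base64 at 64 chars
  return [`-----BEGIN ${label}-----`, ...lines, `-----END ${label}-----`].join('\n') + '\n';
}

function pemToDer(pem) {
  // The END label must match the BEGIN label (CERTIFICATE, CERTIFICATE REQUEST, ...).
  const m = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/.exec(pem);
  if (!m) throw new Error('missing or mismatched BEGIN/END lines');
  const body = m[2].replace(/\s+/g, '');
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(body)) throw new Error('non-Base64 characters in body');
  return { label: m[1], der: Buffer.from(body, 'base64') };
}

// A certificate or CSR is one DER SEQUENCE: tag 0x30, a length, then exactly
// that many content bytes. Comparing the declared length with the actual
// length catches a block that was cut short or has extra bytes appended.
function checkDer(der) {
  if (der.length < 2 || der[0] !== 0x30) return 'not a SEQUENCE';
  let len = der[1];
  let header = 2;
  if (len & 0x80) {                                     // long form: low 7 bits = count of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || der.length < 2 + n) return 'bad length';
    len = der.readUIntBE(2, n);
    header += n;
  }
  if (der.length < header + len) return 'truncated';
  if (der.length > header + len) return 'trailing data';
  return 'ok';
}

// Constructed sample, NOT a real certificate: a SEQUENCE of 100 NULLs (203 bytes).
const sampleDer = Buffer.concat([
  Buffer.from([0x30, 0x81, 0xc8]),
  Buffer.from('0500'.repeat(100), 'hex'),
]);
const samplePem = derToPem(sampleDer);
console.log(samplePem + checkDer(pemToDer(samplePem).der));
```

A block that passes this check is only structurally complete; reading the subject, SANs and validity still requires a full X.509 parser.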
Decoding a CSR before you submit it
A CSR is what you generate and hand to a certificate authority. Decoding it before submission catches mistakes that are expensive to fix after issuance:
- Verify the CN and SANs — make sure every hostname you intend to secure is present and spelled correctly. A missing SAN means a reissue.
- Confirm the organization details — for OV and EV certificates, the O, OU, and country fields must match your validated records exactly.
- Check the public key — confirm the key size and algorithm are what your policy requires.
A CSR contains your public key and subject details, but never your private key, so it is safe to inspect and share. The private key stays on your server.
Why decode it locally
Certificates and CSRs are not secret in the way a private key is, but they reveal your internal hostnames, infrastructure naming, and organizational details. Pasting them into a random server-side tool leaks that map needlessly. The Certificate & CSR Decoder parses everything in the page using your browser — no upload, no signup, no logging — so even production certificates are safe to inspect.
Have a PEM block to read? Paste it into the Certificate & CSR Decoder and see exactly what's inside in seconds.