SSL / X.509 Certificate Parser
Paste a PEM certificate to instantly inspect all fields: subject, issuer, SANs, validity, key algorithm, and fingerprint.
About X.509 Certificates
X.509 is the standard format for public key certificates used in TLS/SSL, S/MIME, and code signing. Certificates are encoded in DER (binary) or PEM (Base64-wrapped DER) format. PEM is the most common form you'll encounter — it's what you copy from Let's Encrypt, DigiCert, or openssl output.
Subject Alternative Names (SANs) list all hostnames a certificate covers. Since 2017, browsers require SANs — the CN field is ignored for hostname matching. Wildcard certs cover one subdomain level (e.g., *.example.com). Multi-domain (SAN) certs list multiple explicit hostnames.
To check certificate expiry in production: openssl s_client -connect example.com:443 | openssl x509 -noout -dates. The SHA-256 fingerprint is a reliable way to verify a specific certificate — two identical fingerprints guarantee the same cert.
Certificate text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers
PEM armor stripped, remaining Base64 content decoded to raw DER binary bytes
DER is a binary encoding of ASN.1 — recursively decoded into TBSCertificate, algorithm, and signature
Subject (CN, O, C, OU), Subject Alternative Names (SANs), validity period, issuer, serial, public key
SHA-256 of the raw DER bytes — a unique identifier for the certificate (shown in browser cert viewers)
Spec: RFC 5280 (X.509 v3), ITU-T X.690 (DER encoding), RFC 2459 (extensions)