Decode X.509 Certificate PEM — Expiry & Fingerprint
Decode PEM or DER X.509 certificates: subject, issuer, SANs, expiry, fingerprints. Multi-PEM supported. Not a trust store or TLS verifier.
Developer notes
• Order: private key only → error; CERT blocks → decoded; else try DER/base64. • CERT + PRIVATE KEY → certs decoded + warning (key ignored). • Fingerprint = digest of full certificate DER. • No chain / trust-root validation. • 512 KB limit.
Options
When teams pick this route
• Check leaf PEM expiry before deploy. • Compare SHA-256 fingerprints with a ticket. • Read SANs from a staging certificate.
Worked examples
Leaf PEM → JSON summary
Before
After (summary)
Private key only → error
Before
After (summary)
Related security tools
Inspect JWKS via inspect-jwks. Hub: security tools.
Decode certificate FAQ
Local PEM / X.509
Does this tool validate the TLS chain / trust roots?
No. This tool decodes fields; it does not validate the chain against trust roots and does not prove TLS trustworthiness.
When should I use jwt-decode?
jwt-decode is for JWT tokens. For PEM certificates use this tool; for JWK/JWKS use inspect-jwks.
What about private keys?
A private key alone is rejected. Mixed with CERT blocks, certificates are decoded and the key is ignored (never shown).
Size limit?
512 KB per paste.
More security tools in this cluster
Looking for converters, encoders, formatters, and minifiers in one place? Developer tools hub Open the curated developer tools catalogue.