Decode any PEM formatted X.509 certificate by pasting its content in the following text field and clicking the Decode button. You can also decode multiple certificates or certificate chains at once.

Certificate information will never leave your browser. Decoding happens using client-side JavaScript.

What is an X.509 certificate?

An X.509 certificate is an electronic document that proves the ownership of a cryptographic public key. The certificate includes information about the key, its owner (subject), issuer, and the digital signature of the issuer that verifies the content of the certificate. If the certificate signature is valid and the software trusts the issuer, then the public key can be used to communicate securely with the certificate subject. The most common format for a certificate is defined in the X.509 standard and further detailed in RFC 5280.

How are certificates issued?

In a public key infrastructure (PKI), a certificate is issued by a certificate authority (CA), which is usually a company that charges its customers for issuing certificates. Certificates can also be issued by individuals in a web of trust scheme.

What are the uses of a certificate?

A certificate can be used for Transport Layer Security (TLS) over HTTPS, email encryption, code signing, digital signatures and other purposes. A certificate can have one or more purposes.

What is the structure of a certificate?

The structure of an X.509 certificate is as follows:

Note: Thumbprints are not part of the encoded certificate. They are generated by calculating the hash of the encoded certificate.

Following is the description of each field:

How is a certificate encoded?

An X.509 certificate is a data structure in binary form encoded in Abstract Syntax Notation One (ASN.1) based on Distinguished Encoding Rules (DER). ASN.1 defines the serialization format for each of the fields within a certificate while DER defines the structure of these fields. DER is specified in the ITU-T X.690 standard.

A certificate can be either distributed in its raw binary form or further encapsulated into a Privacy-Enhanced Mail (PEM) file which includes the base64 encoding of the DER binary message preceded by "-----BEGIN CERTIFICATE-----" and followed by "-----END CERTIFICATE-----". The PEM file is usually stored with .pem, .cer or .crt file extensions.

The PEM file may contain multiple certificates. For example, an operating system might provide a file containing the list of trusted CA certificates, or a web server might be configured with a certificate chain file that contains the end-entity certificate plus the list of intermediate certificates.
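
The PEM handling described above, as an added Node.js example (not this decoder's own code): it splits a bundle into its certificate blocks, base64-decodes each to DER, checks that the outer DER SEQUENCE length matches the decoded size, and computes the SHA-256 thumbprint over the DER bytes. The function names are hypothetical, and the sample blocks are constructed five- and six-byte DER SEQUENCEs standing in for real certificates.

```javascript
// Added example: split a PEM bundle, decode each block to DER, fingerprint it.
const { createHash } = require("crypto");

const PEM_RE = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;

// Returns the total encoded length (header + content) claimed by the outer
// DER element, or null if it is not a definite-length SEQUENCE.
function derOuterLength(der) {
  if (der.length < 2 || der[0] !== 0x30) return null; // 0x30 = SEQUENCE tag
  const first = der[1];
  if (first < 0x80) return 2 + first; // short form: length fits in one byte
  const n = first & 0x7f; // long form: n length bytes follow
  if (n === 0 || n > 4 || der.length < 2 + n) return null; // 0x80 (indefinite) is not DER
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
  return 2 + n + len;
}

// Returns one record per BEGIN/END CERTIFICATE block found in the text.
function parsePemBundle(text) {
  const out = [];
  for (const m of text.matchAll(PEM_RE)) {
    const b64 = m[1].replace(/\s+/g, ""); // PEM bodies are line-wrapped
    const validB64 = /^[A-Za-z0-9+/]+={0,2}$/.test(b64) && b64.length % 4 === 0;
    const der = validB64 ? Buffer.from(b64, "base64") : Buffer.alloc(0);
    out.push({
      der,
      // Truncated blocks and blocks with trailing bytes fail this check.
      wellFormed: validB64 && derOuterLength(der) === der.length,
      // Thumbprint: hash of the encoded (DER) bytes, not of the PEM text.
      sha256: createHash("sha256").update(der).digest("hex"),
    });
  }
  return out;
}

// Constructed sample input: tiny DER SEQUENCEs, not real certificates.
const wrap = (bytes) =>
  "-----BEGIN CERTIFICATE-----\n" + Buffer.from(bytes).toString("base64") +
  "\n-----END CERTIFICATE-----\n";
const SAMPLE_GOOD = [0x30, 0x03, 0x02, 0x01, 0x05]; // SEQUENCE { INTEGER 5 }
const SAMPLE_TRAILING = [0x30, 0x03, 0x02, 0x01, 0x05, 0x00]; // one extra byte
const SAMPLE_BUNDLE = wrap(SAMPLE_GOOD) + wrap(SAMPLE_TRAILING);

for (const c of parsePemBundle(SAMPLE_BUNDLE)) {
  console.log(c.der.length, c.wellFormed, c.sha256);
}
```

Because the thumbprint is taken over the DER bytes, the same certificate yields the same value regardless of how its PEM text is line-wrapped.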