
How to Decode an SSL/TLS Certificate: X.509 Fields Explained

Learn to decode PEM-encoded SSL certificates and understand every field — issuer, subject, validity period, SANs, public key, fingerprint, and certificate chain.

ToolsVito Team

What a PEM Certificate Looks Like

SSL/TLS certificates are most commonly shared in PEM (Privacy-Enhanced Mail) format — Base64-encoded DER data wrapped between header and footer lines:

-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQzP2lVxIyX8xR...
-----END CERTIFICATE-----

The Base64 blob decodes to a binary certificate in DER (Distinguished Encoding Rules) format — an X.509 structure defined by the ITU-T standard. Every field has a specific ASN.1 tag and meaning.

Core Certificate Fields

  • Subject: The entity the certificate was issued to. Can be a domain name (CN = example.com), an organization (O = Example Corp), or both.
  • Issuer: The Certificate Authority (CA) that signed this certificate — e.g., Let's Encrypt (R3), DigiCert, or Sectigo.
  • Validity: Not Before and Not After dates. Browsers reject certificates outside this window. Let's Encrypt certificates are valid for 90 days; commercial CAs typically issue 1-year certificates.
  • Serial Number: Identifier assigned by the CA, unique among the certificates that CA issues. Used in CRLs (Certificate Revocation Lists) to mark revoked certificates.
  • Public Key: The RSA or ECC public key for this certificate. RSA keys are typically 2048 or 4096 bits; ECC keys use curves like P-256.
  • Signature Algorithm: The algorithm the CA used to sign this certificate — e.g., SHA-256 with RSA Encryption.

SANs: Subject Alternative Names

A certificate covers the specific domain names listed in its SAN extension. A single certificate can cover multiple domains (SAN certificate) or wildcards (*.example.com). A wildcard matches exactly one label: *.example.com covers www.example.com, but not example.com itself or a.b.example.com. The Common Name (CN) field is largely ignored by modern browsers — they check SANs, not CN. Always verify the SAN list covers every domain and subdomain you need.

Fingerprints

A certificate's fingerprint is the hash of its DER-encoded content — a unique, compact identifier. It is not a field stored inside the certificate; tools compute it over the complete DER encoding, signature included. SHA-256 fingerprints are standard today. You can verify you have the correct certificate by comparing the fingerprint to what the CA publishes.

The Certificate Chain

Browsers don't trust individual certificates — they trust the chain ending at a root CA. A typical chain: Leaf certificate → Intermediate CA → Root CA. The root is embedded in browser trust stores; intermediates are served alongside the leaf. If any link in the chain is missing (incomplete chain), some clients — especially mobile browsers and non-browser TLS clients — will reject the connection.

Decode Any Certificate Instantly

Paste a PEM certificate into ToolsVito's SSL Certificate Decoder to see every field — subject, issuer, validity dates, SANs, public key details, fingerprint, and signature — formatted in a readable tree. All decoded in your browser.
