Skip to content
Marvin's Toolbox.

Search tools

Type to filter all tools

X.509 Certificate Decoder

Paste a PEM certificate to see its subject, issuer, validity dates, subject alternative names, key details, fingerprints and extensions in plain view.

Everything runs locally in your browser. Your data never leaves your device.

Accepts one or more PEM blocks (a full chain), a PKCS#10 CSR, or bare base64 or hex DER.

Nothing decoded yet
Paste a PEM certificate above, or use the example chain, to see its subject, issuer, validity, SANs, key details and fingerprints.

About the X.509 Certificate Decoder

This tool decodes an X.509 certificate and shows every field in plain view: subject and issuer with each attribute spelled out, the validity window with a clear valid or expired verdict and the days remaining, subject alternative names, serial number, public key details, key usages, basic constraints and the SHA-256 and SHA-1 fingerprints.

Paste a single certificate, a whole chain or a PKCS#10 certificate request. A chain decodes into one card per certificate in order, so you can follow a leaf up to its root. Base64 or hex DER without the PEM armor works too, and every value has its own copy button.

What you can do

  • Decode a PEM certificate and read its subject, issuer and validity dates.
  • Check when an SSL/TLS certificate expires and how many days are left.
  • List a certificate's subject alternative names (DNS, IP, email and URI).
  • Get a certificate's SHA-256 and SHA-1 fingerprints.
  • Decode a full certificate chain into one readable card per certificate.
  • Inspect a CSR before sending it to a certificate authority.
  • See key usages, extended key usages and whether a certificate is a CA.

How to use the X.509 Certificate Decoder

  1. 1Paste the certificate, chain or CSR. The example chain gives you something to explore.
  2. 2Read the status card for a quick valid, expired or not yet valid verdict.
  3. 3Check subject, issuer, SANs and key details, and copy any value with its copy button.
  4. 4Grab the SHA-256 fingerprint when you need to pin or compare a certificate.

What gets decoded

Each certificate shows its subject and issuer with every attribute labeled (common name, organization, country and so on), the notBefore and notAfter dates in UTC and local time, all subject alternative names, the serial number, the X.509 version, the public key (RSA modulus size and exponent, or the EC curve), the signature algorithm, key usages, extended key usages, basic constraints and the subject and authority key identifiers. Extensions the tool has no dedicated field for are listed by name and OID, with critical ones flagged.

PKCS#10 certificate requests decode too: the requested subject, key details and requested subject alternative names, plus a check that the request's own signature verifies.

Accepted formats and honest limits

The input can hold several PEM blocks at once, so pasting a fullchain.pem just works. Private key blocks mixed into the file are ignored, never decoded. Without PEM armor the tool also accepts a certificate's raw DER as base64 or hex.

The tool reads certificates, it does not validate chains. It tells you whether a certificate is expired and what it claims about itself, but it does not verify signatures against issuers, check revocation or build a trust path.

Verify a checksum online: drop a file, paste the expected checksum and see instantly whether they match. The hash type is detected from the checksum itself, covering MD5, SHA-1, SHA-256, SHA-512, BLAKE3, CRC-32 and more, and sha256sum lines or whole checksum files can be pasted as-is.

Hash text or a file with MD5, SHA-1, SHA-256, SHA-512, SHA-3, BLAKE2, BLAKE3, CRC32 and more, all computed live as you type. Compare against an expected checksum and copy any digest.

Paste a JSON Web Token to see its header and payload as formatted JSON, with the token color coded so each part maps to its output. Explains the registered claims, shows expiry as readable dates, flags expired tokens and can verify the signature with a secret or public key.

Decode Base64 to text or encode text to Base64. Paste into the top box, read the result below, and flip the direction with one click. Handles Unicode correctly, reads URL-safe Base64, and shows binary payloads as a hex dump you can download.

See what your clipboard really holds. One press lists every format on it, from plain text and HTML to Excel tables and images, each with its type, size and a preview. Pasting works too, and can reveal even more formats.

Format code in JavaScript, TypeScript, JSON, JSON5, HTML, Vue, CSS, SCSS, LESS, Markdown, YAML, GraphQL, XML and SQL. Pick tabs or spaces, set the indent width, and format the input in place with one click.