Is my certificate uploaded anywhere?

No. All parsing happens in your browser using a JavaScript ASN.1 decoder. The PEM text never leaves your machine, so it is safe to inspect internal or production certificates.

What is the difference between the subject CN and the SANs?

Modern browsers ignore the subject Common Name for hostname matching and use only the Subject Alternative Names. A certificate must list every hostname it should serve in the SAN extension, so the SAN list is what actually matters for validation.

Why does it say the certificate is expired?

The tool compares the notAfter date in the validity field against your computer's current clock. If notAfter is in the past the certificate is expired and browsers will reject it. Check that your system clock is correct if the result looks wrong.

Can it decode a private key or a CSR?

No. This tool only decodes X.509 certificates that begin with BEGIN CERTIFICATE. Private keys and certificate signing requests use different ASN.1 structures and are not parsed here.

Does it verify the certificate chain or signature?

No. It decodes and displays the certificate fields but does not cryptographically verify the signature or build a trust chain to a root CA. Use it for inspection, not for trust decisions.

TLS Certificate Decoder (PEM)

A TLS certificate is a compact binary record that proves a server’s identity. Reading it usually means reaching for openssl x509 -text, but that requires the binary installed and a temp file. This tool decodes a PEM certificate directly in your browser so you can quickly check who it was issued to, when it expires, and which hostnames it covers.

How it works

A PEM certificate is just base64-encoded DER (Distinguished Encoding Rules) wrapped in armor lines. The tool strips the BEGIN/END CERTIFICATE markers, base64-decodes the body to raw bytes, then walks the ASN.1 tag-length-value tree:

The outer SEQUENCE holds tbsCertificate, the signature algorithm, and the signature value.
Inside tbsCertificate it reads the serial number, signature OID, issuer name, validity window, subject name, and the subject public-key info.
Each name is an RDNSequence — a list of attribute-type-and-value pairs whose OIDs map to short labels like CN, O, and C.
The validity dates are decoded from UTCTime or GeneralizedTime and compared against your clock to compute days remaining.
For RSA keys the modulus length gives the key size in bits; for EC keys the named-curve OID gives the curve.
The extensions block is scanned for subjectAltName (OID 2.5.29.17) and basicConstraints (OID 2.5.29.19) to list SANs and report the CA flag.

Example

Paste a server certificate and you will typically see a subject like CN=example.com, O=Example Ltd, C=GB, a signature algorithm of SHA256withRSA, a 2048 bit RSA key, and a SAN list containing DNS:example.com and DNS:www.example.com. If the validity window has passed, the tool flags the certificate as EXPIRED.

Notes and limitations

This is an inspection tool. It decodes fields but does not verify signatures or build a trust chain to a root.
It handles the common RSA and ECDSA certificates you meet in practice. Exotic extensions beyond SAN and Basic Constraints are not displayed.
Only BEGIN CERTIFICATE blocks are supported. Private keys and CSRs use different structures and are not parsed.