PEM Certificate Decoder

Parses X.509 PEM certificates and displays the subject, issuer, validity period, SANs, and more.


What Is a PEM Certificate Decoder?

A PEM certificate decoder parses an X.509 certificate in PEM format and displays its fields in a human-readable form. This tool extracts the subject, issuer, validity period, Subject Alternative Names (SAN), signature algorithm, public key type, and basic constraints. It uses a pure JavaScript ASN.1 DER parser — no data is sent to any server.

How to Use the PEM Certificate Decoder

  1. Paste a PEM-encoded certificate (starting with -----BEGIN CERTIFICATE-----) into the input field.
  2. Click Decode Certificate to parse and display all fields.
  3. Use Load Sample to try the decoder with a built-in example.
  4. Review the subject, issuer, SANs, and validity dates in the results panel.

Features

  • Parses X.509 certificates in PEM (Base64 DER) format
  • Displays version, serial number, signature algorithm, and public key type
  • Shows subject and issuer distinguished names (DN)
  • Lists Subject Alternative Names (DNS names and IP addresses)
  • Shows validity period (Not Before / Not After)
  • Detects CA certificates via basicConstraints extension
  • 100% client-side — no server, no upload

FAQ

What is a PEM certificate?

PEM (Privacy Enhanced Mail) is a Base64-encoded format for storing cryptographic objects such as X.509 certificates, private keys, and certificate chains. PEM files are identified by header lines like -----BEGIN CERTIFICATE-----. They are the most common certificate format used by web servers (Apache, Nginx) and TLS/SSL configurations.

What is a Subject Alternative Name (SAN)?

Subject Alternative Names (SANs) are entries in an X.509 certificate extension that list the DNS names and IP addresses the certificate is valid for. Modern browsers require SANs and no longer rely on the Common Name (CN) field alone for hostname validation.

Is my certificate data sent to a server?

No. The certificate is parsed entirely in your browser using a pure JavaScript ASN.1 DER parser. No data leaves your device.

What does basicConstraints isCA mean?

The basicConstraints extension with cA=TRUE indicates the certificate is a Certificate Authority (CA) certificate — it is allowed to sign other certificates. End-entity (leaf) certificates used by websites have cA=FALSE or omit this extension.
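
The cA check described above, as an added example (not this tool's own code): a minimal DER TLV reader applied to a basicConstraints extension, rejecting truncated or indefinite-length input. The function names and hex sample inputs are constructed for illustration, and the input is the raw DER of a single Extension rather than a whole certificate.

```javascript
const fromHex = (h) => Uint8Array.from(h.match(/../g), (b) => parseInt(b, 16));
const toHex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, "0")).join("");

// Read one DER TLV at `off`; `start`/`end` delimit its value bytes within `buf`.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error("truncated TLV header");
  const tag = buf[off];
  if ((tag & 0x1f) === 0x1f) throw new Error("multi-byte tags not supported");
  let len = buf[off + 1], start = off + 2;
  if (len === 0x80) throw new Error("indefinite length is not valid DER");
  if (len > 0x80) {                        // long form: low 7 bits count the length bytes
    const n = len & 0x7f;
    if (n > 4 || start + n > buf.length) throw new Error("bad length field");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[start + i];
    start += n;
  }
  if (start + len > buf.length) throw new Error("value runs past end of input");
  return { tag, start, end: start + len };
}

// Child TLVs of a constructed element; a child may not run past its parent.
function children(buf, parent) {
  const out = [];
  for (let off = parent.start; off < parent.end; off = out[out.length - 1].end) {
    out.push(readTlv(buf.subarray(0, parent.end), off));
  }
  return out;
}

const isTrue = (buf, t) => t.tag === 0x01 && t.end - t.start === 1 && buf[t.start] === 0xff;
// Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }; null if not 2.5.29.19.
function decodeBasicConstraints(ext) {
  const top = readTlv(ext, 0);
  if (top.tag !== 0x30) throw new Error("Extension must be a SEQUENCE");
  const parts = children(ext, top);
  if (parts.length < 2 || parts[0].tag !== 0x06) throw new Error("malformed Extension");
  if (toHex(ext.subarray(parts[0].start, parts[0].end)) !== "551d13") return null;
  const critical = parts.length === 3 && isTrue(ext, parts[1]);
  const octets = parts[parts.length - 1];
  if (octets.tag !== 0x04) throw new Error("extnValue must be an OCTET STRING");
  const inner = readTlv(ext.subarray(0, octets.end), octets.start);
  if (inner.tag !== 0x30) throw new Error("BasicConstraints must be a SEQUENCE");
  const fields = children(ext, inner);
  return { critical, cA: fields.length > 0 && isTrue(ext, fields[0]) }; // cA DEFAULT FALSE
}
// Constructed sample inputs (not taken from any real certificate).
const CA_EXT = fromHex("300f0603551d130101ff040530030101ff");   // critical, cA=TRUE
const LEAF_EXT = fromHex("30090603551d1304023000");             // empty SEQUENCE: cA omitted
```

An empty BasicConstraints SEQUENCE decodes to cA false because the field defaults to FALSE, which is the "omit" case for leaf certificates.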