How do I read an X.509 certificate by hand?
Use openssl x509 -in cert.pem -noout -text to print every field in human-readable form. The most useful fields are Subject CN, Subject Alternative Name, validity dates, public-key size and signature algorithm.
Why is SHA-1 deprecated for SSL signing?
Collision attacks against SHA-1 have been demonstrated. Browsers reject SHA-1-signed certificates issued after 2016. Always use SHA-256 or stronger.
What is the minimum recommended RSA key size in 2026?
NIST recommends 3072 bits for new RSA keys; 2048 is acceptable for short-lived certs. Anything less is considered weak.
What is a SAN and why is it required?
Subject Alternative Name lists every hostname the certificate is valid for. Modern browsers ignore the legacy Common Name field — only SAN entries count.