NetCalc
Dark mode
NC

SSL Decoder

Paste a PEM-encoded X.509 certificate to decode its fields and properties.

Paste the full PEM block including the BEGIN and END lines.

How to use the ssl / tls certificate decoder

  1. Paste a PEM certificate including the -----BEGIN CERTIFICATE----- header.
  2. The tool pulls out the Common Name, grabs every entry in the SAN list, notes when the cert's valid from and to, checks the key size, and identifies the signature algorithm.
  3. Look for weak-key / expired / SHA-1 warning flags before deploying to production.

Frequently asked questions

How do I read an X.509 certificate by hand?

Use openssl x509 -in cert.pem -noout -text to dump everything. The most useful fields are Subject CN, Subject Alternative Name, validity dates, public-key size and signature algorithm.

Why is SHA-1 deprecated for SSL signing?

SHA-1 has demonstrated collision attacks. Browsers reject SHA-1-signed certificates issued after 2016. Always use SHA-256 or stronger.

What is the minimum recommended RSA key size in 2026?

NIST recommends 3072 bits for new RSA keys; 2048 is acceptable for short-lived certs. Anything less is considered weak.

What is a SAN and why is it required?

Subject Alternative Name lists every hostname your certificate covers. Modern browsers skip the old Common Name field entirely—only SAN entries actually matter.