TLS certificate-analyzer


Free Certificate Analyzer
Inspect & Decode TLS Certificates

Paste a PEM certificate to instantly inspect subject, issuer, validity dates, Subject Alternative Names, key algorithm, and expiration status. Runs entirely in your browser.

TLS certificate guide

How to get a certificate in PEM format
From a server: openssl s_client -connect example.com:443 -showcerts < /dev/null 2>/dev/null | openssl x509
From a file: if your certificate is in DER format (.cer, .crt binary), convert with openssl x509 -inform DER -in cert.cer -out cert.pem
From a PKCS#12 bundle (.pfx, .p12): openssl pkcs12 -in bundle.pfx -clcerts -nokeys -out cert.pem
The PEM format starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

Subject Alternative Names (SANs) — why they matter
Modern browsers require SANs — the Common Name (CN) field alone is no longer trusted. SANs list every hostname the certificate is valid for. A wildcard SAN like *.example.com covers all single-level subdomains but not sub.sub.example.com. Multi-domain (SAN) certificates can include hundreds of hostnames. Let's Encrypt certificates always include SANs. If a browser shows "certificate does not match", it means the hostname is not in the SANs list.
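The matching rule described above, as an added example that is not code from this tool: it checks a hostname against a list of DNS SAN entries, with a wildcard standing for exactly one leftmost label. The function names and the sample SAN list are assumptions made for illustration, and rejecting wildcards directly under a top-level label is a simplification of the public-suffix checks browsers apply.

```javascript
// Added example (not part of the analyzer): DNS SAN matching, RFC 6125 style.
// matchesSan and hostnameCovered are hypothetical helper names.
// IP-address SANs are matched differently and are not handled here.

function normalize(name) {
  // DNS names compare case-insensitively; drop a trailing root dot.
  return name.toLowerCase().replace(/\.$/, "");
}

function matchesSan(hostname, san) {
  const host = normalize(hostname).split(".");
  const pattern = normalize(san).split(".");
  // A wildcard stands for exactly one label, so the label counts must be equal.
  // This is why *.example.com covers neither example.com nor sub.sub.example.com.
  if (host.length !== pattern.length) return false;
  if (host.some((label) => label === "")) return false;
  return pattern.every((label, i) => {
    if (label === "*") {
      // Wildcard only as the whole leftmost label, and never as "*.com".
      return i === 0 && pattern.length >= 3;
    }
    // Partial wildcards such as "w*.example.com" are rejected in this sketch.
    if (label.includes("*")) return false;
    return label === host[i];
  });
}

function hostnameCovered(hostname, sans) {
  // The Common Name is deliberately not consulted: only SAN entries count.
  return sans.some((san) => matchesSan(hostname, san));
}

// Constructed SAN list for illustration.
const sampleSans = ["example.com", "*.example.com"];
for (const h of ["example.com", "www.example.com", "sub.sub.example.com", "example.org"]) {
  console.log(h, hostnameCovered(h, sampleSans) ? "covered" : "NOT covered");
}
```

A certificate that lists only *.example.com does not cover the bare example.com, which is why both entries usually appear together.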

Certificate chain — why a valid cert can still fail
A TLS handshake requires the full chain: your end-entity certificate + all intermediate CA certificates up to a trusted root. If intermediates are missing, some clients (curl, older Android) fail with "certificate verify failed". Check the chain with openssl s_client -connect example.com:443 -showcerts — you should see multiple certificates. Use openssl verify -CAfile chain.pem cert.pem to validate the full chain locally.

FAQ — certificate analyzer
Paste the PEM in the tool above for instant browser-based analysis. From the command line: openssl x509 -in cert.pem -text -noout shows all fields. To inspect a live server: openssl s_client -connect example.com:443 < /dev/null | openssl x509 -text -noout. For a quick expiry check: openssl s_client -connect example.com:443 < /dev/null 2>/dev/null | openssl x509 -noout -dates.
PEM (Privacy Enhanced Mail) is the most common certificate encoding format. It's base64-encoded DER with header/footer lines: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. PEM files can contain a single certificate or a full chain (multiple BEGIN/END blocks). Used by Apache, Nginx, Let's Encrypt, and most modern web servers. Alternative formats: DER (binary), PKCS#12/PFX (includes private key), PKCS#7/P7B (chain without private key).
Four checks: (1) Expiry — not before and not after dates must include today. (2) Hostname match — the domain must be in SANs or match the wildcard. (3) Chain of trust — must chain to a root CA trusted by the browser/OS. (4) Revocation — certificate must not be revoked (OCSP/CRL). This tool checks expiry and shows all fields for manual verification. Use openssl verify or SSL Labs (ssllabs.com/ssltest) for full chain and revocation checks.
SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security). SSL 2.0 and 3.0 are deprecated and insecure. TLS 1.0 and 1.1 were deprecated in 2021 (RFC 8996). Modern servers should use TLS 1.2 or TLS 1.3. Despite "SSL certificates" being the common term, all modern certificates use TLS. The certificate format (X.509) is the same for both. TLS 1.3 is faster (1-RTT handshake) and more secure than TLS 1.2.