SSL Certificate Decoder

Frequently Asked Questions

What information is stored in an SSL/TLS certificate?

An X.509 certificate contains: the subject (domain/organization it was issued to), the issuer (Certificate Authority that signed it), the validity period (not before / not after dates), the public key and algorithm, Subject Alternative Names (SANs — additional domains covered), key usage extensions, and a digital signature from the CA.

What is PEM format and how do I get my certificate in PEM format?

PEM (Privacy Enhanced Mail) is the most common certificate encoding format — a base64-encoded DER certificate wrapped between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers. You can export PEM from most servers: nginx and Apache store certs as PEM files. Use openssl x509 -in cert.der -inform DER -out cert.pem to convert from DER format.

How do I check if an SSL certificate is expired?

Paste the PEM certificate into this decoder to see the "Not After" (expiry) date highlighted. From the command line: openssl x509 -enddate -noout -in cert.pem. Or for a live server: echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate.

What are Subject Alternative Names (SANs)?

SANs are additional domain names covered by a single certificate. Modern certificates must list all covered domains in the SAN extension — browsers no longer use the Common Name (CN) for hostname verification. A wildcard SAN like *.example.com covers all immediate subdomains (api.example.com, www.example.com) but not nested ones (a.b.example.com).

What is the difference between DV, OV, and EV certificates?

DV (Domain Validated) — the CA verifies only that you control the domain. Fast and cheap, used for most websites. OV (Organization Validated) — the CA also verifies your organization identity. EV (Extended Validation) — the highest level, requiring thorough legal and operational vetting. All three use the same encryption strength — they differ only in identity verification.