CSR & certificate decoder
Paste a certificate signing request or an SSL/TLS certificate to see exactly what's inside — decoded entirely in your browser, nothing is uploaded.
What does this decoder show?
A CSR or certificate is Base64-encoded ASN.1 — unreadable by eye. This decoder parses it locally and shows the fields that matter: the subject (Common Name, organization, address), Subject Alternative Names, the public key type and size, and the signature algorithm. For certificates it also shows the issuer, serial number, validity window and SHA-256 / SHA-1 fingerprints.
How to use it
- Paste the PEM. The whole block including the
-----BEGIN…-----and-----END…-----lines. CSRs and certificates are both accepted and auto-detected. - Select "Decode". Parsing happens in your browser — nothing is uploaded.
- Check the fields. For a CSR: is the Common Name exact, are OV/EV subject fields present, is the key at least RSA 2048? For a certificate: has it expired, who issued it, do the SANs cover your domains?
Common things to check before submitting a CSR
- Common Name typos — the number one reason CAs reject requests.
- Missing organization fields — OV and EV orders need O, L, ST and C in the subject.
- Key size — every public CA requires RSA 2048 or stronger.
- SAN coverage — a certificate protects exactly the names listed;
example.comandwww.example.comare different names.
Frequently asked questions
Is it safe to paste a CSR or certificate here?
Yes — decoding happens entirely in your browser; nothing you paste is sent to our servers. CSRs and certificates only contain public information anyway (never paste a private key anywhere, including here — this tool will refuse it).
What is the difference between decoding a CSR and a certificate?
A CSR is your request to a certificate authority: it holds the subject and public key you are asking to have signed. A certificate is the CA’s signed answer: it additionally carries the issuer, serial number and validity period. This tool detects which one you pasted and shows the matching fields.
Why should I decode a CSR before submitting it?
Because CAs reject malformed requests: a typo in the Common Name, a missing organization field for OV/EV, or a weak key all mean starting over. Decoding takes seconds and shows exactly what the CA will see.
What are certificate fingerprints used for?
A fingerprint is a hash of the whole certificate — a short value that uniquely identifies it. Fingerprints are used to confirm you are looking at the same certificate on both ends, for certificate pinning, and when reporting a certificate to a provider.
Related tools
- CSR generator — create a new CSR and private key in your browser
- SSL checker — inspect the certificate a live site is serving
- DNS propagation checker — watch DNS validation records spread worldwide
- DNS lookup — see all records for any domain
Never let a certificate expire again
An expired certificate takes your site down in every browser at once. We'll watch your certificates and email you well before they expire — free for your first domains.
Monitor my certificates