SSL Certificate Decoder

Paste a PEM-encoded certificate to decode its contents. View subject, issuer, validity dates, Subject Alternative Names, key information, fingerprints, and expiry status.

Understanding SSL/TLS Certificates

SSL/TLS certificates are digital documents that bind a cryptographic key pair to an identity. They serve two essential functions: authenticating the identity of a server (proving that you are connected to the real example.com, not an impersonator) and enabling encrypted communication between the client and server. Every HTTPS connection relies on a certificate. When your browser shows the padlock icon, it means a valid, trusted certificate was presented and the connection is encrypted.

Certificates follow the X.509 standard and are typically encoded in PEM format, which is a Base64 representation of the binary ASN.1 DER encoding. A PEM certificate is a text file that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. Between these markers is the Base64-encoded certificate data. This tool decodes that data and displays the certificate fields in a readable format, including the subject, issuer, validity period, key information, and extensions.

Certificate Chain of Trust

Certificates operate within a chain of trust. At the top are root Certificate Authorities (CAs), whose certificates are pre-installed in operating systems and browsers. Root CAs sign intermediate CA certificates, which in turn sign the leaf certificates used by websites. When your browser receives a server certificate, it builds and verifies this chain back to a trusted root. If any link in the chain is missing, expired, or invalid, the browser shows a security warning. Self-signed certificates have no chain because they signed themselves, which is why browsers do not trust them by default.

How Certificates Are Issued

To obtain a certificate, a server administrator generates a key pair and a Certificate Signing Request (CSR). The CSR contains the public key and the identity information (domain name, organization). This is submitted to a Certificate Authority, which verifies the identity through domain validation (proving domain ownership via DNS or HTTP challenges), organization validation (verifying the legal entity), or extended validation (thorough vetting of the organization). After verification, the CA signs the certificate with its private key and returns it. Free CAs like Let's Encrypt have made domain-validated certificates accessible to everyone.

Key Certificate Fields Explained

The Subject identifies the certificate holder, typically including the Common Name (CN) which is the domain name. The Issuer identifies the CA that signed the certificate. The Validity Period (Not Before / Not After) defines when the certificate is valid. Subject Alternative Names (SANs) list all domains the certificate covers, and modern browsers use SANs instead of CN for domain matching. The Serial Number uniquely identifies the certificate within the CA's records. The Signature Algorithm specifies how the CA signed the certificate (typically SHA-256 with RSA). Fingerprints are hash digests of the entire certificate used for identification and pinning.
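
The PEM unwrapping and the serial number, validity and fingerprint fields described above can be read with nothing but the Python standard library. The following is an added example, not this tool's own code: it walks the DER structure by hand, which goes slightly beyond the text. The function names are illustrative and the sample input is a constructed, unsigned skeleton rather than a real certificate.

```python
import base64, hashlib, re
from datetime import datetime, timezone

def pem_to_der(pem):  # strip the PEM armor, Base64-decode the body into DER bytes
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf, pos=0):  # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed value into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280 reads YY >= 50 as 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def decode_certificate(pem, now):
    der = pem_to_der(pem)
    tbs = children(children(read_tlv(der)[1])[0][1])  # Certificate -> tbsCertificate
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip the optional [0] version
    not_before, not_after = (parse_time(t, v) for t, v in children(tbs[3][1]))
    status = "not yet valid" if now < not_before else "expired" if now > not_after else "valid"
    return {"serial": tbs[0][1].hex(), "not_before": not_before, "not_after": not_after,
            "sha256": hashlib.sha256(der).hexdigest(), "status": status}

# Constructed sample: an unsigned skeleton with empty names, key and signature.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length suffices here
_validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
_tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x10\x01") + _tlv(0x30, b"")
            + _tlv(0x30, b"") + _validity + _tlv(0x30, b"") + _tlv(0x30, b""))
SAMPLE_DER = _tlv(0x30, _tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
```

The fingerprint is computed over the DER bytes, so re-wrapping the PEM text or changing its line endings does not change it.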

Why Certificates Expire

Certificate expiration serves multiple security purposes. It limits the exposure window if a private key is compromised, since clients stop accepting the certificate for the stolen key once it expires. It forces organizations to periodically verify their identity with the CA. It enables the ecosystem to adopt stronger cryptographic algorithms over time by preventing indefinite use of older standards. The industry has steadily shortened maximum certificate lifetimes: from five years, to three, to two, and now 398 days. Automation through the ACME protocol (used by Let's Encrypt) and clients such as certbot makes frequent renewals practical.

Certificate Types: DV, OV, and EV

Domain Validation (DV) certificates verify only that the applicant controls the domain. They are issued in minutes, often for free, and are sufficient for most websites. Organization Validation (OV) certificates additionally verify the legal identity of the organization, requiring documentation. Extended Validation (EV) certificates involve the most rigorous vetting, including legal existence, physical address, and operational status checks. All three types provide the same encryption strength. The difference lies in identity assurance: DV proves domain ownership, OV proves organizational identity, and EV provides the highest level of trust verification.

Frequently Asked Questions

What is a PEM-encoded certificate?

A Base64-encoded X.509 certificate wrapped between BEGIN and END CERTIFICATE markers. The most common certificate format, readable in any text editor.

What are Subject Alternative Names?

A certificate extension listing additional domains and IPs the certificate covers. Modern browsers use SANs instead of the Common Name for domain validation.

What does self-signed mean?

A certificate where the issuer and subject are the same. Not trusted by browsers by default because there is no third-party CA verification.

Why do certificates expire?

To limit compromise exposure, force identity reverification, and enable adoption of stronger cryptography. Maximum validity is currently 398 days.

What is the difference between DV, OV, and EV certificates?

DV verifies domain ownership. OV additionally verifies the organization. EV requires the most thorough vetting. All provide the same encryption strength.
