What's Inside an SSL Certificate? How to Read Any Certificate with a Certificate Decoder

At first glance, an SSL/TLS certificate looks like an unreadable block of text. But inside it, your domain name, the issuer, the validity period and much more are recorded in a well-defined structure. To see this information, all you need is a certificate decoder. In this article we explain in plain language exactly what lives inside a certificate, what each field is for, and when you should decode your own.

What is a certificate decoder?

A certificate decoder is a tool that takes a PEM certificate (the text starting with -----BEGIN CERTIFICATE-----) and displays every field inside it in a readable form. Most importantly, our certificate decoder tool runs 100% in your browser: your certificate stays in your browser and is never uploaded to any server. That matters for privacy, because a certificate can reveal details about your domains and infrastructure.

The fields inside an SSL certificate

Subject

The Subject tells you who the certificate represents. Its most important field is the CN (Common Name), which is the primary domain name. Other fields include O (organization), OU (organizational unit), L (locality/city), ST (state/province) and C (country code). Free certificates such as those from Let's Encrypt usually contain only the CN, with no organization details.

Issuer

The Issuer shows who signed the certificate, that is, which Certificate Authority (CA) issued it. For Let's Encrypt certificates the Issuer is usually a Let's Encrypt intermediate. Understanding the difference between Subject and Issuer is key: the Subject is your site, the Issuer is the trusted party that vouches for it. If the two are identical, you are holding a self-signed certificate.

Validity

Every certificate has a start date (not before) and an end date (not after). Outside this window the certificate is invalid and browsers show a warning. Let's Encrypt certificates are valid for 90 days, so tracking the expiry date and renewing on time is essential.

SANs (Subject Alternative Names)

The SAN list contains every domain name the certificate covers. Modern browsers no longer look only at the CN; they read the SAN list. So for both example.com and www.example.com to be covered, both must appear in the SANs. In a wildcard certificate you will see *.example.com here.

Serial number and signature algorithm

The serial number is the unique identifier the CA assigns to each certificate; it is used to look a certificate up in revocation lists. The signature algorithm tells you how the certificate was signed; today you will typically see SHA-256 with RSA or an ECDSA-based algorithm.

Public key (type and size)

The public key is the foundation of the encryption. Its type may be RSA or EC (elliptic curve). The size indicates strength: for RSA, 2048 bits is the minimum considered safe and 4096 bits is stronger; an ECDSA 256-bit key offers strong protection roughly equivalent to RSA 3072. A bigger key is not always faster; EC keys deliver high security at small sizes.

Fingerprints (SHA-1 / SHA-256)

A fingerprint is a unique digest computed over the whole certificate. It is used to confirm that two parties hold the same certificate. For example, when pinning in a mobile app or verifying a certificate with a support team, you compare the SHA-256 fingerprint. Because SHA-1 is now considered weak, prefer SHA-256 for verification.

When should you decode a certificate?

  • To verify what the CA issued: confirm the certificate you received really contains the domain you wanted.
  • To check SANs and expiry: make sure all your subdomains are covered and the certificate is not about to expire.
  • To match a fingerprint: prove the certificate on the server is the same one you expect.
  • While troubleshooting: diagnose errors like "the wrong certificate is being served."
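
Checking a fingerprint locally, as described under Fingerprints and in the "match a fingerprint" item above. This is an added example, not the decoder tool's own code; the function names are illustrative and the sample bytes are constructed placeholders, not real certificates. It assumes the first block in fullchain.pem is the server (leaf) certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def pem_to_der(pem_text):
    """Return the DER bytes of every certificate block in a PEM file, in order."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        # Strip line breaks and spaces (CRLF files included), then decode strictly.
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders

def sha256_fingerprint(der):
    """SHA-256 over the DER bytes, shown as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Drop separators and case so differently formatted fingerprints compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def leaf_matches(pem_text, expected_fp):
    """Compare the first certificate in the file against an expected fingerprint."""
    actual = sha256_fingerprint(pem_to_der(pem_text)[0])
    return hmac.compare_digest(normalize(actual), normalize(expected_fp))

def to_pem(der):
    """Helper for the constructed sample: wrap bytes as a PEM block, 64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + lines + "\n-----END CERTIFICATE-----\n"

# Constructed sample input: placeholder bytes, NOT real certificates.
SAMPLE_LEAF_DER = bytes([0x30, 0x82]) + bytes(range(200))
SAMPLE_CA_DER = bytes([0x30, 0x82]) + bytes(range(200, 0, -1))
SAMPLE_FULLCHAIN = to_pem(SAMPLE_LEAF_DER) + to_pem(SAMPLE_CA_DER)

if __name__ == "__main__":
    for index, der in enumerate(pem_to_der(SAMPLE_FULLCHAIN)):
        print(index, sha256_fingerprint(der))
```

The fingerprint depends only on the decoded bytes, so the same certificate saved with different line endings or line wrapping yields the same value.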

How to use it

  1. Open your certificate file (.crt, .pem or fullchain.pem) in a text editor.
  2. Copy the block between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  3. Paste it into the certificate decoder tool and review the decoded fields.

If you do not have a certificate yet, you can create a free 90-day Let's Encrypt certificate in minutes with our get certificate wizard, then verify the result with the decoder.

Summary

An SSL certificate consists of the Subject, Issuer, validity window, SANs, serial number, signature algorithm, public key and fingerprints. Reading these fields requires no special expertise, only the right tool. A certificate decoder shows all of this information in seconds and with full privacy, because your certificate stays in your browser. Before renewing, deploying or troubleshooting, decode your certificate quickly to make sure everything is correct.