X.509 is a standard defining the format of public key certificates. An X.509 certificate binds an identity (e.g., a domain name) to a public key and is digitally signed by a Certificate Authority (CA). It's widely used for TLS/SSL, email encryption, code signing, and more.

PEM (Privacy Enhanced Mail) is a Base64-encoded format wrapped between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. DER (Distinguished Encoding Rules) is a binary form of the same certificate data. This tool supports both: paste PEM text or upload .pem/.crt/.cer/.der files.

Once you decode the certificate, scroll to the "Extensions" section. The Subject Alternative Names (SAN) extension lists all domains, IPs, or emails covered by the certificate. Modern certificates often include both the primary Common Name (CN) and multiple SAN entries.

Absolutely. All decoding happens entirely in your browser using client-side JavaScript. Your certificate data is never uploaded to any server. You can even disconnect from the internet after loading the page and the tool will still work.

Common issues: missing or extra whitespace, copy-paste errors, or providing an RSA private key instead of a certificate. Ensure you are using the public certificate (starts with -----BEGIN CERTIFICATE-----). If the certificate is DER-encoded binary, use the file upload tab.

Fingerprints (SHA-1 and SHA-256 digests of the DER-encoded certificate) uniquely identify a certificate and are used for pinning, verification, and manual comparison. This tool displays both SHA-1 and SHA-256 fingerprints.