What certificate formats are supported?

Our Certificate Analyzer supports PEM (Base64 encoded, most common), DER (binary format), PKCS#7/P7B (certificate chain format), and can parse any standard X.509 certificate. Simply paste PEM content or upload certificate files (.pem, .crt, .cer, .der).

Is my certificate data safe with this tool?

Yes, completely safe. All certificate parsing happens entirely in your browser using JavaScript. Your certificate data never leaves your device and is not sent to any server. This makes it safe to analyze even sensitive internal or private certificates.

What information does the analyzer show?

The analyzer shows: Subject (CN, O, OU, C), Issuer details, Validity period (Not Before/Not After), Serial number, Signature algorithm, Public key info (algorithm, size), Extensions (Key Usage, Extended Key Usage, SANs, Basic Constraints), and fingerprints (SHA-1, SHA-256).

How do I get my certificate in PEM format?

PEM certificates start with '-----BEGIN CERTIFICATE-----' and end with '-----END CERTIFICATE-----'. Export from browser (click lock icon > Certificate > Details > Export), use OpenSSL ('openssl x509 -in cert.der -inform DER -out cert.pem'), or copy from your server's certificate file.

What is the difference between PEM and DER formats?

PEM is Base64-encoded text with header/footer lines - human-readable and common on Linux/Apache. DER is binary format - smaller but not human-readable, common on Windows/Java. Both contain the same certificate data; PEM is just Base64-encoded DER with headers.

What do certificate extensions mean?

Key extensions: Key Usage defines cryptographic operations allowed (signing, encryption). Extended Key Usage specifies purposes (server auth, client auth, code signing). Basic Constraints indicates if it's a CA certificate. SANs list all domains the cert is valid for.

What is a certificate fingerprint used for?

Fingerprints (SHA-256, SHA-1) are unique hashes that identify a certificate. Use them to verify you have the correct certificate, compare certificates, or for certificate pinning. SHA-256 is preferred; SHA-1 is legacy but still used for backward compatibility.

How do I analyze a certificate chain?

Paste all certificates in the chain (each with its own BEGIN/END markers) into the input. The analyzer will parse each certificate, showing the hierarchy from leaf (your domain) through intermediates to the root CA. Verify the chain is complete and properly ordered.

Certificate Analyzer

Parse and analyze X.509 certificates in your browser

Certificate Input

PEM Certificate

Paste a certificate and click Analyze

Client-side only

Tool Capabilities

Client-Side (Browser)

Files never leave your device

Parse & decode X.509 certificates
Display subject, issuer & validity dates
Show extensions & key usage
Certificate chain analysis
Copy certificate details

Requires Server-Side

Not available — would need cloud processing

OCSP/CRL revocation checking
Certificate Transparency log search
Automated certificate monitoring

Revocation checking (OCSP/CRL) and CT log searches require server-side HTTP requests to certificate authorities.

X.509 Certificate Structure

X.509 is the standard format for public key certificates used in SSL/TLS, code signing, email encryption, and many other security protocols. An X.509 certificate is a structured data object encoded according to ASN.1 (Abstract Syntax Notation One) that binds a public key to an identity (a subject) and is signed by a trusted Certificate Authority (CA). Every HTTPS website uses an X.509 certificate to prove its identity to browsers.

The core fields of an X.509 certificate include the Subject (the entity the certificate belongs to, identified by its Distinguished Name), the Issuer (the CA that signed it), the Validity period (Not Before and Not After dates), the Public Key and its algorithm, and the CA's digital Signature over all the other fields. Extensions added in X.509 v3 carry additional information like Subject Alternative Names, Key Usage constraints, and CRL distribution points.

PEM vs. DER Certificate Formats

X.509 certificates can be encoded in two primary formats, and knowing the difference matters when working with TLS configurations and certificate management tools:

DER (Distinguished Encoding Rules) is the binary format for encoding ASN.1 data. DER files contain raw binary data and cannot be opened in a text editor. They use the .der or .cer extension and are commonly used in Java environments and Windows certificate stores.
PEM (Privacy-Enhanced Mail) is a Base64-encoded version of the DER format, wrapped with header and footer lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). PEM is the most common format for web servers (Apache, Nginx) and is used by Let's Encrypt. The .pem, .crt, and .keyextensions all typically contain PEM-encoded data.

Our Certificate Analyzer accepts PEM format (paste the text starting with-----BEGIN CERTIFICATE-----) or any binary certificate file. All parsing happens in your browser using the Web Crypto API — your certificate bytes never leave your device, which is critical when analyzing certificates for production systems that may contain sensitive organizational information.

Certificate Extensions and Security Implications

X.509 v3 extensions significantly expand what a certificate can express. The Subject Alternative Name (SAN) extension is the most important for HTTPS: modern browsers require all domain names covered by a certificate to be listed as SANs. The legacy Common Name (CN) field is no longer sufficient and is ignored by Chrome and Firefox for hostname validation.

Key Usage and Extended Key Usage extensions constrain what a certificate can be used for. A certificate with Key Usage of "Digital Signature" and Extended Key Usage of "Server Authentication" (OID 1.3.6.1.5.5.7.3.1) is appropriate for HTTPS servers. If these constraints are absent or misconfigured, a certificate might technically be valid but functionally incorrect — causing connection failures in strict TLS clients.

The Basic Constraints extension identifies whether a certificate is a CA certificate (capable of signing other certificates) or an end-entity (leaf) certificate. A leaf certificate with the CA flag set to true is a major security misconfiguration — it would allow the certificate holder to issue fraudulent certificates. Certificate Transparency logs exist precisely to detect and expose such misissuances.

Features

PEM/DER Support

Parse PEM and DER encoded certificates

Subject & Issuer

View subject and issuer details

Validity Check

Check validity period and expiration

Extensions

View extensions (Key Usage, SANs, etc.)

Fingerprints

Calculate SHA-1 and SHA-256 fingerprints

Client-Side

All processing happens in your browser

How to Use the Certificate Analyzer

Paste certificate Paste PEM certificate starting with -----BEGIN CERTIFICATE-----

Or upload file Upload a certificate file (.pem, .crt, .cer, .der)

Instant parsing Certificate is parsed instantly in your browser

View details View all certificate details and copy fingerprints

TL;DR - Free Certificate Analyzer

Parse and analyze X.509 SSL/TLS certificates instantly. View subject, issuer, validity, extensions, SANs, and fingerprints. Supports PEM and DER formats. 100% client-side - your certificates never leave your browser.

PEM/DER supportSHA-256 fingerprintsExtension parsing100% private

Certificate Analyzer vs SSL Labs vs KeyCDN vs CertLogik

How does JumpTools Certificate Analyzer compare to other X.509 certificate tools?

Feature	JumpTools	SSL Labs	KeyCDN Tools	CertLogik
Price	Free	Free	Free	Free
Privacy	100% local (no upload)	Remote scan only	Remote scan	Remote scan
PEM Input	Yes	No (domain only)	No (domain only)	Yes
Fingerprints	SHA-1 + SHA-256	Yes	Yes	Yes
Extension Parsing	Yes (SANs, Key Usage)	Yes	Partial	Yes
No Signup	Yes	Yes	Yes	Yes

Comparison as of March 2026. Tools compared: SSL Labs, KeyCDN.

Frequently Asked Questions

Related Tools

DNS Lookup

Free DNS lookup tool. Query A, AAAA, MX, NS, TXT, CNAME, SOA, CAA & more for any domain. Check propagation, debug email issues. Fast & accurate.

Email Analyzer

Free email header analyzer. Trace delivery path, analyze delays, verify SPF/DKIM/DMARC. Detect spoofing & troubleshoot delivery issues. No signup needed.

Website Health Check

Free website health checker. Check HTTP status, response time, SSL certificate, security headers & redirect chains. Get security score. No signup needed.

IP Converter

Free IP address converter. Convert between binary, decimal, hex, octal, IPv4 & IPv6 formats instantly. 100% client-side processing. No signup required.

Hash Generator

Free hash generator. Generate SHA-256, SHA-512, SHA-1 hashes from text or files. File checksum verification, HMAC support. 100% client-side. No signup.

SSL Checker

Free SSL certificate checker. Verify SSL/TLS installation, check certificate chain, expiry dates & detect vulnerabilities (Heartbleed, POODLE). 100% client-side.

Loading tool...

X.509 Certificate Structure

PEM vs. DER Certificate Formats

X.509 certificates can be encoded in two primary formats, and knowing the difference matters when working with TLS configurations and certificate management tools:

DER (Distinguished Encoding Rules) is the binary format for encoding ASN.1 data. DER files contain raw binary data and cannot be opened in a text editor. They use the .der or .cer extension and are commonly used in Java environments and Windows certificate stores.

PEM (Privacy-Enhanced Mail) is a Base64-encoded version of the DER format, wrapped with header and footer lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). PEM is the most common format for web servers (Apache, Nginx) and is used by Let's Encrypt. The .pem, .crt, and .keyextensions all typically contain PEM-encoded data.

Certificate Extensions and Security Implications

Features

PEM/DER Support

Parse PEM and DER encoded certificates

Subject & Issuer

View subject and issuer details

Validity Check

Check validity period and expiration

Extensions

View extensions (Key Usage, SANs, etc.)

Fingerprints

Calculate SHA-1 and SHA-256 fingerprints

Client-Side

All processing happens in your browser

Feature

JumpTools

SSL Labs

KeyCDN Tools

CertLogik

Price

Free

Privacy

100% local (no upload)

Remote scan only

Remote scan

PEM Input

Yes

No (domain only)

Yes

Fingerprints

SHA-1 + SHA-256

Yes

Extension Parsing

Yes (SANs, Key Usage)

Yes

Partial

Yes

No Signup

Yes