How to decode a PEM, PFX, CRT, or CSR certificate online

Yellorn decodes every X.509 PKI file type in your browser — no upload, no server. Drop a certificate and get expiry status, fingerprint, and algorithm details at a glance.

Drop a certificate — Yellorn decodes it locally

Yellorn supports every common X.509 PKI file type. Drag any of the following onto the editor and it decodes in your browser — nothing is uploaded to a server, and private-key material is never decoded or displayed:

  • PEM (.pem, .crt, .cer, .key) — base64-encoded certificate or key wrapped in -----BEGIN CERTIFICATE----- headers. A single PEM file may contain a chain of certificates; Yellorn decodes all of them.
  • DER (.der, .cer) — the binary (non-base64) encoding of an X.509 certificate.
  • PKCS#12 / PFX (.pfx, .p12) — a bundle containing a certificate plus its private key. If the bundle is password-protected, Yellorn prompts for the password and unlocks the certificate details in the browser. The password and the file never leave your device.
  • PKCS#7 (.p7b, .p7c) — a certificate chain or signed message without private-key material.
  • PKCS#10 CSR (.csr, .req) — a Certificate Signing Request; Yellorn decodes the requested subject, key algorithm, and any requested extensions.
  • Bare keys (.key, .pub) — public or private keys in PEM or DER form; Yellorn shows the key's algorithm and format only — raw key material is never decoded.

What the insight summary tells you

Every certificate file opens with a computed __insight__ object at the top of the JSON preview — the same at-a-glance summary regardless of which file type you dropped. A typical certificate looks like this:

{
  "__insight__": {
    "kind": "X.509 Certificate",
    "source": "PEM",
    "summary": "example.com · valid for 74 days · RSA 2048",
    "status": "valid",
    "common_name": "example.com",
    "issuer": "R10",
    "expires": "2026-09-07T12:00:00.000Z",
    "days_remaining": 74,
    "key": "RSA 2048",
    "serial_number": "03:A1:…",
    "sha256_fingerprint": "AB:CD:EF:…",
    "self_signed": false,
    "contains": {
      "certificates": 1, "certificate_requests": 0,
      "public_keys": 0, "private_keys": 0, "crls": 0
    }
  }
}
  • kind — what the file is, e.g. X.509 Certificate, Certificate Chain, PKCS#12 Bundle, Certificate Signing Request.
  • status — one of valid, expiring_soon (within 30 days), expired, not_yet_valid, or password_protected. The matching expires and days_remaining fields give the exact window.
  • common_name / issuer — the leaf certificate's subject and the signing authority, as readable names.
  • key — the public-key label, e.g. RSA 2048, EC P-256, Ed25519.
  • sha256_fingerprint — the SHA-256 fingerprint of the DER-encoded certificate, as upper-case colon-separated hex.
  • self_signed — whether the certificate is signed by its own key.
  • warnings — present only when something needs attention. Each entry is a plain-language sentence, for example “Self-signed certificate (not issued by a trusted CA).”, “Weak RSA key — below 2048 bits.”, “Weak signature algorithm (SHA-1 / MD5).”, or “Certificate expired on 2025-06-14.”

Below the insight object you get the full per-certificate detail under certificates: the complete subject / issuer distinguished names, a validity block (not_before, not_after, days_remaining, status), public_key, signature_algorithm, Subject Alternative Names, key usage, extended key usage, basic constraints, and both SHA-1 and SHA-256 fingerprints.

Opening a password-protected PFX / P12

When Yellorn detects a PKCS#12 bundle that requires a password, it shows an in-editor prompt before decoding. Type the password and press Unlock. The certificate details appear immediately — the password is used only in the browser's cryptography API and is never sent anywhere.

If the password is wrong, Yellorn surfaces a clear error so you can retry. If you close the prompt without entering a password, the raw (undecoded) binary is shown instead.

Tips for common tasks

Check whether a certificate is expired

Drop the .pem or .crt file onto the editor. The __insight__ object at the top shows "status": "expired" or "expiring_soon" alongside the exact expires timestamp and a days_remaining count, and adds a plain-language warnings entry such as “Certificate expires within 30 days”. No login needed.

Verify the SHA-256 fingerprint

The sha256_fingerprint field in the insight summary is the SHA-256 fingerprint of the DER-encoded certificate, formatted as upper-case colon-separated hex — the same value openssl prints for openssl x509 -fingerprint -sha256 -noout -in cert.pem. Compare it against a pinned value or a CA's published fingerprint to confirm you have the right certificate.

Inspect a certificate chain in a PEM bundle

A PEM file can contain multiple -----BEGIN CERTIFICATE----- blocks. Yellorn decodes all of them and presents each as a separate entry in the certificates array, so you can verify the full chain from the leaf certificate to the root CA at once. If the chain is out of order or a link is missing, the insight warnings say so.

Read the key details from a PFX

Drop the .pfx and enter the password. The decoded output reports the public key's algorithm, size / curve, and format (under each certificate's public_key, and in the public_keys array) — but never the raw key bytes. Private-key material is deliberately never decoded or displayed; only the private key's algorithm and format are reported.

Related

← All help articles · Usage guide · About Yellorn

Where to go next

Try a fix in the editor or browse more articles.

Open editorAll articlesUsage guideAbout Yellorn