Skip to main content
ToolsRunbooksBlogDocs

rawops.dev

Skip to tool content

SSL Certificate Decoder

Decode PFX/P12 files, view certificate details, and build certificate chains. Everything runs in your browser — no data is sent to any server.

Drop a .pfx or .p12 file here, or browse

What is an SSL/TLS Certificate?

An SSL/TLS certificate is a digital document that binds a cryptographic key to an organization's or individual's identity. Certificates are used to secure HTTPS connections (server certificates), sign emails (S/MIME), sign code, and authenticate clients. They follow the X.509 standard and contain fields like subject, issuer, validity dates, public key, and extensions.

PFX / PKCS#12 Files Explained

A PFX (Personal Information Exchange) or P12 file is a binary archive that bundles a certificate, its private key, and optionally the full certificate chain into a single password-protected file. The format is defined by PKCS#12 standard.

Common uses for PFX files:

  • S/MIME email signing — Your email client (Outlook, Thunderbird) imports a .pfx to sign and encrypt emails
  • Code signing — Signing executables, drivers, or scripts with a code signing certificate
  • IIS / Windows servers — Microsoft IIS uses PFX format for SSL certificate import/export
  • Client certificates — mTLS authentication where both server and client present certificates
  • Certificate backup — Exporting a cert + key for safekeeping or migration

Certificate Chain / Chain of Trust

A certificate chain (or chain of trust) connects your end-entity certificate to a trusted root CA through a series of intermediate certificates. When a browser or mail client verifies a certificate, it walks the chain from end-entity → intermediate(s) → root CA. If the root CA is in the trust store, the certificate is trusted.

A correct chain order is: end-entity → intermediate → root. If you configure an incomplete chain on your server, clients may fail to verify the certificate, resulting in SSL errors.

Equivalent OpenSSL Commands

This tool replaces common OpenSSL commands you'd run on the terminal:

# Decode PFX to PEM
openssl pkcs12 -in cert.pfx -out cert.pem -nodes

# View certificate details
openssl x509 -in cert.pem -text -noout

# Extract private key from PFX
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

# View certificate chain
openssl s_client -connect example.com:443 -showcerts

Check Any Website's SSL Certificate

The Remote Check tab lets you enter any domain name (e.g. google.com) and instantly fetch its live TLS certificate chain. This is the equivalent of running openssl s_client -connect example.com:443 -showcerts from your terminal. The fetched certificates are displayed using the same detailed viewer as the other tabs — subject, issuer, validity, SAN, fingerprints, and PEM export. You can also check non-standard ports (e.g. 8443) and inspect self-signed or expired certificates.

Privacy-First Design

PFX decoding and certificate viewing run entirely in your browser — your private keys and certificates are never uploaded to any server. The Chain Builder fetches intermediate certificates from public CA URLs (extracted from the certificate's AIA extension) via our server proxy to avoid CORS restrictions. Only the public CA download URL is sent through our server — your certificate content stays in the browser.

Related Tools & Resources

OpenSSL Command Builder
Generate certs and keys with OpenSSL
Nginx Config Generator
Configure SSL in Nginx
Hash Generator
Verify certificate fingerprints
DNS Lookup
Check DNS records and email security for the domain
CSR Generator
Generate CSRs for certificate requests
HAProxy Config Generator
Configure SSL termination in HAProxy
Runbook: Fix expired SSL certificates
Step-by-step troubleshooting guide
Complete SSL/TLS guide for DevOps
Blog article
How certificate chains work
Blog article
Convert PFX to PEM format
Blog article
Automate cert issuance with ACME
Blog article
Set up mTLS with client certificates
Blog article
Compare cloud certificate services
Blog article