How to Read an SSL Certificate: Every Field Explained

Not sure what all those fields in an SSL certificate mean? This guide walks through every field — CN, SANs, fingerprint, key usage — in plain English.

When you paste a certificate into a decoder or run openssl x509 -text, you're met with a wall of fields. Here's what each one means.

Subject

The subject identifies who the certificate was issued to. At minimum it contains a Common Name (CN) — usually the domain name. OV and EV certificates also include an Organization (O), City (L), State (ST), and Country (C).

Issuer

The issuer is the Certificate Authority that signed the certificate. Your browser trusts certificates because it trusts a known set of root CAs. See how certificate chains connect leaf certificates back to a trusted root.

Validity Period

The Not Before and Not After timestamps define the window during which the certificate is valid. A certificate used outside that window triggers a certificate expired error. As of 2024, most certificates are issued for 90 days (Let's Encrypt) or up to 397 days (commercial CAs).

Subject Alternative Names

The Subject Alternative Name (SAN) extension lists every domain name the certificate protects. Modern certificates use SANs exclusively — the legacy Common Name field is no longer the authoritative source for domain matching in browsers. Learn more about the difference between SAN and CN.

Public Key

This is the public key used during the TLS handshake. You'll see the key type (RSA, EC/ECDSA) and bit length (e.g. RSA-2048, RSA-4096, P-256). Larger keys are more secure but slightly slower; EC keys offer equivalent security at shorter lengths.

Signature Algorithm

The signature algorithm describes how the issuing CA signed the certificate — for example, sha256WithRSAEncryption. Older algorithms like SHA-1 are deprecated. If you see a weak signature algorithm warning, the certificate needs replacing.

Key Usage and Extended Key Usage

Key Usage specifies what the key can be used for — signing, key encipherment, etc. Extended Key Usage (EKU) adds higher-level purposes like TLS Web Server Authentication or Code Signing. Most end-entity TLS certificates have serverAuth in EKU.

Fingerprint

A certificate fingerprint is a hash (SHA-256 or SHA-1) of the certificate's DER-encoded bytes. It's a compact unique identifier — useful for pinning, auditing, and confirming you have the right certificate.

Serial Number

The serial number is a unique integer assigned by the CA. It's used in Certificate Revocation Lists and OCSP responses to identify which certificate has been revoked.

Try the Decoder

See all these fields in action: paste any PEM certificate into the SSL Certificate Decoder and every field above will be extracted and explained instantly.

Decode any SSL certificate instantly

Paste any PEM certificate into the free decoder — see subject, issuer, SANs, fingerprints, validity dates, and all X.509 extensions explained in plain English.

Open the Decoder
All articles