PEM Viewer

Paste a PEM block, or load a .pem, .crt, .cer, .key or .csr file, and decode it into a readable structure. The viewer detects the PEM type from its -----BEGIN----- header, base64-decodes the body to DER, and walks the binary with a built-in ASN.1 parser that resolves object identifiers to names like commonName, rsaEncryption and prime256v1. Multiple blocks in one file are all decoded. Everything runs in your browser, so even private keys never leave your machine.

PEM block

How to use the PEM Viewer

Paste a PEM block into the box or load a certificate or key file. The viewer scans for every -----BEGIN X----- … -----END X----- pair, reports the detected type of each (certificate, public key, private key, certificate request and so on), and decodes the base64 body to its underlying DER bytes. It then renders the ASN.1 structure as an indented tree where each node shows its type, byte length and, for primitive values, the decoded content. Constructed types like SEQUENCE and SET nest their children beneath them, mirroring the structure exactly.

Object identifiers are resolved to readable names wherever known, so a signature algorithm reads sha256WithRSAEncryption rather than a string of numbers, and the attributes inside a subject become commonName, organizationName, countryName and the like. Integers are shown in decimal when small and hex when large, the various string types are decoded by their tag, and [n] markers denote the context-specific tagged fields common in certificates. The decoder peeks inside BIT STRING and OCTET STRING wrappers when their contents are themselves DER, which is how it reveals the key inside a SubjectPublicKeyInfo or the value inside an extension. The whole parse runs locally with no network calls, so it is safe to inspect private keys and internal certificates.

PEM, DER and ASN.1 — the three layers

The files at the heart of TLS and PKI are built from three nested layers, and it helps to keep them straight. ASN.1 (Abstract Syntax Notation One) is the abstract schema — it describes what fields a certificate or key has and how they relate, independently of any byte layout. DER (Distinguished Encoding Rules) is the concrete binary serialisation of that schema, a canonical, unambiguous stream of bytes. PEM (Privacy-Enhanced Mail, the name a historical accident) is a text wrapper around DER: it takes the binary, base64-encodes it, and frames it with -----BEGIN X----- and -----END X----- lines so the result is copy-pasteable plain text. So PEM contains base64, which decodes to DER, which is an encoding of an ASN.1 structure.

The label in the header tells you what the block holds, and a single file can stack several. CERTIFICATE is an X.509 certificate; chains often place the leaf, intermediates and root in one file. CERTIFICATE REQUEST (or NEW CERTIFICATE REQUEST) is a PKCS#10 CSR. PUBLIC KEY is a SubjectPublicKeyInfo, while PRIVATE KEY is an unencrypted PKCS#8 key, RSA PRIVATE KEY and EC PRIVATE KEY are the older algorithm-specific PKCS#1 and SEC1 forms, and ENCRYPTED PRIVATE KEY wraps a password-protected key. There are also DH PARAMETERS, X509 CRL and others. The header is not just decoration: tools dispatch on it to decide how to parse the bytes inside.

Reading the structure underneath the wrapper is a practical skill. It lets you confirm the algorithm and key size of a key, read the subject and the subject-alternative-name entries in a certificate, check the constraints in an extension, verify a CSR contains what you expect before sending it to a CA, or debug an interoperability bug where two systems disagree about a field. Because DER is self-describing — every element announces its type and length — you do not need to know in advance what a blob is; the tags reveal it. The common failure modes are equally visible in the tree: a base64 body that will not decode usually means a copy-paste truncation or a DER file mislabelled as PEM, while a parse that stops early points to a corrupted or non-canonical encoding.

Common use cases

Identifying a mystery file. Find out whether a .pem holds a certificate, a public key, a private key or a CSR, and read its contents.
Inspecting certificates. Read the subject, issuer, validity, algorithms and SAN entries inside an X.509 cert.
Checking a key. Confirm the algorithm, RSA modulus size or EC curve of a public or private key from its structure.
Splitting a chain. See each certificate in a bundle that stacks leaf, intermediate and root in one file.
Private debugging. Inspect internal or private cryptographic material locally without uploading it.

Frequently asked questions

What is the difference between PEM and DER?

DER is the binary encoding of an ASN.1 structure. PEM is that same binary base64-encoded and wrapped in -----BEGIN X----- / -----END X----- text lines so it can be pasted as plain text. PEM decodes to DER. This viewer reads the base64 inside a PEM block and decodes the DER underneath.

Which PEM types can it decode?

Any block whose body is DER-encoded ASN.1: certificates, certificate requests (CSRs), public keys, unencrypted private keys (PKCS#8, PKCS#1 RSA, SEC1 EC), CRLs and more. It detects the type from the header label and decodes the structure. It does not decrypt password-protected ENCRYPTED PRIVATE KEY blocks.

Can it handle a file with several PEM blocks?

Yes. Certificate chains and bundles often place multiple blocks in one file. The viewer finds every BEGIN/END pair and decodes each one in turn, labelling it with its detected type.

What do the [0], [1] markers in the tree mean?

They are context-specific tagged elements — the optional or positional fields ASN.1 uses, very common in certificates, such as the version field and the extensions block. The number is the tag. Their meaning depends on the surrounding structure rather than a universal type.

Is my PEM or key uploaded anywhere?

No. The block is base64-decoded and the ASN.1 is parsed entirely in your browser with no network calls. Certificates, CSRs and private keys you paste never leave your device, so it is safe for internal or private material.