PEM Viewer
See what is inside a PEM block before you ship it.
How to use the PEM Viewer
PEM (Privacy-Enhanced Mail) is the base64-with-headers format OpenSSL, nginx, curl and most TLS libraries use for certificates and keys. This tool reads each -----BEGIN/END----- block, tells you what kind of object it is, and shows the DER byte length plus a hex preview so you can sanity-check a cert before deploying it.
- 01Paste your PEM block (or a full chain) into the pem input panel.
- 02Each detected block is listed with its label (CERTIFICATE, RSA PRIVATE KEY, etc.) and DER byte count.
- 03Use the hex preview to compare two keys or confirm a block decoded correctly.
tips
- —The label between BEGIN and END matters:
CERTIFICATEis an X.509 cert,RSA PRIVATE KEYis a PKCS#1 key,PRIVATE KEYis PKCS#8. Mixing them up is a common nginx config bug. - —A "full chain" file is just several PEM blocks concatenated. The leaf certificate must come first, then each intermediate.
- —This MVP reports structure only — full ASN.1 field decoding (modulus, issuer, expiry) is on the roadmap. For now, pair it with
openssl x509 -textwhen you need the fields.
frequently asked
What does the tool actually parse?+
It finds the -----BEGIN/END----- markers, extracts the label in between (e.g. CERTIFICATE, RSA PRIVATE KEY), base64-decodes the body and reports the DER byte length plus the first 16 bytes as hex. It does not yet do full ASN.1 decoding of the fields inside.
Is it safe to paste a private key here?+
The parsing happens entirely in your browser — the key is never sent over the network. Still, treat private keys carefully and avoid pasting production material into random tools. For auditing a real key, an air-gapped machine is safest.
Why does my file have multiple PEM blocks?+
A single file often chains a certificate and its intermediate (a "full chain"). The tool reads every BEGIN/END block it finds and lists them separately so you can tell which is the leaf, which is the intermediate, and so on.