Certificate Decoder CLI

x509dump: Certificate Decoder CLI

A fast offline CLI for decoding X.509 certificates and CSRs into stable JSON. Use the free edition in scripts today. Upgrade to planned pro capabilities when you need deeper validation and analysis.

Download Free Join Pro Waitlist

Free CLI for developers. Windows, macOS, Linux x64, and Linux arm64 release packages. 

$ x509dump cert.pem | jq '.subject_display, .fingerprints.sha256'
"CN=api.example.com,O=Example Corp,L=London,C=GB"
"9F:1A:4A:5E:47:4B:3D:14:32:61:2F:7F:16:95:54:06:25:8B:8F:16:0E:0A:53:89:7E:74:2E:69:26:2D:EA:41"

$ x509dump request.csr | jq '.public_key.algorithm.name, .extensions'
"RSA"
[{"name":"Subject Alternative Name","value":"DNS:api.example.com"}]

What x509dump does

x509dump is built for engineers who need certificate data in a form they can trust in scripts, CI jobs, and support workflows. It decodes certificates and CSRs locally, emits JSON only, and avoids the parsing friction of OpenSSL text output.

  • Decode X.509 certificates and PKCS#10 CSRs from PEM, DER, files, or stdin
  • Produce stable JSON output for automation, audit tooling, and shell pipelines
  • Run fully offline with no telemetry and no network dependency
  • Fit cleanly into secure or air-gapped developer workflows

Install + usage

Free release packages are published for Windows, macOS, Linux x64, Linux arm64, and Alpine-compatible Linux musl builds. Install the binary for your platform, put it on your PATH, and run it directly.

Quick start

x509dump cert.pem
x509dump request.csr
cat cert.pem | x509dump -
x509dump --version

Current downloads

Tick the checkbox before downloading.

Use the musl builds for Alpine Linux. Standard Linux packages target glibc distributions such as Ubuntu, Debian, RHEL, and Rocky.

Why teams use it

  • Faster than remembering the right OpenSSL flags
  • Structured output for shell scripts, CI, and support tooling
  • Safer for sensitive material because nothing leaves the machine
  • Easy entry point into Red Kestrel's broader certificate tooling

Good fit for

  • Platform engineers and SREs
  • PKI and security teams
  • Build and release pipelines
  • Air-gapped and high-control environments

Common certificate decoder questions

How do I convert an X.509 certificate to JSON?

Run x509dump cert.pem for PEM files or x509dump cert.der for DER files. x509dump emits structured JSON directly, which makes it easier to feed certificate data into scripts and automation than parsing OpenSSL text output.

How do I decode a CSR to JSON from the command line?

Use x509dump request.csr to decode a PKCS#10 certificate signing request into JSON. That gives you machine-readable subject, public key, and extension data without extra text parsing.

Can x509dump parse PEM and DER files?

Yes. x509dump handles PEM and DER input for both certificates and CSRs, and it can read from files or stdin. That makes it practical for local debugging, build pipelines, and support workflows that need predictable JSON output.

What is the best OpenSSL alternative for JSON output?

If you specifically want certificate or CSR data as JSON, x509dump is a simpler OpenSSL alternative. It is designed for offline use, stable JSON output, and shell-friendly workflows instead of human-oriented text dumps.

Free vs Pro

Capability Free Pro
Decode certificates and CSRs into JSON Included Included
Offline operation with no data leaving the machine Included Included
Strict PEM and DER input handling for automation safety Included Included
Validation results and richer certificate analysis Not included Planned
More forgiving input normalisation for messy real-world input Not included Planned
Expanded object support and advanced developer workflows Not included Planned

Start with the free CLI. Plan for Pro.

x509dump is the low-friction way to get structured certificate data into your workflow today. If you want deeper validation and expanded capabilities, join the waitlist and shape the pro roadmap.

Download Free Join Pro Waitlist