DevToolsHub

Reading TLS certificates and PEM files before an outage


What PEM files contain

The Privacy-Enhanced Mail (PEM) format wraps a Base64-encoded DER X.509 certificate between BEGIN CERTIFICATE and END CERTIFICATE lines. The same encoding is used for certificate chains pasted into load balancers, Kubernetes secrets, and CI deploy keys; only public material belongs in repositories.

Fields that prevent outages

Check notBefore and notAfter against today’s date in UTC. Confirm the Subject Alternative Name list includes every hostname clients use, including apex and www variants. Verify the issuer matches the CA you purchased from—wrong intermediate bundles are a top cause of “works in browser, fails in Java app.”

  • Renew at least two weeks before expiry to survive approval delays and staged rollouts.
  • After renewal, confirm old intermediates are removed from the chain you upload.
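
The checks above as an added Python example (not DevToolsHub code): it takes a certificate already decoded into the dict shape Python's ssl.getpeercert() returns and reports validity, renewal-window, SAN and issuer problems. The sample certificate, hostnames and issuer name are constructed for illustration, and the helper names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 14  # the "at least two weeks before expiry" rule

def _utc(cert_time):
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def san_covers(cert, host):
    """True if a DNS SAN matches host exactly or via a one-label wildcard."""
    host = host.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind == "DNS" and (name == host or (name.startswith("*.") and name[2:] == parent)):
            return True
    return False

def preflight(cert, hostnames, expected_issuer_cn, now=None):
    """List problems for a cert dict shaped like ssl.getpeercert() output."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    problems = []
    if now < not_before:
        problems.append("not yet valid")
    if now >= not_after:
        problems.append("expired")
    elif (not_after - now).days < RENEW_WINDOW_DAYS:
        problems.append(f"renew now: {(not_after - now).days} days left")
    # A wildcard never covers the apex, so each hostname is checked on its own.
    problems += [f"SAN missing: {h}" for h in hostnames if not san_covers(cert, h)]
    issuer_cn = dict(rdn[0] for rdn in cert.get("issuer", ())).get("commonName")
    if issuer_cn != expected_issuer_cn:
        problems.append(f"unexpected issuer: {issuer_cn}")
    return problems

# Constructed sample, not a real certificate: www and wildcard SANs, no apex.
SAMPLE = {
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA 1"),)),
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Apr  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    now = datetime(2030, 3, 25, tzinfo=timezone.utc)  # fixed date for a repeatable run
    hosts = ["example.com", "www.example.com", "api.example.com"]
    print(preflight(SAMPLE, hosts, "Example Issuing CA 1", now))
```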

Chains vs single files

Servers often need the leaf plus intermediate certificates. Clients walk the chain to a trusted root. Missing intermediates produce intermittent errors depending on which client cached what.

Handling private keys

Never paste private keys into public tools, screenshots, or tickets. Store keys in HSMs or secret managers. If a key is exposed, rotate immediately—revocation and reissue are faster than investigating exfiltration months later.

This article is part of the DevToolsHub learning guides—original writing meant to complement our free tools, not replace official documentation from vendors or standards bodies.
