πŸ”„

SSL Certificate Format Converter

Convert SSL/TLS certificates between PEM, DER (binary), and Base64 formats β€” entirely in your browser, nothing uploaded.

About SSL Certificate Format Converter β€” PEM, DER, and Base64 Converter Online

The same X.509 certificate data can be encoded in several different formats, and different platforms require different ones. PEM is a text format using base64 encoding with header/footer lines β€” the format that Apache, Nginx, and most Unix-based tools expect. DER is the binary encoding of the same ASN.1 data β€” the format Java keystores, Windows certificate stores, and IIS use. Base64 (raw, no headers) is the PEM base64 content stripped of its header and footer lines, sometimes required by APIs or configuration files that expect raw base64 rather than the PEM wrapper. This converter handles all three directions, running entirely in your browser without uploading anything.

The conversion need comes up at predictable points: a CA issues a certificate as a .cer file (which could be PEM or DER β€” you have to check), and you need PEM for your Linux server; a Java application needs DER format and you have only PEM; a REST API expects a raw base64 certificate string and you need to strip the PEM headers. Each of these conversions is trivial to perform with OpenSSL but requires that OpenSSL be installed and that you remember the right flags. This browser tool provides the same conversion with a file picker or paste, on any device, in seconds.

How to Use SSL Certificate Format Converter

  1. Select your Input Format β€” PEM (text), DER (binary file), or Base64 (raw, no headers). If you're not sure, open the file in a text editor: PEM starts with -----BEGIN CERTIFICATE-----, DER is binary and won't be readable as text.
  2. Select your Output Format β€” the format you need the certificate in.
  3. For PEM or Base64 input, paste the certificate text in the text area. For DER input, upload the binary file using the file picker that appears.
  4. Click Convert. The converted certificate appears in the output area.
  5. For PEM or Base64 output, click Copy to copy to clipboard. For DER output, click Download to save the binary file.

Certificate Formats Explained

Understanding which format a file is in β€” and which format your target system needs β€” is the main challenge with certificate format conversion.

  • PEM (Privacy Enhanced Mail): The most widely used format for SSL/TLS certificates. Text file, base64-encoded, wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers. Used by Apache, Nginx, HAProxy, most Linux tools, and the OpenSSL command line. PEM files can contain a single certificate or a chain of certificates (multiple PEM blocks concatenated). File extensions: .pem, .crt, .cer (confusingly, .cer can be either PEM or DER).
  • DER (Distinguished Encoding Rules): The binary encoding of the same ASN.1 certificate data that PEM base64-encodes. DER is used by Java applications (before importing into a keystore), Windows certificate stores, IIS, and some older network appliances. DER files cannot be opened in a text editor β€” they appear as binary data. File extensions: .der, .cer, .crt.
  • Base64 (raw, no headers): The base64 payload of a PEM file with the -----BEGIN CERTIFICATE----- header and -----END CERTIFICATE----- footer removed. Required by some APIs, configuration files, and tools that process base64 certificate data directly without the PEM wrapper. Functionally identical to PEM β€” adding the header and footer converts it back.

Tips for Certificate Format Conversion

A few things to check when converting between formats to avoid common errors.

  • Verify the format before converting: .cer and .crt file extensions can be either PEM or DER. Before selecting your input format, open the file in a text editor. If it starts with -----BEGIN CERTIFICATE-----, it's PEM. If the first characters are binary (non-printable), it's DER. Selecting the wrong input format will produce an error or garbled output.
  • Convert the leaf certificate only, not the full chain: PEM chain files contain multiple concatenated certificate blocks (leaf + intermediates + sometimes root). This converter handles one certificate at a time. If you have a chain file and need to convert the leaf certificate to DER, extract just the first PEM block (between the first -----BEGIN CERTIFICATE----- and the first -----END CERTIFICATE-----) and convert that.
  • DER output requires download, not copy: DER is binary data that cannot be represented as text or clipboard content. When converting to DER, use the Download button to save the .cer file, then provide that file to your Java application, IIS installation, or other system that requires DER format.
  • Java keystores need an intermediate step: Converting a certificate to DER is part of getting it into a Java keystore, but it's not the whole process. After converting to DER, use the keytool -import command to add the DER certificate to the keystore. The converter handles the format step; the keystore import is a separate Java tool operation.

Why Use a Certificate Format Converter Online

The standard way to convert certificate formats is OpenSSL: openssl x509 -in cert.pem -outform DER -out cert.der. This requires OpenSSL installed and knowing the right flags for each conversion direction. On Windows, OpenSSL isn't installed by default, and on any machine the command varies by conversion type. A browser tool handles all directions with a simple dropdown and works on any OS without installation.

Developers setting up Java applications, Windows servers, or IIS encounter format conversion as a routine step that shouldn't take more than a minute. Security teams auditing configurations on unfamiliar machines need tools that work without installation. Sysadmins provisioning infrastructure for clients on-site need to be able to handle certificate format issues without asking the client to install OpenSSL. Browser-based conversion handles all these cases from any machine with a browser.

Frequently Asked Questions about SSL Certificate Format Converter

Yes. All conversion happens in your browser using JavaScript β€” no data is sent to any server. Certificates contain only public information (domains, public key, issuer, validity dates), so there is no sensitive data in a certificate file. The private key is a separate file and is never part of the certificate. You can safely paste or upload certificate files here without any security concern.

DER certificates typically use .der, .cer, or .crt file extensions β€” but .crt and .cer can also be PEM format. The extension alone doesn't determine the format. To tell them apart: open the file in a text editor. PEM starts with -----BEGIN CERTIFICATE-----. DER is binary and the text editor will show garbled or non-printable characters. Always check the actual content, not just the extension, before selecting the input format.

No. This tool is for certificates only β€” X.509 public certificate files that contain a public key, issuer, and validity information. Private keys (PEM files starting with -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----) are not supported. For private key format conversion, use OpenSSL directly, as private keys should be handled with extra care and not processed by browser-based tools.

PEM to DER: openssl x509 -in cert.pem -outform DER -out cert.der. DER to PEM: openssl x509 -in cert.der -inform DER -out cert.pem. PEM to Base64 (strip headers): the PEM content minus the header and footer lines is already raw base64 β€” you can do this manually in a text editor. Base64 to PEM: add -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- around the base64 content with line breaks every 64 characters.

Apache and Nginx use PEM. IIS and Windows certificate stores use DER (or PFX, which is a different format combining certificate and private key). Java applications typically use DER before importing to a keystore, or PKCS12/PFX for the full keystore. HAProxy, certbot, and most Linux tools use PEM. If you're unsure, check the documentation for the specific software or platform you're configuring β€” the expected format is almost always specified in the configuration file examples.

Yes, completely free. No account, no sign-up, and no usage limits. You can convert as many certificates as you need. Because the converter runs entirely in your browser using JavaScript, there are no API costs and no premium tier.