Loading tool...
Generate Certificate Signing Requests (CSR) for SSL/TLS certificates with RSA key pairs. Submit to CAs for certificate issuance
Decode and analyze PEM-encoded X.509 SSL/TLS certificates. View subject, issuer, validity, extensions, and fingerprints
Convert images between PNG, JPG, WebP, AVIF, BMP formats. Features quality control, transparency support, and batch conversion for efficient workflow.
Convert SSL/TLS certificates, private keys, and CSRs between PEM and DER formats instantly with automatic format detection and support for all certificate types. Different tools and platforms require different certificate formats—some expect Base64-encoded PEM with readable headers, others require binary DER format. This tool eliminates format incompatibility issues by converting between these standard formats quickly. PEM (Privacy Enhanced Mail) is human-readable, Base64-encoded text with BEGIN/END headers, used by most Unix/Linux tools and web servers. DER (Distinguished Encoding Rules) is compact binary format used by Java applications, Windows systems, and some certificate managers. Drag and drop files or paste certificate content directly—the tool auto-detects format and content type. Select your desired output format and the tool generates proper PEM headers for each content type (certificate, private key, public key, CSR). All conversion happens in your browser with zero data transmission, ensuring certificate privacy.
Convert certificates between formats required by different servers (nginx/Apache want PEM, Java wants DER).
Convert PEM certificates to DER format required for importing into Java keystores and JSSE applications.
Convert binary DER files to readable PEM format for inspection and use in Unix/Linux applications.
Convert certificates to the format required by the specific application or system you're importing into.
Convert certificates between Windows (DER) and Unix/Linux (PEM) formats for cross-platform deployments.
Convert between formats to work with various SSL/TLS tools that support only specific formats.
Certificate encoding formats exist because the same cryptographic data needs to be consumed by different systems with different requirements. The underlying data structure for certificates, keys, and CSRs is defined by ASN.1 (Abstract Syntax Notation One), a formal notation for describing data structures independently of any particular encoding mechanism. ASN.1 defines the schema, while encoding rules specify how that schema is serialized into bytes. Understanding this separation between structure and encoding is key to understanding why multiple formats exist and how conversion between them works.
DER (Distinguished Encoding Rules) is the canonical binary encoding of ASN.1 structures. DER guarantees that each ASN.1 value has exactly one valid encoding, which is essential for digital signatures because the signature is computed over the exact byte sequence of the encoded data. DER files are compact and machine-efficient but cannot be embedded in text files, transmitted through systems that expect ASCII text, or easily inspected by humans. DER is the native format for Java keystores (JKS and PKCS12), Windows certificate stores, and many embedded systems. File extensions for DER-encoded data include .der, .cer, and .crt, though these extensions are not always reliable indicators of the actual encoding.
PEM (Privacy Enhanced Mail) format wraps DER-encoded binary data in Base64 encoding with distinctive header and footer lines. The header identifies the content type: -----BEGIN CERTIFICATE----- for X.509 certificates, -----BEGIN PRIVATE KEY----- for PKCS#8 private keys, -----BEGIN RSA PRIVATE KEY----- for PKCS#1 RSA keys, -----BEGIN PUBLIC KEY----- for public keys, and -----BEGIN CERTIFICATE REQUEST----- for CSRs. Originally defined in RFC 1421 through RFC 1424 for secure email (hence the name), PEM format was widely adopted for SSL/TLS because it can be safely transmitted through text-based protocols, pasted into configuration files, and visually inspected. Multiple PEM objects can be concatenated in a single file, which is how certificate chains are typically distributed.
The PKCS (Public-Key Cryptography Standards) family, originally developed by RSA Laboratories, defines several related formats. PKCS#1 defines RSA-specific key formats, while PKCS#8 defines a more general private key format that can encapsulate keys from any algorithm. PKCS#12 (also known as PFX) is a binary container format that bundles a certificate, its private key, and any intermediate certificates into a single password-protected file, commonly used for importing certificates into Windows and Java environments. Converting between these formats involves extracting the DER-encoded ASN.1 data from one container and re-encoding it for the target format, a purely mechanical transformation that does not alter the cryptographic content.
PEM is Base64-encoded with headers/footers (-----BEGIN CERTIFICATE-----), making it human-readable. DER is binary, smaller, and commonly used by Java applications.
PEM files are text with BEGIN/END headers. DER files are binary and cannot be read in a text editor. File extensions are not always reliable.
DER format has no headers to indicate content type. For PEM output, we need to know whether it's a certificate, key, or CSR to add correct headers.
All processing happens directly in your browser. Your files never leave your device and are never uploaded to any server.