Convert certificates and keys between PEM (Base64) and DER (binary) formats. Supports certificates, keys, and CSRs
Convert certificates and keys between PEM (Base64 text) and DER (binary) formats. Some servers and tools require one format; others require the other. Drop a file in, pick the target format, and download the converted result.
Initializing in your browser…
Generate Certificate Signing Requests (CSR) for SSL/TLS certificates with RSA key pairs. Submit to CAs for certificate issuance
Decode and analyze PEM-encoded X.509 SSL/TLS certificates. View subject, issuer, validity, extensions, and fingerprints
Convert images between PNG, JPG, WebP, AVIF, BMP formats. Features quality control, transparency support, and batch conversion for efficient workflow.
A Java keytool import rejects your .pem file because it wants binary DER, and you need to convert without installing OpenSSL.
Input
certificate.pem (Base64 text, "-----BEGIN CERTIFICATE-----")
Output
certificate.der (binary, 1,214 bytes) First bytes: 30 82 04 BA 30 82 03 A2 … (DER SEQUENCE) Direction is reversible: drop a .der back in to get PEM.
PEM and DER hold the same X.509 data: DER is the raw ASN.1 binary, and PEM is just that binary Base64-encoded and wrapped in `-----BEGIN-----` headers. Some tools (Java keystores, certain embedded stacks) accept only one form. The converter strips or adds the Base64 armor in your browser, no key material is uploaded.
Convert certificates and keys between PEM (Base64 text) and DER (binary) formats. Some servers and tools require one format; others require the other. Drop a file in, pick the target format, and download the converted result.
PEM and DER are two encodings of the same X.509/PKCS data, and this converter treats the relationship literally: a DER blob is the canonical ASN.1 binary encoding, and a PEM file is that exact same binary, Base64-encoded and wrapped in -----BEGIN .../-----END ... armor lines. Conversion is therefore lossless in both directions and does no cryptographic work - PEM-to-DER strips the header/footer lines and runs the remaining Base64 through atob() to recover the raw bytes, while DER-to-PEM Base64-encodes the bytes with btoa() and re-wraps them. The PEM output is re-flowed to the standard 64-character line width (via a /.{1,64}/g split), so the result matches the formatting OpenSSL and most tooling expect rather than one long unbroken line.
Format detection is automatic and based on real structural cues. Text input containing -----BEGIN is treated as PEM; otherwise the tool Base64-decodes it and checks whether the first byte is 0x30, the ASN.1 SEQUENCE tag that every DER certificate, key, and CSR begins with - the same 0x30 check is applied to raw binary input. For PEM input the content type is read straight from the armor label: CERTIFICATE maps to an X.509 Certificate, PRIVATE KEY / RSA PRIVATE KEY / EC PRIVATE KEY to a Private Key, PUBLIC KEY / RSA PUBLIC KEY to a Public Key, and CERTIFICATE REQUEST / NEW CERTIFICATE REQUEST to a CSR. Because a bare DER file carries no such label, when you convert DER to PEM you pick the type yourself from the Certificate / Private Key / Public Key / Certificate Signing Request buttons, which decides which BEGIN/END header gets written. Note that the tool only swaps the label text - it does not parse the key internally, so a PKCS#1 vs PKCS#8 private-key structure is preserved as-is and you must choose the label that genuinely matches your data.
Input arrives by drag-and-drop, file browse, or pasting text, and the file reader branches on extension: .pem, .crt, .key, and .csr files are read as text (UTF-8), while anything else (e.g. .der, binary .cer) is read as an ArrayBuffer so the raw bytes survive intact; the picker accepts .pem, .der, .crt, .cer, .key, and .csr. Output handling reflects each format's nature - DER is binary, so the on-screen textarea shows it as Base64 for readability with a note to download for the actual binary file, and the Download button writes a real Blob with the application/x-x509-ca-cert MIME type. Filenames are chosen from the content type: DER downloads become converted.der for certificates, converted.key for private keys, or converted.bin otherwise; PEM downloads become converted.crt, converted.key, converted.csr, or converted.pem. This is exactly the format split you hit in practice - Java keytool and many Windows tools want DER (.cer/.der), whereas nginx, Apache, and OpenSSL want PEM - and all of it runs in the browser with no upload.
Convert PEM certificates to DER format for import into Java KeyStore (JKS) files.
Convert between formats when working with the Windows Certificate Manager, which often expects DER.
Convert certificates to the format required by embedded devices with limited format support.
PEM is Base64-encoded text wrapped in -----BEGIN/END----- markers. DER is the raw binary encoding. They contain the same data, just represented differently.
If you can open the file in a text editor and see -----BEGIN CERTIFICATE-----, it's PEM. If it's unreadable binary, it's DER.
This runs as client-side JavaScript. Keys, tokens, payloads, and other inputs never leave your device.