Logo

MonoCalc

/

PEM ↔ DER Converter

Encode/Decode
PEMDER

PEM → DER

PEM Input

PEM Format

Base64-encoded text with BEGIN/END headers. Human-readable, safe for email and config files. Used by OpenSSL, Apache, Nginx, and most Unix tools.

Extensions: .pem .crt .cer .key

DER Format

Compact binary ASN.1 encoding. Machine-readable only, not printable. Required by Java KeyStore (JKS), Windows CertMgr, and many CA portals.

Extensions: .der .cer .crt

About This Tool

🔐 PEM ↔ DER Converter – Bidirectional Certificate Format Conversion

Cryptographic assets — X.509 certificates, RSA/EC private keys, public keys, certificate signing requests (CSRs), and certificate revocation lists (CRLs) — are stored and transmitted in two dominant binary serialization formats: PEM and DER. This tool converts between them instantly, entirely in your browser, with no data ever leaving your device.

What is PEM Format?

PEM (Privacy Enhanced Mail) is a Base64-encoded ASCII text representation of DER-encoded binary data. A PEM file wraps the Base64 payload between recognizable header and footer lines:

-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUYx...
-----END CERTIFICATE-----

PEM is the default format for OpenSSL, Apache, Nginx, and most Unix-based tools. Because it is plain ASCII text, it can be safely copy-pasted into configuration files, sent over email, and stored in source control.

What is DER Format?

DER (Distinguished Encoding Rules) is the binary wire format defined by the ASN.1 standard. It is compact and machine-readable, but not human-readable — a DER file opened in a text editor will show binary noise. DER is required by Java KeyStore (keytool), Windows Certificate Manager, many CA certificate submission portals, and embedded/IoT platforms.

When Do You Need to Convert?

Common situations requiring a PEM ↔ DER conversion include:

  • Java / Android developmentkeytool and JKS keystores require DER-encoded certificates.
  • CA portal submissions — some certificate authorities accept only DER-format CSRs.
  • Windows environmentscertutil and IIS often produce or consume .cer / .der binary files.
  • Embedded & IoT systems — memory-constrained devices prefer compact DER over the larger Base64 PEM form.
  • Interoperability — when a tool produces PEM but the next step in a pipeline expects DER (or vice versa).

How the Conversion Works

PEM → DER: The tool strips the -----BEGIN-----/-----END----- header lines, concatenates the remaining Base64 lines, and Base64-decodes the result to produce the raw binary DER bytes.

DER → PEM: The binary bytes are Base64-encoded in 64-character (or 76-character) lines, then wrapped with the appropriate -----BEGIN [TYPE]----- and -----END [TYPE]----- headers derived from the detected or user-specified data type.

Supported Input Modes for DER

Because DER is binary, the tool supports three ways to provide DER input without uploading a file:

  • Hex Text — paste the bytes as a continuous, colon-separated, or space-separated hex string (e.g., 3082034b 30820233 ...).
  • Base64 (no headers) — paste the raw Base64 of the DER bytes without any PEM -----BEGIN----- wrapper.
  • File Upload — upload a binary .der, .cer, or .key file directly.

Certificate Chain Support

PEM files often contain multiple concatenated blocks — a full certificate chain including leaf, intermediate, and root CA certificates. The converter automatically detects multiple -----BEGIN----- blocks and offers each one as a separate downloadable DER file.

OpenSSL Equivalent Command

For power users, the tool always displays the equivalent openssl CLI command for the current conversion. For example, to convert a PEM certificate to DER:

openssl x509 -in cert.pem -outform DER -out cert.der

And to reverse (DER to PEM):

openssl x509 -in cert.der -inform DER -out cert.pem

Privacy & Security

All conversion logic runs entirely in your browser. No certificate data, private key material, or file content is sent to any server. It is safe to use with production certificates, sensitive keys, and internal infrastructure assets.

Frequently Asked Questions

Is the PEM ↔ DER Converter free?

Yes, PEM ↔ DER Converter is totally free :)

Can I use the PEM ↔ DER Converter offline?

Yes, you can install the webapp as PWA.

Is it safe to use PEM ↔ DER Converter?

Yes, any data related to PEM ↔ DER Converter only stored in your browser (if storage required). You can simply clear browser cache to clear all the stored data. We do not store any data on server.

What is the difference between PEM and DER formats?

PEM (Privacy Enhanced Mail) is a Base64-encoded, human-readable ASCII text format wrapped in -----BEGIN ...-----/-----END ...----- headers. DER (Distinguished Encoding Rules) is a compact binary encoding of the same ASN.1 data — machine-readable but not human-readable. Both carry identical cryptographic information; only the serialization differs.

How does the PEM ↔ DER Converter work?

For PEM → DER the tool strips the header/footer lines, removes whitespace, and Base64-decodes the body to produce raw binary bytes. For DER → PEM it Base64-encodes the binary (or hex/Base64 input) in 64-character lines and wraps the result with the appropriate BEGIN/END header. All processing runs entirely in your browser — no data is sent to any server.

Which file types and data types are supported?

The converter supports X.509 certificates (.pem, .crt, .cer, .der), RSA/EC/DSA private and public keys (.key, .p8), certificate signing requests (.csr), and certificate revocation lists (.crl). File extensions accepted for upload include .pem, .crt, .cer, .der, .key, .csr, and .p8.

How can I provide DER input when I don't have a binary file?

Switch to the Hex tab and paste the DER bytes as a continuous or colon/space-separated hex string (e.g., 3082034b…). You can also switch to the Base64 tab and paste the raw Base64 without any PEM headers. The tool will decode the bytes and convert them to PEM.

Is my certificate or private key kept private?

Yes — all conversion logic runs locally in your browser using the Web Crypto API and node-forge. No certificate data, key material, or file content is ever transmitted to a server.

What does the OpenSSL command reference show?

Below the output area the tool displays the equivalent openssl CLI command for the current conversion (e.g., openssl x509 -in cert.pem -outform DER -out cert.der). You can copy it directly to reproduce the conversion in a terminal.