Secure Sockets Layer (SSL) Certificate Converter

Field	Value	Copy
{{ row[0] }}	{{ row[1] }}
Nothing to show yet.

Digital certificates are structured identity documents for secure connections. They state who a public key belongs to and when that statement is valid. This page reads a certificate and turns it into clear facts so you can check identity and expiry without guesswork.

You provide a certificate as pasted text or a file and then choose a result view. The summary shows the common name for the subject and issuer, the serial number, the not before and not after dates, and the days remaining. Many teams search for a simple certificate converter that explains these details without noise.

When a certificate arrives in a different encoding you can convert it for another system with the same content. Pick PEM or DER and set the line wrap for PEM if you need to match a house style. You can also copy a compact JSON snapshot or download a CSV for quick notes.

Use realistic samples and confirm results with a second source when the stakes are high. Format validity does not prove that a certificate is trusted or active.

Technical Details:

X.509 certificates are signed data structures that bind an identity to a public key for a stated period. The engine extracts the Common Name (CN) for the subject and issuer, the serial number in hexadecimal, and the validity window named Not Before and Not After.

From those dates it computes a countdown that is easy to read. The days remaining value is the whole day count from now to the Not After moment with rounding up, so a half day remaining reports one day.

\begin{array}{l} d & = & ⌈ \frac{t_{na} - t_{now}}{86400000} ⌉ \end{array}

Symbols and units
Symbol	Meaning	Unit/Datatype	Source
t_now	Current timestamp when parsed	ms since epoch	Derived
t_na	Not After timestamp	ms since epoch	Parsed
d	Days remaining	integer day(s)	Derived
Δt	Time difference (t_na − t_now)	ms	Derived

Worked example. Suppose t_now is 2025‑10‑14 10:00:00 and t_na is 2025‑10‑14 10:30:00 (UTC). The difference is 1 800 000 ms.

\begin{array}{l} d & = & ⌈ \frac{1800000}{86400000} ⌉ \\ = 1 \end{array}

Interpretation: the certificate expires later today, so the countdown reports 1 day.

Dates are shown in Coordinated Universal Time with second precision. A negative value means the Not After moment is already in the past.

Processing pipeline:

Detect input as PEM, Base64, or Binary based on content.
Normalize to raw DER bytes.
Parse certificate fields and extract CNs, serial, and validity.
Compute days remaining from the validity end.
Render an info table and JSON; optionally convert to PEM or DER.

Variables & parameters:

Parameters and meanings
Parameter	Meaning	Unit/Datatype	Typical Range	Notes
outputFormat	Target format selection	enum	info, pem, der	Info shows fields; PEM and DER emit encoded output.
pemWrap	Line width for PEM body	integer	16 to any	Neutral default 64 characters per line.
strictB64	Reject non‑Base64 characters when decoding	boolean	false or true	When off, non‑alphabet noise is stripped before decoding.

Units, precision & rounding:

Countdown uses whole days with rounding up from fractional days.
Validity timestamps are displayed in UTC, to the nearest second.
Serial numbers are rendered as uppercase hexadecimal.

Validation & bounds from the implementation:

Validation rules and limits
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
Input text	string	—	—	PEM markers, or Base64 letters with length multiple of 4; otherwise treated as binary	Strict parsing error; Parse or conversion error	Paste PEM, base64, or raw…
Output format	enum	—	—	info / pem / der	—	—
PEM wrap	number	16	—	step 1	—	—
Strict Base64	boolean	0	1	Reject any non‑alphabet characters when on	Strict parsing error	—
PEM chain handling	notice	—	—	If multiple blocks are present, only the first is parsed	—	—

I/O formats & encoding:

Accepted inputs and outputs
Input	Accepted Families	Output	Encoding/Precision	Rounding
Paste	PEM block, Base64 body, raw binary string	Info table, JSON, PEM, DER	PEM wrap width configurable; DER download as octet‑stream	Days rounded up to integer
Upload / drop	.pem, .crt, .cer, .der, .txt	Same as above	Binary files read as bytes; text files read as text	Days rounded up to integer

Networking & storage:

All parsing and conversion occur in your browser. No data is transmitted or stored server‑side.

Performance & complexity:

Processing is linear in input size. Large byte arrays are chunked when rendering to text to keep the interface responsive.

Diagnostics & determinism:

Given the same input and settings, outputs are identical. Errors report as strict parsing errors or generic parse and conversion errors.

Security considerations:

Field extraction does not verify signatures or trust chains.
Do not paste secrets or private keys; only certificates are intended.
Days remaining is a convenience indicator and not a compliance decision.

Assumptions & limitations:

Only the first item of a multi‑block PEM chain is parsed and shown.
Only CN fields, serial, and validity dates are surfaced; SANs are not displayed.
DER shown in the Output tab is binary and not human‑readable.
PEM conversion uses the label CERTIFICATE for emitted blocks.
Countdown uses the current device clock; incorrect system time skews results.
Base64 detection expects length divisible by four after whitespace removal.
When strict Base64 is off, non‑alphabet characters are stripped before decode.
Heads‑up Pasting arbitrary binary text may misrepresent bytes; prefer file upload for DER.
Heads‑up Negative days indicate an already expired certificate.

Edge cases & error sources:

Non‑ASCII bytes pasted into the text box can corrupt binary input.
Base64 with stray characters fails when strict mode is enabled.
PEM blocks without matching end markers are rejected.
Certificates not encoded as X.509 will fail to parse.
Very large DER files may be slow to render into text areas.
Zero‑length input produces no results and no output.
Not Before in the future yields positive days even though it is not yet valid.
Device clocks set far from UTC produce surprising countdowns.
Chained PEM with mixed item types may detect a length but only the first is parsed.
Malformed headers or injected whitespace in PEM bodies can break decoding.
Clipboard blocking by the platform prevents one‑click copy actions.
Download permissions or sandboxing may block file saves.

Privacy & compliance:

No data is transmitted or stored server‑side. Outputs are for engineering checks and do not constitute security approval.

Step‑by‑Step Guide:

Certificate inspection and format conversion in a few steps.

Paste a certificate or drop a file into the input area PEM / Base64 / DER.
Check the detected type readout to confirm the input family.
Select the target Output format; for PEM, set PEM wrap if needed.
Enable Strict Base64 when cleaning is undesirable.
Review the summary table or switch to the JSON or Output tabs.
Copy or download the result for your workflow.

Example. Paste a server certificate in PEM, pick DER, and download the certificate.der file for a system that accepts binary only.

You now have a readable summary and a correctly encoded file ready for use.

FAQ:

Is my data stored?

No. Parsing and conversion happen in your browser and nothing is sent to a server or kept after the page is closed.

Use non‑sensitive samples whenever possible.

What fields are shown?

Subject CN, Issuer CN, Serial (hex), Not Before, Not After, and Days remaining. A detected chain length is noted when present.

How accurate is the countdown?

It rounds up to whole days using your device clock and UTC timestamps. Values near zero can flip as time passes or if the device time is off.

Which formats are supported?

PEM and DER. Base64 bodies are accepted and decoded. For multi‑block PEM input, only the first item is parsed and displayed.

Can I work offline?

Yes, after the page loads. All work is performed locally without network calls during parsing or conversion.

Why does DER look unreadable?

DER is binary. Use the download action to save a proper file; the text view is a raw byte rendering for completeness.

How do I validate a CSR?

This tool inspects certificates. It does not parse or validate CSRs. Use a dedicated CSR utility for that workflow.

What about cost or licensing?

Availability and licensing are determined by the host application. This description does not set pricing or usage terms.

Troubleshooting:

“Strict parsing error” — turn off strict Base64 or clean the input.
“Parse or conversion error” — confirm the input is an X.509 certificate.
PEM detected but empty output — ensure both begin and end markers are present.
DER download fails — allow file downloads for this site in your browser.
Clipboard copy does nothing — grant clipboard permission or use the download buttons.
Dates look off — verify your device time and time zone.
Chain count shown but data missing — only the first item is parsed by design.

Blocked downloads or clipboard access can stop exports entirely. Use manual select and copy as a fallback, or try another browser profile.

Advanced Tips:

Tip Keep PEM wrap at 64 for neutral compatibility unless a system specifies another width.
Tip Use the JSON view to script quick checks in other tools.
Tip Prefer file upload for DER to avoid byte corruption from text paste.
Tip Turn on strict Base64 to catch hidden characters when debugging odd failures.
Tip When chains are involved, paste one certificate at a time to examine each element.
Tip Treat negative day counts as expired and schedule renewal checks earlier than the cutoff.

Glossary:

X.509 certificate: A signed structure binding an identity to a public key and validity period.
Common Name (CN): A human‑readable identifier inside the subject or issuer fields.
Serial number: An issuer‑assigned identifier shown here in uppercase hexadecimal.
Not Before: The earliest moment when the certificate is intended to be valid.
Not After: The moment when intended validity ends.
Days remaining: Whole days from now to Not After, rounded up.
PEM: Textual form with header, footer, and Base64‑encoded body.
DER: Binary form of the certificate structure.
Chain: A sequence of certificates, typically end‑entity then issuer(s).
UTC: Time standard used here for displayed timestamps.