| Field | Value | Copy |
|---|---|---|
| {{ row[0] }} | {{ row[1] }} | |
| Nothing to show yet. | ||
Transport Layer Security certificates are identity records for encrypted connections. They bind a public key to a subject name and validity dates, but the same certificate can travel in several different containers and encodings. This converter is useful when the certificate itself is fine and the real problem is that another system expects the material in a different wrapping.
The page accepts pasted text, uploads, and dropped files. It can read PEM blocks, base64 DER input, PKCS#7 bundles, and PKCS#12 bundles, then summarize the likely leaf certificate with subject common name, issuer common name, serial number, not-before and not-after timestamps, and a whole-day countdown to expiry. If a private key is present or supplied separately, the summary also shows whether the key parsed cleanly.
That covers the handoff cases administrators run into all the time: a reverse proxy wants PEM, a certificate store wants PFX, a chain needs to be handed over as P7B, or an unfamiliar blob needs to be inspected before anyone imports it. The tool can also keep the full chain together for PEM, PKCS#7, and PKCS#12 exports, which matters when an intermediate certificate needs to travel with the leaf.
For this slug the parsing and conversion stay in the browser. There is no server-side helper file, so the certificate text, key text, passphrase, and generated output are handled on the client side while the page is open. That still does not make private keys casual data. If you paste a key, treat the resulting exports with the same care you would give the original file.
A successful conversion is only a format result. It does not prove that the certificate chains to a trusted root, that the hostname is right for your service, or that the certificate has not been revoked.
Most certificate conversion work is less about cryptography than about matching the packaging a destination expects. This tool is at its best when you already have the certificate material and need to repackage or inspect it without opening a command-line workflow.
When the input is messy, the Detected field and parser notes are often more useful than the export itself. They tell you whether the page read PEM text, base64 DER, a PKCS#7 bundle, a PKCS#12 bundle, or something it could not confidently classify.
The common label "SSL certificate" survives in everyday operations, but the parsed certificate here is an X.509 certificate. The tool reads container formats around that certificate, extracts a small set of high-value identity and validity fields, and then re-encodes the material into the output family you choose.
| Format family | How the tool reads it | What it can emit |
|---|---|---|
| PEM | Scans PEM blocks for certificates, PKCS#7 content, PKCS#12 content, and private keys | PEM, DER, PKCS#7, PKCS#12, info table, JSON |
| Base64 DER | Decodes the body, then tries X.509 first, PKCS#7 next, and PKCS#12 after that | Same export set as above once parsing succeeds |
| PKCS#7 | Extracts contained certificates as a chain-style bundle | PEM, DER leaf export, PKCS#7 PEM or DER, info table, JSON |
| PKCS#12 | Extracts certificate bags and the first available private key bag | PEM, DER leaf export, PKCS#7, PKCS#12, info table, JSON |
The parser treats PEM input as block-oriented text. A PEM upload can therefore contain a certificate bundle, an embedded PKCS#7 or PKCS#12 structure, a private key, or a mix of those blocks. Base64 DER input follows a simpler path: the text is decoded to bytes and then tested against the supported ASN.1 structures in order.
When multiple certificates are present, the tool tries to order the chain so the likely leaf certificate appears first. It does that by comparing subject and issuer distinguished names and picking a certificate whose subject is not itself listed as another certificate's issuer. The summary card, certificate table, and default DER export all follow that first ordered certificate.
The displayed countdown is a convenience value rather than a standards field. It is calculated as the ceiling of the time gap between the parsed Not After timestamp and the current time, measured in 86,400,000 millisecond days. That means a certificate expiring later today still shows 1 day remaining until the expiry moment has passed.
| Selected output | What the tool includes | Important condition |
|---|---|---|
| Info | Certificate detail table and JSON payload | No file conversion is emitted |
| PEM | Leaf certificate or full chain, with optional appended private key | If no certificate is parsed, key-only PEM is possible only when a private key is present and the key-in-PEM option is enabled |
| DER | Binary export of the first ordered certificate | Chain members beyond the first are not included |
| PKCS#7 | Selected certificate set as PEM or DER .p7b |
No private key is added |
| PKCS#12 | Selected certificate set plus private key as binary .pfx |
Both certificate and private key must be present before export |
The PEM wrap control affects only PEM-style text output. The shipped logic floors the wrap width to an integer and never allows a value below 16, falling back to 64 characters when the input is missing or invalid.
Strict base64 parsing changes how noisy DER text is handled. With the option off, non-base64 characters are stripped before decoding. With it on, the page attempts to decode the supplied text as-is, so stray characters are more likely to produce an explicit parse failure instead of being silently ignored.
Private key handling is intentionally narrower than certificate handling. The tool accepts PEM-encoded private keys, including encrypted PKCS#8 and encrypted RSA private keys when you provide a passphrase. For PKCS#12 export it writes the bundle with an AES-128 option, and if you provide a friendly name the tool stores that label in the PKCS#12 output and also uses a sanitized form of it for the downloaded filename.
The interface exposes CSV, DOCX, and JSON exports for the parsed summary in addition to the converted certificate payload itself. That is useful when the practical task is documentation or review rather than re-encoding.
.pem, .crt, .cer, .key, and .txt are read as text, while binary uploads are converted to base64 first so the parser can inspect them.Detected field before exporting. That confirms whether the page read a single certificate, a PEM bundle, PKCS#7 content, PKCS#12 content, or something it could not classify.Info when you only need inspection, PEM or DER for certificate conversion, PKCS#7 for a certificate-only bundle, and PKCS#12 when a certificate and key must travel together.Advanced if you need to paste a private key, provide a passphrase, add a PKCS#12 friendly name, limit export to the leaf certificate, or append the key to PEM output.Certificate Details and JSON when you want structured review output, then use Converted Output to copy or download the actual emitted payload.A clean run should leave you with both a converted file and enough summary information to verify that you did not repackage the wrong certificate.
The most useful output is often the combination of the parsed summary and the selected export mode. The summary tells you what the page believes it found, while the output mode tells you how that material will be re-encoded.
Detected says PEM or Base64, that describes the input path, not the certificate's trust status.PKCS#12 or PKCS#7, the tool extracted certificates from a bundle container rather than from a bare single-certificate file.Days left is negative, the parsed Not After date is already in the past.Do not read a smooth conversion as a complete certificate audit. Trust chains, revocation, hostname matching, key usage, and application-specific import requirements still need their own checks.
No server-side helper is shipped for this slug. The parsing, inspection, and conversion logic run in the browser, and there is no lambda.mjs file attached to this tool.
Yes, when the format matches the supported PKCS#12 or PEM key paths and you provide the correct passphrase. If the passphrase is wrong or the key format is unsupported, the parser surfaces an error or a note instead of emitting output.
No. DER export writes the first ordered certificate only. If you need the full chain, use PEM, PKCS#7, or PKCS#12 with chain inclusion enabled.
No. The tool reads and repackages certificate material. It does not perform trust-store validation, revocation checking, or hostname matching.