Secure Sockets Layer (SSL) Certificate Converter

Certificate or bundle:

Paste PEM text, base64 DER/P7B/PFX, or drop one certificate/key file.

Drop PEM, CRT, CER, DER, P7B, PFX, P12, KEY, or TXT onto the textarea.

Output format:

Info shows details; PEM, DER, P7B, and PFX create downloadable output.

PEM line wrap:

Accepted: 16 or more characters per line.

chars

Private key:

Paste PEM private key text; leave blank for certificate-only inspection or P7B.

Passphrase:

Stored only in this browser session; leave blank for unencrypted PEM.

PKCS#12 friendly name:

Example: example.com or api-prod-2026.

Include full certificate chain:

Keep intermediates with the leaf certificate for import-ready bundles.

Include private key in PEM:

Keep off for certificate-only PEM files.

Strict base64 parsing:

Turn on to catch copied base64 corruption; leave off for whitespace-tolerant paste.

Field	Value	Copy
{{ row[0] }}	{{ row[1] }}
Nothing to show yet.

Check	Status	Detail	Copy
{{ row.area }}	{{ row.status }}	{{ row.detail }}

#	Role	Subject	Issuer	Expires	Days	Status	Public key	Copy
{{ row.position }}	{{ row.role }}	{{ row.subject }}	{{ row.issuer }}	{{ row.notAfter }}	{{ row.daysRemaining }}	{{ row.status }}	{{ row.keyProfile }}

{{ artifactPreview }}

Export to PDF Fullscreen

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

SSL certificate conversion usually starts with a packaging mismatch, not a broken certificate. One system wants PEM text, another expects DER bytes, a certificate store wants PKCS#12, and a CA handoff arrives as a PKCS#7 bundle. The certificate itself can describe the same identity in every case. What changes is the container, the encoding, and whether a private key travels with it.

This converter accepts pasted material and uploaded files, then tries to identify whether the input is PEM text, Base64 DER, PKCS#7, or PKCS#12. When it can read a certificate, it summarizes the likely leaf certificate with subject common name, issuer common name, serial number, not-before, not-after, and a whole-day days-left estimate. If a private key is parsed, the summary also shows that key material was found and whether encrypted input was successfully opened.

That makes the page useful for migration work, certificate handoffs, and first-pass review of unfamiliar files. You can inspect the material before exporting it, convert a leaf certificate to DER, keep a chain together in PEM or PKCS#7, or build a PKCS#12 file when a destination needs certificate and key in one importable bundle. The details tab, JSON tab, and CSV or DOCX exports also help when the practical job is documentation or review rather than conversion alone.

All parsing and conversion happen locally in your browser. The certificate text, private key text, passphrase, and generated output stay on your machine while the tab is open. That is still sensitive data. If you paste a private key or create a PFX file, handle the copied text and downloaded file with the same care as the original secret material.

A successful conversion only means the data could be read and re-encoded. It does not prove that the certificate chains to a trusted root, matches the intended hostname or IP address, has not been revoked, or even that the private key you supplied belongs to the certificate you exported with it.

Technical Details

The familiar phrase "SSL certificate" survives in operations, but the certificate being converted here is an X.509 certificate used by modern TLS systems. PEM is a text envelope around encoded certificate or key material. DER is a binary encoding. PKCS#7 is a certificate-oriented container that can carry one or more certificates without a private key. PKCS#12 packages certificates with a private key and optional bag attributes, which is why PFX files are common in import workflows.

The tool treats those wrappers as transport formats around a certificate chain. It tries to read the input, extract certificates, place the likely leaf certificate first, and then build the export you selected from that parsed set. The summary and downloads are driven by that parsed result, not by the original filename or extension.

Input material

PEM text, Base64 DER, PKCS#7, PKCS#12, and an optional private key

→

Parsing and ordering

Detect container type, extract certificates, and choose a likely leaf first

→

Outputs

Leaf summary, certificate details, JSON export, and converted PEM, DER, PKCS#7, or PKCS#12 output

Certificate and container families handled by the converter
Format family	What the tool can read from it	Operational meaning
PEM	Certificate blocks, PKCS#7 content, PKCS#12 content, and PEM private keys	Best when the material already exists as readable text or a pasted bundle
Base64 DER or binary upload	Single X.509 certificate first, then PKCS#7, then PKCS#12	Useful when a file or pasted blob is binary or only looks like raw encoded bytes
PKCS#7	One or more embedded certificates	Good for chain transport when you want certificates together without a private key
PKCS#12	Certificate bags plus the first available private key bag	Common import bundle for certificate plus key workflows

PEM handling is block-based, so one pasted text input can contain several certificate blocks, an embedded PKCS#7 or PKCS#12 structure, and a private key. For text-style output the wrap width defaults to 64 characters, which aligns with the standard PEM line width, but the tool lets you choose another width as long as it is at least 16 characters. The strict Base64 option changes a separate part of the flow: when it is off, stray non-Base64 characters are stripped before decode; when it is on, the decoder uses the supplied text as-is and fails sooner on noisy input.

Export behavior by selected output
Selected output	What gets emitted	Important limit
Info	Summary table plus JSON export	No converted certificate file is generated
PEM	Leaf certificate or full chain, with an optional appended private key	If you provide only a private key, PEM output is available only when key inclusion is enabled
DER	The first ordered certificate as binary DER	Only one certificate is exported, never the full chain
PKCS#7	The selected certificate set as PEM or DER `.p7b`	No private key is added
PKCS#12	The selected certificate set plus a parsed private key as `.pfx`	Both a certificate and a private key must be present

days_left = ceil((notAfter - current_time) / 86,400,000)

The days-left badge is therefore an operational counter, not a formal certificate field. Because it rounds up, a certificate that expires later today still shows 1 day left, and a certificate that expired less than one day ago can still show 0. Negative values appear only after the expiry time is more than a day in the past.

Private key handling is intentionally narrower than certificate handling. The page accepts PEM private keys, including encrypted PKCS#8 and encrypted RSA private keys when you supply the correct passphrase. For PKCS#12 export it can store a friendly name and use that label, after filename-safe cleanup, as the downloaded .pfx name. What it does not do is confirm that the supplied private key matches the certificate's public key, so that final compatibility check still belongs to you.

Everyday Use & Decision Guide

Start with the destination, not the source. Certificate conversion is usually about satisfying the import rules of the next system in the chain. If the destination wants readable text or you may need to review the bundle by eye, PEM is the safest first choice. If the destination wants one raw binary certificate, DER is the right fit. If the destination accepts a certificate bundle but must not receive a private key, use PKCS#7. If the destination expects certificate and key together, use PKCS#12.

The full-chain switch matters more than many people expect. Leave it on when you want the leaf certificate to travel with its intermediates in PEM, PKCS#7, or PKCS#12. Turn it off only when the receiving system wants the leaf certificate alone or already has the intermediate chain installed elsewhere. DER export is simpler because it always writes the first ordered certificate only.

Use Info first when you are unsure what you received. The summary is the fastest way to confirm subject, issuer, serial number, validity window, and whether key material parsed at all.
Use PEM when copy-and-paste workflows matter. It is the only output that can append the private key directly to the certificate text.
Use PKCS#7 when you need certificates only. It keeps the chain together without exposing or embedding a private key.
Use PKCS#12 for import wizards and certificate stores. Add a friendly name if you want a clearer label in the imported bundle.
Keep passphrases scoped to the job in front of you. The same passphrase field is used both for reading encrypted input and for protecting PKCS#12 output.

The extra export tabs are useful when the conversion is part of a larger handoff. CSV and DOCX exports give you a quick audit trail for the visible summary. JSON is better when another person or script needs structured facts about the parsed certificate and the selected output settings.

Step-by-Step Guide

Paste the certificate material into the input box or upload a file. Text uploads such as .pem, .crt, .cer, .key, and .txt are read as text, while other uploads are inspected as binary data.
If the conversion may need a private key, open the advanced options and paste the key separately. Provide a passphrase when the input key or PKCS#12 file is encrypted.
Read the summary before choosing an output. Confirm the detected input type, subject common name, issuer common name, and validity dates so you do not repackage the wrong certificate.
Choose the target output format. Use Info for inspection only, PEM for text output, DER for a single binary certificate, PKCS#7 for a certificate-only bundle, or PKCS#12 for certificate plus key.
Adjust the options that actually change the export: full chain on or off, private key included in PEM or not, strict Base64 parsing when input quality is questionable, PEM wrap width for text output, and a friendly name for PKCS#12 when you want a labeled bundle.
Use the details and JSON tabs if you need review evidence, then use the converted-output controls to copy or download the final payload.

Interpreting Results

The first thing to read is the difference between detection and meaning. The detected-input badge tells you how the material was recognized, such as PEM or Base64. The type label tells you what the parsed content appears to be, such as a PEM bundle, PKCS#7 container, or PKCS#12 bundle. Neither label says anything about trust, hostname coverage, or whether the certificate belongs in your environment.

The summary fields are best treated as a quick identity check. Subject common name and issuer common name help you spot obvious surprises, but they are not a full certificate audit. Modern TLS service identity checks rely on the certificate identifiers defined for that purpose and on full certification-path validation. A conversion that looks clean in this tool can still fail in a browser, load balancer, or client library.

A positive days-left value is a rounded operational estimate. It is useful for triage, but it is not a replacement for reading the exact not-after timestamp.
A key badge only confirms successful key parsing. It does not confirm that the private key matches the certificate.
Parser notes usually point to bad passphrases or unsupported structure. That is especially common with encrypted key material and PKCS#12 imports.
Binary formats still show text in the output pane. For DER, PKCS#7 DER, and PKCS#12, the visible output is a Base64 representation of the binary bytes. The download button writes the actual binary file.

If you are close to a renewal deadline, trust the exact timestamps more than the rounded counter. If you are packaging certificate and key together, verify the key match separately before import. If you are preparing a public-facing service, finish with a real chain and hostname validation step after conversion.

Worked Examples

Building a PFX file for a certificate-store import

A team receives a PEM certificate chain from a CA and already has the matching PEM private key. They paste the certificate bundle, add the private key in the advanced section, keep full-chain export enabled, choose PKCS#12, and set a friendly name that matches the service hostname. The result is a single .pfx file that is easier to import into systems that expect certificate and key together.

Extracting one certificate from a chain bundle

A device import only accepts a single DER certificate, but the available file is a chain-style bundle. After the bundle is parsed, the tool orders the certificates so the likely leaf comes first. Choosing DER writes just that first certificate as binary output, which is often exactly what embedded devices and APIs expect.

Checking an unfamiliar blob before deployment

An administrator is handed a file with no trustworthy extension and no explanation. They upload it, review the detected type and summary fields, and confirm that the issuer and validity window match the intended service before exporting anything. That quick inspection step prevents a very common mistake: repackaging the wrong certificate simply because the format conversion appeared to succeed.

FAQ:

Does the page send my certificate or private key anywhere?

No. The conversion logic runs locally in your browser, and the tool makes no network requests while parsing, summarizing, or exporting the certificate material.

Can it open password-protected PFX files or encrypted PEM private keys?

Yes, when the input uses one of the supported formats and you provide the correct passphrase. If the passphrase is wrong or the structure is unsupported, the tool keeps the failure visible in its notes instead of producing a silent bad export.

Will PKCS#7 output ever include a private key?

No. PKCS#7 output in this tool is certificate-only. If you need certificate and key together, use PEM with key inclusion enabled or build a PKCS#12 file.

Why do DER or PKCS#12 results look like Base64 text in the output pane?

The visible output pane shows a text representation of the binary bytes so you can inspect or copy them. The download action writes the real binary .der, .p7b, or .pfx file.

Does it verify that the private key matches the certificate?

No. It can parse both pieces and bundle them together, but it does not compare the certificate's public key with the supplied private key.

Does a matching common name mean the certificate is ready for a public TLS service?

No. The common name is only a quick label in the summary. Real service-identity checks depend on the certificate identifiers intended for hostname or address matching and on full path validation.

Glossary:

X.509 certificate: A structured certificate format that binds a subject identity to a public key for a defined validity period.
PEM: A text envelope that carries Base64-encoded certificate or key material between BEGIN and END markers.
DER: A binary ASN.1 encoding often used when a system expects one certificate as raw bytes rather than as text.
PKCS#7: A container syntax commonly used to distribute one or more certificates together without embedding a private key.
PKCS#12 / PFX: A bundle format that can carry certificates, a private key, and optional attributes such as a friendly name.
Leaf certificate: The end-entity certificate presented for a service or device, as opposed to an intermediate or root certificate in the chain.

References:

RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, IETF, May 2008.
RFC 7468: Textual Encodings of PKIX, PKCS, and CMS Structures, IETF, April 2015.
RFC 7292: PKCS #12: Personal Information Exchange Syntax v1.1, IETF, July 2014.
RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5, IETF, March 1998.
RFC 9525: Service Identity in TLS, IETF, November 2023.