Base64 Certificate Decoder
Decode, re-wrap, and convert Base64 / PEM certificates in your browser. Strip or add the -----BEGIN CERTIFICATE----- armor, fix 64-column line wrapping, and download the raw DER bytes. For full field decoding (subject, issuer, validity), use the one-line openssl command shown below. Nothing is uploaded.
How to decode a Base64 certificate
Paste your certificate into the box above — either a full PEM block (with the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- armor) or just the raw Base64 body. Then pick a conversion:
- Strip to raw Base64 removes the armor lines and all whitespace, leaving one continuous Base64 string — handy for embedding in JSON, YAML, or an environment variable.
- Wrap as PEM takes raw Base64, re-wraps it at 64 columns, and adds the
-----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----headers to produce a valid PEM file. - Download .der Base64-decodes the body and saves the raw binary DER as
certificate.der.
The tool also sanity-checks your input: if it contains BEGIN CERTIFICATE or decodes to bytes starting with the DER SEQUENCE header (0x30 0x82), the status confirms it looks like an X.509 certificate. What it does not do is parse the fields — the Base64 body decodes to binary DER, not readable text, so to see the subject, issuer, and expiry you use the openssl command below.
PEM vs DER vs Base64
These three are the same certificate at different layers, which is the source of most confusion. DER is the raw binary ASN.1 encoding. Base64 is that DER encoded into printable text. PEM is Base64 wrapped at 64 columns with header/footer armor added. In other words: PEM = Base64 of DER + armor.
| Format | What it is | Looks like | Use for |
|---|---|---|---|
| DER | Raw binary ASN.1 bytes | Non-printable; starts with 30 82 | Java keystores, Windows, compact storage |
| Base64 | DER encoded as text | MIIDdzCCAl+g... (one blob) | Embedding in JSON, env vars, config |
| PEM | Base64 + 64-col wrap + armor | -----BEGIN CERTIFICATE----- … | OpenSSL, nginx, Apache, most tooling |
So "converting a certificate" usually means moving between these three representations — which is exactly what the buttons above do. PEM is already Base64; see Base64 Encode SSH Keys & PEM Files for why DevOps guides then Base64-encode the whole PEM file again for transport.
Decode the full certificate with openssl
To read the actual fields — subject, issuer, validity dates, extensions, public key — use OpenSSL, which understands the ASN.1 structure. The Base64/DER body itself is binary and not human-readable, so no in-browser tool can show it without a heavy X.509 parser. These two one-liners cover both formats:
# From a PEM file:
openssl x509 -in cert.pem -text -noout
# From raw Base64 (DER):
echo "<paste base64>" | base64 -d | openssl x509 -inform DER -text -noout
For just the headline fields instead of the full dump, ask for the subject, issuer, and dates:
openssl x509 -in cert.pem -noout -subject -issuer -dates
Use Strip to raw Base64 above to get the single-line body to paste into the second command. For more OpenSSL Base64 workflows, see OpenSSL Base64 Encode & Decode.
Is this private?
Yes. Every conversion on this page runs fully in the browser with JavaScript — your certificate is stripped, wrapped, or decoded locally and nothing is uploaded to any server. You can confirm in DevTools → Network: clicking a button fires no request. This matters, because certificates and keys are sensitive material.
Never paste a private key into any online tool. A public certificate is not secret, but -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- material must stay off the web entirely. This tool is local and safe, but treat "never paste private keys online" as an unconditional habit — do the decoding on your own machine with openssl.
Frequently asked questions
How do I decode a Base64 certificate?
Paste it into the tool above. Click Strip to raw Base64 to remove the -----BEGIN CERTIFICATE----- armor and whitespace, Wrap as PEM to add it back at 64 columns, or Download .der to save the raw binary. To read the actual fields, run openssl x509 -in cert.pem -text -noout — the Base64 body decodes to binary DER, not readable text.
What's the difference between PEM and DER?
DER is the raw binary ASN.1 encoding of the certificate. PEM is that same DER data Base64-encoded, wrapped at 64 characters per line, and bracketed with -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- headers. PEM is text and copy-paste safe; DER is compact binary. Strip the armor and Base64-decode a PEM body and you are back to the DER bytes.
How do I see the certificate's subject and expiry?
Use openssl. From a PEM file: openssl x509 -in cert.pem -text -noout. From raw Base64 (DER): echo "<paste base64>" | base64 -d | openssl x509 -inform DER -text -noout. For just the identity and dates: openssl x509 -in cert.pem -noout -subject -issuer -dates.
Is it safe to paste a certificate here?
Yes — everything runs locally in your browser and nothing is uploaded. Public certificates are not secret anyway. But never paste a private key into any online tool. This one is local, yet keeping -----BEGIN PRIVATE KEY----- material off the web entirely is the right habit; decode keys on your own machine with openssl.
Need plain Base64 encode/decode?
The main base64.dev tool handles text, files, and URL-safe mode with auto-detect.
Open base64.dev →