PEM ↔ DER Converter
Convert between PEM (base64) and DER (binary/hex) for X.509 and keys.
Overview
The PEM ↔ DER converter flips between the two common encodings for X.509 certificates, RSA / EC private keys, and CSRs. Paste a PEM blob with -----BEGIN ...----- headers and get back the raw DER bytes as hex or base64; paste DER bytes and get back a properly framed PEM block.
It is the tool of choice when one tool only accepts PEM and another only accepts DER — most commonly OpenSSL versus Java keytool, or Linux versus Windows certificate stores. A PEM-to-DER converter avoids the usual openssl x509 -outform DER -in foo.pem -out foo.der dance when you just want the bytes.
How it works
DER (Distinguished Encoding Rules) is a canonical binary encoding for ASN.1 structures, defined in ITU-T X.690. Every X.509 certificate, every PKCS#8 private key, and every PKCS#10 CSR is fundamentally a DER blob. PEM (Privacy-Enhanced Mail, RFC 7468) is that DER blob wrapped in base64 with header and footer lines:
-----BEGIN <LABEL>-----
<base64, 64 chars per line>
-----END <LABEL>-----
The label tells consumers what is inside (CERTIFICATE, RSA PRIVATE KEY, PRIVATE KEY, EC PRIVATE KEY, CERTIFICATE REQUEST, PUBLIC KEY). Conversion is therefore lossless: strip headers, base64-decode for PEM → DER; base64-encode and wrap in headers for DER → PEM. The tool detects the label automatically when generating PEM.
Examples
PEM input:
-----BEGIN CERTIFICATE-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END CERTIFICATE-----
DER output (hex):
30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 ...
DER input (hex): 30 82 01 22 30 0d ...
PEM output:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----
PEM input with multiple blocks (cert + chain)
DER output: first block only, plus a note about additional blocks
FAQ
How do I know whether my file is PEM or DER?
PEM is text — open it in an editor and you will see -----BEGIN ...-----. DER is binary; opening it in a text editor shows garbage. By file extension, .pem, .crt, .cer, and .key are usually PEM; .der and sometimes .crt/.cer (on Windows) are DER.
Will the converter handle encrypted private keys?
The encoding round-trip works, but the contents stay encrypted. To use the key you still need the passphrase and a tool that supports PKCS#8 encryption.
What about PKCS#7 or PKCS#12 bundles?
PKCS#7 (.p7b) and PKCS#12 (.pfx, .p12) are container formats that hold multiple certificates and keys. They are not simple PEM ↔ DER conversions; use OpenSSL or a dedicated bundle tool.
Does the label matter when generating PEM?
Yes — many consumers reject a block with the wrong label. CERTIFICATE is for X.509 certs; PRIVATE KEY is the modern PKCS#8 label, while RSA PRIVATE KEY and EC PRIVATE KEY are the older algorithm-specific PKCS#1 / SEC1 labels.