Certificate Converter
Convert SSL certificates between PEM, DER, P7B and PFX formats
Certificate Converter
Pick your formats, then paste or upload your certificateHow to Convert a Certificate
Move a certificate between PEM, DER, P7B and PFX in four steps.
Choose your formats
Pick the format you have and the one your server needs — for example PEM → PFX for Windows/IIS, or PFX → PEM for Apache and Nginx.
Paste or upload
Paste a text certificate (PEM or P7B), or upload the file. Binary formats like DER and PFX must be uploaded rather than pasted.
Add password or key
Reading a PFX needs its password. Building a PFX also needs the matching PEM private key so it can be bundled with the certificate.
Convert & download
Click Convert. Copy text output straight to your clipboard, or download the file with a name you choose — the right extension is added for you.
Frequently Asked Questions
Common questions about certificate format conversion.
PEM is Base64 text wrapped in "-----BEGIN CERTIFICATE-----" markers, used by Apache, Nginx and OpenSSL. DER is the same certificate as raw binary, common on Java and Windows. PKCS#7 (.p7b / .p7c) holds a certificate chain but no private key. PKCS#12 (.pfx / .p12) is an encrypted, password-protected bundle containing the certificate, its chain and the private key together — the format Windows/IIS and many load balancers expect.
Windows servers (IIS), Microsoft Azure and many appliances import certificates as a single password-protected .pfx that contains both the certificate and its private key. If your CA gave you a PEM certificate and a separate key file, convert them into a PFX to import them together.
A PFX bundles the certificate and its private key in one file. When you build a PFX from a format that doesn't carry the key (PEM, DER or P7B), you must supply the matching PEM private key so it can be included. Converting away from a PFX extracts the key automatically — no key input needed.
No. Conversion runs in server memory only — your certificate and private key are never written to disk, logged or retained, and are discarded as soon as the response is sent. For maximum control you can also convert locally with OpenSSL, e.g. "openssl x509 -in cert.pem -outform der -out cert.der".
The usual causes are an incorrect PFX password, a missing or mismatched private key when building a PFX, or an encrypted/EC private key. Check the password is correct, and that the PEM private key is unencrypted, RSA, and matches the certificate.
Yes. Paste a full PEM chain or upload a P7B/PFX that contains several certificates, and they're carried through to formats that support chains (PEM, P7B, PFX). DER holds a single certificate, so only the leaf certificate is exported when converting to DER.