PEM Base64 Encoder (64-char Lines)

OpenSSL-style Base64 wrapped at 64 chars with header/footer

Free PEM Base64 encoder and decoder — wraps standard Base64 at 64 characters per line and frames it with -----BEGIN/END LABEL----- headers, exactly like OpenSSL certificates and keys. Decodes PEM blocks too, all in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

How is PEM Base64 different from MIME Base64?

Both use the standard Base64 alphabet, but PEM (RFC 7468) wraps lines at 64 characters while MIME (RFC 2045) wraps at 76. PEM also frames the data with -----BEGIN LABEL----- and -----END LABEL----- header lines.

PEM (Privacy-Enhanced Mail) is the text wrapping you see around TLS certificates, SSH keys and signing requests — a Base64 body framed by -----BEGIN LABEL----- and -----END LABEL----- lines. Standardised in RFC 7468, it is the format OpenSSL emits by default. This tool builds a PEM block from your text with the correct 64-character line wrapping and headers, and decodes PEM blocks back to their contents.

How it works

To encode, the text is converted to UTF-8 bytes and Base64-encoded with the standard alphabet and = padding. The continuous Base64 string is then split into lines of at most 64 characters, joined with line feeds. If you supply a label, the body is wrapped with matching -----BEGIN LABEL----- and -----END LABEL----- lines; leave the label blank to get just the wrapped body.

To decode, the tool removes any -----BEGIN…----- and -----END…----- header lines, strips whitespace and line breaks, validates the remaining characters and length, then reconstructs the bytes and reads them as UTF-8.

Example

Encoding Gera Tools demo payload with the label CERTIFICATE produces a block like:

-----BEGIN CERTIFICATE-----
R2VyYSBUb29scyBkZW1vIHBheWxvYWQ=
-----END CERTIFICATE-----

The body would only break onto a second line once it exceeds 64 characters.

Notes

Real certificates and private keys contain binary DER data, so decoding them here yields raw bytes rather than readable text — but the Base64 framing is handled exactly as OpenSSL expects. Everything runs locally in your browser; nothing is uploaded.