Use this X.509 to PEM Converter to instantly convert your base64-encoded certificate string from SAML metadata (typically inside <ds:X509Certificate>...</ds:X509Certificate>) to a valid PEM format. This format is required by platforms such as GitHub Enterprise, Okta, Azure AD (Microsoft Entra ID), and many more identity providers.
This tool is optimized for developers, IT administrators, and security engineers who configure SAML SSO or work with certificate-based authentication systems.
🔄 Why Convert X.509 Certificates to PEM Format?
X.509 is a standard for digital certificates used in public key infrastructure (PKI). While the certificate structure stays consistent, the encoding format varies. Many platforms expect the certificate in a specific format.
A typical certificate in XML (SAML metadata) appears like this:
xmlCopyEdit<ds:X509Certificate>MIIDdzCCAl+gAwIBAgIEbN...</ds:X509Certificate>
This must be converted to PEM format, which includes:
sqlCopyEdit-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEbN...
...wrapped every 64 characters...
-----END CERTIFICATE-----
If not formatted properly, systems like GitHub or Okta will reject it with an error like:
Must be a valid X.509 formatted certificate
đź“‚ Common Certificate Formats: PEM vs DER vs PFX
| Format | Extension | Description |
|---|---|---|
| PEM | .pem, .crt, .cer | Base64 encoded with headers. Human-readable. Used by GitHub, Okta, Apache, etc. |
| DER | .der | Binary form of a certificate. Used by Java and Windows. Not human-readable. |
| PFX / PKCS#12 | .pfx, .p12 | Binary format that can include the private key. Used for SSL and Windows Certificate Stores. |
This X.509 to PEM Converter only handles PEM output, which is what most web platforms require for SAML authentication.
🧑‍💻 How to Use the X.509 to PEM Converter
- Copy the certificate string from your SAML metadata file (inside
<ds:X509Certificate>). - Paste the content into the input box on this page.
- Click “Convert to PEM”
- Copy the output, which includes
-----BEGIN CERTIFICATE-----and-----END CERTIFICATE----- - Paste it into your GitHub SSO or IdP configuration
No server-side processing, no installation — this tool is 100% browser-based and private.
đź“Ś Common Use Cases
- Configure SAML SSO in GitHub Enterprise
- Upload certificate in Okta IdP settings
- Set up SAML or OAuth 2.0 trust with Azure AD
- Paste PEM certificate in Google Workspace or Zoom SSO settings
- Use in certificate pinning or JWT validation
âť“ Frequently Asked Questions
Q: What is an X.509 certificate?
A: It’s a digital certificate based on the X.509 standard used to verify identity in systems like SAML, TLS, and VPNs.
Q: What is PEM format?
A: PEM is a Base64-encoded format wrapped with BEGIN/END lines. It is the most widely accepted certificate format for cloud platforms.
Q: Is this converter secure?
A: Yes. It runs completely in your browser. No data is sent to a server.
Q: What if my certificate is already PEM?
A: You don’t need to convert it. If it begins with -----BEGIN CERTIFICATE-----, it’s already in PEM format.
