How is PEM Base64 different from MIME Base64?

Both use the standard Base64 alphabet, but PEM (RFC 7468) wraps lines at 64 characters while MIME (RFC 2045) wraps at 76. PEM also frames the data with -----BEGIN LABEL----- and -----END LABEL----- header lines.

What goes in the LABEL part of the header?

The label describes the contents — common values are CERTIFICATE, PUBLIC KEY, PRIVATE KEY, RSA PRIVATE KEY and CERTIFICATE REQUEST. It is uppercased and must match in the BEGIN and END lines.

Can I decode a real certificate or key with this?

It will strip the PEM headers and decode the Base64 body to raw bytes, then try to show them as UTF-8 text. Certificates and keys are binary (DER), so they will not display as readable text, but the Base64 itself decodes correctly.

Does it accept Base64 without the headers?

Yes. When decoding, both a full PEM block and a bare Base64 body are accepted — headers, line breaks and whitespace are removed before decoding.

Why are PEM lines 64 characters?

The 64-character line length comes from the original PEM specification and is preserved in RFC 7468 for interoperability. It keeps lines short enough to survive older mail and terminal systems while staying a clean multiple of four.

PEM Base64 Encoder (64-char Lines)

PEM (Privacy-Enhanced Mail) is the text wrapping you see around TLS certificates, SSH keys and signing requests — a Base64 body framed by -----BEGIN LABEL----- and -----END LABEL----- lines. Standardised in RFC 7468, it is the format OpenSSL emits by default. This tool builds a PEM block from your text with the correct 64-character line wrapping and headers, and decodes PEM blocks back to their contents.

How it works

To encode, the text is converted to UTF-8 bytes and Base64-encoded with the standard alphabet and = padding. The continuous Base64 string is then split into lines of at most 64 characters, joined with line feeds. If you supply a label, the body is wrapped with matching -----BEGIN LABEL----- and -----END LABEL----- lines; leave the label blank to get just the wrapped body.

To decode, the tool removes any -----BEGIN…----- and -----END…----- header lines, strips whitespace and line breaks, validates the remaining characters and length, then reconstructs the bytes and reads them as UTF-8.

Example

Encoding Gera Tools demo payload with the label CERTIFICATE produces a block like:

-----BEGIN CERTIFICATE-----
R2VyYSBUb29scyBkZW1vIHBheWxvYWQ=
-----END CERTIFICATE-----

The body would only break onto a second line once it exceeds 64 characters.

Notes

Real certificates and private keys contain binary DER data, so decoding them here yields raw bytes rather than readable text — but the Base64 framing is handled exactly as OpenSSL expects. Everything runs locally in your browser; nothing is uploaded.