certutil is a built-in Windows utility primarily used for certificate management, but it also supports Base64 encoding and decoding of files directly from CMD — no additional software required. It has been available on every version of Windows since Vista and works on Windows 10 and 11 without elevation. This article covers practical encoding and decoding workflows using certutil, explains a critical output format quirk that breaks compatibility with standard Base64 consumers, and shows the PowerShell equivalent for situations where clean RFC 4648 output is required.
Quick Answer
rem Encode a file to Base64
certutil -encode input.txt output_encoded.txt
rem Decode a Base64 file back to the original
certutil -decode output_encoded.txt restored.txt
What it does
certutil -encode reads a source file, converts its binary content to Base64, and writes the result to a new file. certutil -decode does the reverse: it reads a Base64-encoded file and writes the original binary content. Both operations work on any file type — text, scripts, binaries.
Syntax:
certutil -encode <InputFile> <OutputFile>
certutil -decode <InputFile> <OutputFile>
certutil is available on all Windows versions since Vista. No installation required. No elevation needed for encode and decode operations on files the current user can read.
Practical Examples
1. Encode a text file
The problem: You need to transfer a config file through a channel that only accepts ASCII text, such as an email body or a ticket field.
The solution: Encode the file to Base64 so it can be pasted as plain text and reconstructed on the other end.
rem Create a sample config file
echo server=SRV-PROD-01 > C:\bat\app.conf
echo port=8443 >> C:\bat\app.conf
rem Encode it to Base64
certutil -encode C:\bat\app.conf C:\bat\app_encoded.txt
2. Decode back to the original
The problem: You received an encoded file and need to restore it to its original form before use.
The solution: Run certutil -decode to reconstruct the original file from the Base64 content.
rem Decode the Base64 file back to its original content
certutil -decode C:\bat\app_encoded.txt C:\bat\app_restored.conf
3. Verify integrity with fc
The problem: After encode and decode, you want to confirm that no bytes were lost or altered in the round trip.
The solution: Use the built-in fc command to compare the original and restored files byte by byte.
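rem Compare original and restored files byte by byte
rem /b forces a binary comparison; without it fc compares the files as text, line by line
rem fc exits with code 0 if files are identical
fc /b C:\bat\app.conf C:\bat\app_restored.conf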
4. Encode a PowerShell script before transfer
The problem: You need to send a .ps1 script through a system that strips or modifies special characters — for example, a monitoring platform alert body, a ticketing system, or a chat tool.
The solution: Encode the script file to Base64 before sending. The recipient decodes it with a single certutil command and runs the original file.
rem Encode a PowerShell script to Base64
rem Useful when transferring through systems that mangle special characters
certutil -encode C:\bat\deploy.ps1 C:\bat\deploy_encoded.txt
rem On the receiving end, decode it back
certutil -decode C:\bat\deploy_encoded.txt C:\bat\deploy_restored.ps1
5. Encode command output via a temp file
The problem: You want to encode the output of a command — for example, the result of ipconfig /all or systeminfo — without saving it manually first.
The solution: Redirect the command output to a temp file, then encode that file. Two steps, no intermediate editing required.
rem Capture system info to a temp file
systeminfo > C:\bat\sysinfo.txt
rem Encode the captured output to Base64
certutil -encode C:\bat\sysinfo.txt C:\bat\sysinfo_encoded.txt
rem Clean up the plain text temp file when done
del C:\bat\sysinfo.txt
6. Decode a Base64 config snippet received as a text string
The problem: A vendor or colleague sends you a Base64-encoded config block as plain text — for example, a certificate payload, a connection string, or a settings file — and you need to decode it to a usable file.
The solution: Save the encoded string to a text file (with the required certutil header and footer), then decode it. If the string arrives without those lines, add them manually before decoding.
rem If the encoded string lacks certutil headers, wrap it manually
rem The header and footer lines are required for certutil -decode to work
echo -----BEGIN CERTIFICATE----- > C:\bat\received.txt
echo VGhpcyBpcyBhIHRlc3QgY29uZmlnCg== >> C:\bat\received.txt
echo -----END CERTIFICATE----- >> C:\bat\received.txt
rem Decode to restore the original content
certutil -decode C:\bat\received.txt C:\bat\config_restored.txt
Hidden Gems
certutil output is not standard Base64
The encoded file produced by certutil -encode includes two extra lines that are not part of the Base64 data itself: -----BEGIN CERTIFICATE----- at the top and -----END CERTIFICATE----- at the bottom. These are PEM-format markers borrowed from certificate encoding. They are required for certutil -decode to work, but they break compatibility with any tool that expects clean RFC 4648 Base64 — including most APIs, PowerShell’s [Convert]::FromBase64String(), and Linux utilities like base64 -d.
Output file size is always larger than input
Base64 encoding increases file size by approximately 33%. A 100 KB binary file will produce a roughly 133 KB encoded file. This is expected behavior — Base64 trades size efficiency for text-safe encoding.
certutil is silent about file type
certutil will encode any file you point it at — text, binary, image, executable — without warning. The encoded output looks identical regardless of source file type. Always keep track of what you encoded and use the correct output extension when decoding to avoid confusion.
PowerShell equivalent
PowerShell produces clean RFC 4648 Base64 without the PEM header and footer. Use this when the encoded output needs to be consumed by an API, a Linux system, or any tool outside Windows CMD.
rem Encode a file to clean Base64 using PowerShell
powershell -Command "[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\bat\app.conf'))" > C:\bat\app_encoded_clean.txt
rem Decode clean Base64 back to a file using PowerShell
powershell -Command "$b=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\bat\app_encoded_clean.txt').Trim()); [IO.File]::WriteAllBytes('C:\bat\app_restored_ps.conf', $b)"
Where this matters
Transferring scripts through restricted channels — when a ticketing system, monitoring platform, or chat tool strips or escapes special characters in PowerShell or batch script content, encoding the file first preserves it intact for the recipient.
Embedding file content in a config or payload — some deployment tools and API calls accept file content as a Base64 string rather than a binary upload. Encoding the file with certutil (then stripping the headers) produces the required format.
Passing diagnostic data through email — encoding a systeminfo or event log export as Base64 allows it to be pasted into an email body without attachment restrictions or content filtering.
Receiving encoded configs from vendors — vendors occasionally deliver configuration files as Base64 strings. Knowing how to decode them from CMD without additional tools speeds up onboarding and reduces dependency on external software.
Quick verification of round-trip integrity — combining certutil encode, decode, and fc gives a fast, self-contained way to confirm that a file was not altered in transit or storage.
Tips and Limitations
- File size limit: certutil does not enforce a hard file size limit, but encoding large files (hundreds of MB) is slow and produces proportionally larger output. For large files, consider PowerShell or a dedicated tool.
- Binary files: certutil can encode any binary file. Decoding will restore the exact original bytes. Use this carefully — a restored executable or DLL must come from a trusted source.
- Output encoding: The encoded output file is plain ASCII text. It can be opened in any text editor without issues.
- No streaming: certutil requires a file path as input. It cannot read from stdin or encode a piped command output directly. Use a temp file as shown in Example 5.
- Cross-platform decoding: If the recipient uses Linux, Python, or a web API to decode, the PEM headers must be stripped from the certutil output first. PowerShell is the better choice when cross-platform compatibility matters.
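The header stripping described under "certutil output is not standard Base64" and in the cross-platform decoding tip, shown as an added Python example that is not part of the original article. It removes the BEGIN/END marker lines, joins wrapped payload lines, and rejects anything that is not strict RFC 4648 Base64; the function names and the sample input are constructed for illustration.

```python
import base64
import re

# PEM-style marker lines that certutil -encode writes around the payload.
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def strip_certutil_armor(text: str) -> str:
    """Return the bare Base64 payload from certutil -encode output.

    Input that is already bare Base64 passes through unchanged, so this
    can sit in front of any strict RFC 4648 decoder.
    """
    # splitlines() handles both CRLF (Windows) and LF line endings.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    has_begin = bool(lines) and lines[0] == BEGIN
    has_end = bool(lines) and lines[-1] == END
    if has_begin != has_end:
        # One marker without the other usually means a truncated paste.
        raise ValueError("unbalanced BEGIN/END markers")
    if has_begin:
        lines = lines[1:-1]
    payload = "".join(lines)  # undo line wrapping
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", payload) or len(payload) % 4:
        raise ValueError("payload is not valid RFC 4648 Base64")
    return payload


def decode_certutil_output(text: str) -> bytes:
    """Decode certutil -encode output (or bare Base64) to the original bytes."""
    return base64.b64decode(strip_certutil_armor(text), validate=True)


# Constructed sample: the string from Example 6, wrapped in the marker
# lines and using Windows CRLF line endings.
SAMPLE = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "VGhpcyBpcyBhIHRlc3QgY29uZmlnCg==\r\n"
    "-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    print(decode_certutil_output(SAMPLE))
```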
Official Reference
certutil — Windows Commands | Microsoft Learn
