diff --git a/.changelog/13605.txt b/.changelog/13605.txt
new file mode 100644
index 00000000000..48056587b2b
--- /dev/null
+++ b/.changelog/13605.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_dms_certificate: Add base64 decode before sending to aws-sdk-go, so oracle-wallet is not encoded twice
+```
diff --git a/aws/resource_aws_dms_certificate.go b/aws/resource_aws_dms_certificate.go
index 1bae78a6b98..dca37ab8a41 100644
--- a/aws/resource_aws_dms_certificate.go
+++ b/aws/resource_aws_dms_certificate.go
@@ -1,6 +1,7 @@
 package aws
 
 import (
+	"encoding/base64"
 	"fmt"
 	"log"
 
@@ -72,7 +73,11 @@ func resourceAwsDmsCertificateCreate(d *schema.ResourceData, meta interface{}) e
 		request.CertificatePem = aws.String(pem.(string))
 	}
 	if walletSet {
-		request.CertificateWallet = []byte(wallet.(string))
+		byteArray, err := base64.StdEncoding.DecodeString(wallet.(string))
+		if err != nil {
+			return fmt.Errorf("certificate_wallet is not a valid base64-encoded string")
+		}
+		request.CertificateWallet = byteArray
 	}
 
 	log.Println("[DEBUG] DMS import certificate:", request)