Loading tool...
Generate self-signed SSL/TLS certificates for local development and testing. Includes Subject Alternative Names support
Generate secure SSH key pairs (Ed25519, RSA) for server authentication and Git. Creates public/private keys with fingerprints
Decode and analyze PEM-encoded X.509 SSL/TLS certificates. View subject, issuer, validity, extensions, and fingerprints
Generate Certificate Signing Requests (CSRs) directly in your browser for obtaining SSL/TLS certificates from Certificate Authorities. CSRs are the standard format for requesting certificates, containing public key information and subject details that the CA uses to issue your certificate. This tool generates RSA key pairs in 2048, 3072, or 4096-bit sizes with customizable subject fields (Common Name for domain, Organization, Organizational Unit, City, State, Country), creating complete CSRs ready to submit to any Certificate Authority. The tool uses SHA-256 signing algorithm—modern and secure—and generates output in standard PEM format compatible with all major certificate authorities and web servers. All key generation occurs entirely in your browser using WebCrypto API, ensuring your private keys are never transmitted or exposed. Download the private key securely, submit the CSR to your CA, and when your certificate arrives, pair it with the private key for HTTPS deployment. The tool includes setup instructions and best practices for key management.
Generate CSRs to submit to Certificate Authorities (Let's Encrypt, Sectigo, GoDaddy, etc.) when requesting new certificates.
Create CSRs for domain validation certificates that are quick and affordable for securing websites.
Generate CSRs with organization details for OV certificates that include business verification.
Generate new CSRs and key pairs when renewing certificates, optionally changing keys as part of renewal.
Create CSRs for multi-domain (SAN) and wildcard certificates covering multiple domains.
Generate CSRs with complete organization details for EV certificates requiring thorough business verification.
A Certificate Signing Request (CSR) is a formally structured message sent to a Certificate Authority (CA) to request the issuance of a digital certificate. Defined by the PKCS#10 standard (RFC 2986), a CSR contains the applicant's public key, identifying information (the subject distinguished name), and a digital signature created with the applicant's private key. This self-signature proves that the requester possesses the private key corresponding to the public key in the request, a critical security property that prevents attackers from requesting certificates for keys they do not control.
The public key cryptography underlying CSR generation relies on asymmetric encryption, where mathematically related key pairs are generated such that data encrypted with one key can only be decrypted with the other. RSA (Rivest-Shamir-Adleman), introduced in 1977, derives its security from the computational difficulty of factoring the product of two large prime numbers. RSA key sizes of 2048 bits are currently considered secure for most applications, providing approximately 112 bits of security strength. The 4096-bit option doubles the key length for higher security margins but increases computational cost during TLS handshakes. ECDSA (Elliptic Curve Digital Signature Algorithm) achieves equivalent security with much shorter keys: a 256-bit ECDSA key provides comparable security to a 3072-bit RSA key, resulting in faster handshakes and smaller certificates.
The CA workflow upon receiving a CSR depends on the validation level requested. Domain Validation (DV) certificates require only proof that the applicant controls the domain, typically verified through an email to the domain registrant, a DNS TXT record, or an HTTP challenge file. Organization Validation (OV) certificates additionally verify the legal existence and identity of the requesting organization through business registration databases and phone callbacks. Extended Validation (EV) certificates require the most thorough verification, including legal identity confirmation, physical address verification, and operational existence checks, historically resulting in a green address bar indicator in browsers.
The subject distinguished name in a CSR follows the X.500 naming convention, with fields for Common Name (CN, traditionally the domain name), Organization (O), Organizational Unit (OU), Locality (L, city), State (ST), and Country (C, two-letter ISO code). Modern certificates rely primarily on the Subject Alternative Names (SAN) extension rather than the Common Name for domain identification, as RFC 6125 deprecated CN matching in favor of SAN. This means that while the CN field remains conventionally populated, the SAN extension is what browsers actually check when validating that a certificate matches the requested domain. Multiple domains can be included in a single certificate through SAN entries, and wildcard certificates (*.example.com) cover all first-level subdomains of a domain.
Store it securely! You will need it to install your certificate once the CA issues it. Never share your private key with anyone.
2048 bits is sufficient for most purposes and is widely supported. Use 4096 bits for maximum security, though it will be slightly slower.
All processing happens directly in your browser. Your files never leave your device and are never uploaded to any server.