Home/Security Tools/CSR generator

TLS / X.509

CSR Generator

Runs in your browser using WebCrypto — no network requests.

Local only CSR + key pair

Key options

EC keys are smaller and fast. RSA is widely compatible.

CurveP-256 default
Hashfor signature

Subject (who the certificate is for)

Only CN is required. For websites, SANs matter more than CN.

Common Name (CN)required

Usually your primary domain name.

Organization (O)optional

Company / org name (optional).

Org Unit (OU)optional

Team or department (optional).

Locality (L)optional

City (optional).

State/Province (ST)optional

State/province (optional).

Country (C)optional

2-letter country code.

Emailoptional

Optional contact email.

Subject Alternative Names (SAN)

Add all hostnames and IPs the certificate should cover. One per line (or comma-separated).

DNS namesrecommended
IP addressesoptional

Output

Copy the CSR to your CA. Store the private key securely.

CSR (PEM)

Private key (PEM / PKCS#8)

Public key (PEM)

Helpful commands

openssl req -in request.csr -noout -text
openssl req -in request.csr -noout -verify

What a CSR is

A CSR contains your public key and identifying info (like CN/SAN), and is signed by your private key. A CA uses it to issue a certificate.

SAN vs CN

Modern TLS validation relies on Subject Alternative Names (SAN). Put all domains/IPs you need in SAN; CN alone may be ignored by clients.

Safety notes

  • Keep the private key secret; never paste it into chats or tickets.
  • Store keys in a secure vault/secret manager for production.
  • If you regenerate the key, you must request a new certificate.

How it works

Generates a key pair in your browser, builds a CSR with your subject and SAN entries, and signs it using the private key. Nothing leaves the page.

  • SAN values are copied into the CSR extension; clients rely on them over CN.
  • Keep the private key safe; only the CSR is meant to be sent to a CA.

Quick examples

Single domain
CN=example.com; SAN: example.com
CSR ready for a basic TLS cert
Multi-SAN
SAN: api.example.com, www.example.com, 203.0.113.10
Covers hostnames + IP in one request

Use the copy buttons to export CSR and keys as PEM.

Mini FAQ

Do I need both CN and SAN?

Yes; browsers validate SAN. Keep CN aligned with your primary host.

Can I reuse a private key?

You can, but rotating keys per issuance is safer.

How do I verify the CSR?

Use openssl req -in request.csr -noout -text to inspect fields.