TLS / X.509
CSR Generator
Runs in your browser using WebCrypto — no network requests.
Key options
EC keys are smaller and fast. RSA is widely compatible.
Subject (who the certificate is for)
Only CN is required. For websites, SANs matter more than CN.
Usually your primary domain name.
Company / org name (optional).
Team or department (optional).
City (optional).
State/province (optional).
2-letter country code.
Optional contact email.
Subject Alternative Names (SAN)
Add all hostnames and IPs the certificate should cover. One per line (or comma-separated).
Output
Copy the CSR to your CA. Store the private key securely.
CSR (PEM)
—Private key (PEM / PKCS#8)
—Public key (PEM)
—Helpful commands
openssl req -in request.csr -noout -text
openssl req -in request.csr -noout -verifyWhat a CSR is
A CSR contains your public key and identifying info (like CN/SAN), and is signed by your private key. A CA uses it to issue a certificate.
SAN vs CN
Modern TLS validation relies on Subject Alternative Names (SAN). Put all domains/IPs you need in SAN; CN alone may be ignored by clients.
Safety notes
- Keep the private key secret; never paste it into chats or tickets.
- Store keys in a secure vault/secret manager for production.
- If you regenerate the key, you must request a new certificate.
How it works
Generates a key pair in your browser, builds a CSR with your subject and SAN entries, and signs it using the private key. Nothing leaves the page.
- SAN values are copied into the CSR extension; clients rely on them over CN.
- Keep the private key safe; only the CSR is meant to be sent to a CA.
Quick examples
Use the copy buttons to export CSR and keys as PEM.
Mini FAQ
Do I need both CN and SAN?
Yes; browsers validate SAN. Keep CN aligned with your primary host.
Can I reuse a private key?
You can, but rotating keys per issuance is safer.
How do I verify the CSR?
Use openssl req -in request.csr -noout -text to inspect fields.
Related tools