StackAtlas
Home/Security Tools/CSR generator

TLS / X.509

CSR Generator

Runs in your browser using WebCrypto — no network requests.

Local only CSR + key pair

Key options

EC keys are smaller and fast. RSA is widely compatible.

CurveP-256 default
Hashfor signature

Subject (who the certificate is for)

Only CN is required. For websites, SANs matter more than CN.

Common Name (CN)required

Usually your primary domain name.

Organization (O)optional

Company / org name (optional).

Org Unit (OU)optional

Team or department (optional).

Locality (L)optional

City (optional).

State/Province (ST)optional

State/province (optional).

Country (C)optional

2-letter country code.

Emailoptional

Optional contact email.

Subject Alternative Names (SAN)

Add all hostnames and IPs the certificate should cover. One per line (or comma-separated).

DNS namesrecommended
IP addressesoptional

Output

Copy the CSR to your CA. Store the private key securely.

CSR (PEM)

Private key (PEM / PKCS#8)

Public key (PEM)

Helpful commands 

openssl req -in request.csr -noout -text
openssl req -in request.csr -noout -verify

What a CSR is

A CSR contains your public key and identifying info (like CN/SAN), and is signed by your private key. A CA uses it to issue a certificate.

SAN vs CN

Modern TLS validation relies on Subject Alternative Names (SAN). Put all domains/IPs you need in SAN; CN alone may be ignored by clients.

Safety notes

  • Keep the private key secret; never paste it into chats or tickets.
  • Store keys in a secure vault/secret manager for production.
  • If you regenerate the key, you must request a new certificate.