Is it safe to generate a CSR in my browser?

Yes, when using a client-side tool like ours that uses the Web Crypto API. All cryptographic operations happen entirely in your browser - no data is ever sent to any server. Your private key never leaves your device. You can verify this by using the tool while offline or by inspecting the network traffic.

What's the difference between RSA and ECDSA?

RSA is the traditional algorithm that has been used for decades and is universally supported. ECDSA (Elliptic Curve Digital Signature Algorithm) is a modern alternative that provides equivalent security with smaller key sizes, resulting in faster operations and smaller certificates. For example, a 256-bit ECDSA key provides similar security to a 3072-bit RSA key.

What key size should I choose for RSA?

For RSA, 2048 bits is the minimum recommended today. 3072 bits provides a good balance of security and performance, while 4096 bits offers maximum security but with slower operations. Most CAs accept 2048-4096 bit RSA keys. Choose based on your security requirements and certificate validity period - longer validity may warrant larger keys.

What are Subject Alternative Names (SANs)?

SANs allow a single certificate to secure multiple domain names, subdomains, IP addresses, and email addresses. Modern browsers require the domain to be listed in the SAN field (not just the Common Name) for proper validation. Always include your primary domain as a SAN, and add any additional domains or subdomains you need to secure.

Can I generate a wildcard certificate CSR?

Yes, to create a wildcard certificate CSR, set the Common Name to *.yourdomain.com or add *.yourdomain.com as a DNS SAN entry. Wildcard certificates secure all first-level subdomains of a domain. Note that a wildcard for *.example.com will cover www.example.com but not sub.domain.example.com.

How do I verify my generated CSR?

You can verify your CSR using OpenSSL with the command: openssl req -text -noout -verify -in your.csr. This will display the CSR contents including the subject, public key algorithm, and any SANs. It will also verify the signature is valid. Most CAs also have online CSR decoders.

What should I do with my private key?

Your private key is extremely sensitive and must be kept secure. Store it on your server with restricted permissions (chmod 600 on Linux), never share it, don't send it via email, and don't upload it to third parties. If your private key is compromised, your certificate must be revoked. Consider using a hardware security module (HSM) for high-security applications.

csr-generator

CSR Generator

Generate Certificate Signing Requests (CSR) for SSL/TLS certificates entirely in your browser. Supports RSA and ECDSA algorithms, custom subject fields, and Subject Alternative Names (SANs).

Key Algorithm

Key Size

Certificate Subject

Common Name (CN)*

Common Name is required

Organization (O)

Organizational Unit (OU)

Locality / City (L)

State / Province (ST)

Country (C)

Email Address

Subject Alternative Names (SANs)

0 entries

No SANs added. Click a button above to add DNS names, IPs, or emails.

Configure your CSR and click Generate

Your CSR and keys will appear here

How to Use This CSR Generator

Choose Algorithm

Select RSA for maximum compatibility or ECDSA for modern, efficient certificates. Choose your preferred key size or curve.

Enter Subject Details

Fill in your Common Name (domain) and optional organization details. The Common Name is required and should match your domain.

Add SANs (Optional)

Add Subject Alternative Names for additional domains, subdomains, IP addresses, or email addresses your certificate should cover.

Generate & Download

Click Generate to create your CSR and private key. Download the CSR for your CA and store the private key securely.

CSR & SSL Certificate FAQ

A CSR is a block of encoded text that contains information about your organization and the domain you want to secure. It's sent to a Certificate Authority (CA) when applying for an SSL/TLS certificate. The CSR includes your public key which will be embedded in the certificate, while you keep the private key secure on your server.

Related Tools

Password Generator

Hash Generator

Base64 & JWT Decoder

About This CSR Generator

This free online CSR generator creates Certificate Signing Requests using the Web Crypto API, ensuring all cryptographic operations happen securely in your browser. Unlike traditional tools that require OpenSSL installation or online services that process your data on servers, this tool keeps your private key completely local and private.

The tool supports both RSA (2048, 3072, 4096 bits) and ECDSA (P-256, P-384, P-521 curves) key algorithms. RSA remains the most widely compatible choice, while ECDSA offers equivalent security with smaller keys and faster operations - increasingly important for mobile and IoT applications.

Subject Alternative Names (SANs) are fully supported, allowing you to create multi-domain and wildcard certificates. Modern browsers require domains to be listed in the SAN extension rather than relying solely on the Common Name field, making SAN support essential for any production certificate.