Don't like ads? Go Ad-Free Today 

CSR (Certificate Signing Request) Generator

DeveloperNetworkingSecurity

ADVERTISEMENT · REMOVE?

[iotools_csr_generator]

ADVERTISEMENT · REMOVE?

Guide

CSR (Certificate Signing Request) Generator

Generate a PKCS#10 Certificate Signing Request and matching RSA private key entirely in your browser. Fill in the subject fields, add Subject Alternative Names, pick a key size, and click Generate. Both files are produced locally — the private key is never transmitted to any server, never logged, and never stored.

How to Use

Enter the Common Name (CN) — typically the fully-qualified hostname (e.g. example.com). This field is required.
Optionally fill in Organization, Organizational Unit, Country (2-letter ISO code), State, Locality, and Email.
Add any Subject Alternative Names, one per line. DNS names, IPv4 addresses, URIs, and emails are auto-detected.
Choose an RSA key size (2048-bit is the industry standard) and a signature hash (SHA-256 is recommended).
Click Generate. Key generation runs in a Web Worker and may take a few seconds for 4096-bit keys.
Copy or download the resulting .key.pem (private key) and .csr.pem (CSR). Submit the CSR to your Certificate Authority and keep the private key safe.

Features

100% client-side — RSA key generation runs in the browser via node-forge and a Web Worker. No data leaves your machine.
Multiple key sizes — 2048-bit, 3072-bit, and 4096-bit RSA keys.
Signature hash choice — SHA-256, SHA-384, and SHA-512.
Complete subject fields — CN, O, OU, C, ST, L, and email address.
Subject Alternative Names — DNS, IPv4, URI, and email entries with automatic type detection.
CSR self-verification — the generated CSR is verified against its public key before display, catching corruption immediately.
Standard PEM output — directly compatible with OpenSSL, Apache, nginx, AWS Certificate Manager, Let’s Encrypt commercial APIs, and every public CA.
Free downloads — both files are downloadable with sensible filenames derived from the Common Name.

Privacy & Security

The private key is generated by the Web Crypto-backed RSA implementation inside your browser tab. It never touches our servers, is never written to any analytics endpoint, and disappears the moment you close the tab. Always store private keys in a secrets manager or encrypted at rest. If a private key has been pasted into a chat tool, log file, or remote service, treat it as compromised and revoke any certificate issued from it.

ADVERTISEMENT · REMOVE?

 FAQ

What is a Certificate Signing Request (CSR)?

A CSR is a PKCS#10-formatted message sent to a Certificate Authority to apply for a digital certificate. It contains the public key and identifying information (subject) about the requesting entity, signed by the corresponding private key to prove possession.
Why does a CSR need a private key?

The private key signs the CSR to prove that the requester actually controls the matching public key. Without this signature, anyone could request a certificate for someone else's public key. The signature is verified by the CA before issuance.
What are Subject Alternative Names (SANs)?

SANs let a single certificate cover multiple identities — additional DNS names, IP addresses, email addresses, or URIs. Modern browsers ignore the Common Name field for TLS hostname matching and rely exclusively on the SAN extension, so a usable TLS certificate must list every hostname in SANs.
Is RSA 2048-bit still safe in 2026?

Yes. RSA 2048 is the current industry baseline and is considered safe through at least 2030 against classical attacks. RSA 4096 offers a larger margin but is roughly 5x slower for signing. For new deployments, 2048 is standard; high-security or long-lived roots typically use 4096.
What signature hash should I choose?

SHA-256 is the universal default and is accepted by every modern CA. SHA-384 and SHA-512 offer marginally stronger collision resistance but are not required for typical web certificates. Avoid SHA-1 entirely — it has been deprecated by all public CAs since 2017.