CSR generated for {{ cn || '[no CN]' }}

{{ downloadNotice }}
Enter a valid domain, wildcard, or IP.
Comma-separated valid domains or IPs.
Two-letter country code.
Invalid email address.
Categories: DevOps & SRE , Generator , Security
Export to PDF Fullscreen

Certificate Signing Requests (CSRs) are standardized files used within public-key infrastructure to prove control of a domain or identity when applying for a digital certificate. Each CSR bundles a newly generated public key with descriptive subject attributes, then cryptographically signs the package so certificate authorities can validate its integrity before issuing TLS, S/MIME, or code-signing credentials.

By combining the details you enter—common name, alternative names, organization data, and a preferred RSA key size—the generator produces a fresh key-pair in the browser, assembles a PKCS #10 request with your attributes, signs it with a SHA-256 digest, and presents both the base64-encoded CSR and the matching PEM-formatted private key for immediate download.

For example, a system administrator can create a wildcard CSR for *.example.com seconds before uploading it to a certificate authority, guaranteeing the private key never leaves their workstation or transient browser memory. Always store the generated key securely; anyone with that file can impersonate your site, server, application, or code.

Technical Details:

Concept Overview

RSA public-key cryptography relies on modular exponentiation: a private exponent d is chosen such that e·d ≡ 1 (mod φ(n)) where n = p·q. The algorithm’s hardness derives from the difficulty of factoring n. A CSR follows the PKCS #10 specification, embedding an ASN.1 structure that encapsulates subject attributes, the DER-encoded public key, and a SHA-256 signature so certificate authorities can verify integrity and identity before issuing a certificate.

Core Process

  1. Generate two strong primes p and q; compute modulus n=p×q.
  2. Select public exponent e (commonly 65 537) and derive private exponent d.
  3. Assemble subject attributes and optional Subject Alt Names into a CSR structure.
  4. Hash the structure with SHA-256 and sign it using the private key.
  5. Output PEM-encoded CSR plus PEM-encoded private key for storage.

Key-Size Guidance

Key Size (bits)Approximate Security Window
2048Suitable for most public websites until 2030
3072Extra margin for high-value assets into mid-2030s
4096Long-term archival or sensitive code-signing

Inputs & Parameters

  • Common Name (CN) – primary fully-qualified domain or IP.
  • Subject Alt Names – comma-separated additional domains.
  • Country (C) – two-letter ISO 3166 code.
  • State, Locality, Organization, Org Unit – optional identity fields.
  • Email – administrative contact address.
  • Key Size – 2048, 3072, or 4096-bit RSA modulus.

Example (CN = example.com, key size = 2048):

n=2048 bit modulus
e=65537d>210242

The resulting CSR hashes to SHA-256 and signs in ≈2 seconds on a modern laptop.

Assumptions & Limitations

  • Browser entropy must be adequate for true randomness.
  • RSA security assumes factoring remains computationally infeasible.
  • Only DNS and IPv4 names are validated; IPv6 and internationalized domains are unsupported.
  • Outputs exclude certificate extensions other than Subject Alt Name.

Edge Cases & Error Sources

  • Wildcard CN without leading asterisk causes validation failure.
  • Comma-separated SAN list containing spaces rejects CSR creation.
  • Two-character country code set to lowercase is rejected by some authorities.
  • Browser tab closure before download discards the private key permanently.

Scientific Validity & References

Concepts align with RFC 2986 (PKCS #10), RFC 5280, and NIST SP 800-57 Pt 1. Security margins draw on Lenstra & Verheul (2001) and ECRYPT-CSA (2023) key-size recommendations.

Privacy & Compliance

The generator processes all data locally, and no sensitive information leaves the user’s browser, satisfying GDPR principles on data minimisation.

Step-by-Step Guide:

Follow these steps to obtain a ready-to-submit CSR and its matching private key.

  1. Enter the Common Name for the certificate.
  2. Optionally provide Subject Alt Names separated by commas.
  3. Fill in organization, locality, and contact fields as required by your authority.
  4. Select a key size suited to your security needs.
  5. Click Generate CSR and wait for on-screen confirmation.
  6. Copy or download the CSR to submit, and store the private key in a secure location.

FAQ:

Is my data stored?

No. All calculations occur in your browser and disappear once the page is closed.

Which key size is best?

2048-bit suits typical websites; choose 3072 or 4096 for long-term or high-risk deployments.

Can I reuse a key?

Reusing private keys undermines security. Generate a fresh pair for each new certificate request.

Does it support IPv6?

No. Current validation accepts IPv4 or DNS names only.

Why is copy disabled?

If your browser blocks clipboard access, use the download buttons instead to save the files.

Glossary:

CSR
Request file containing public key and identity.
PKCS #10
Standard defining CSR structure.
RSA
Widely used public-key algorithm based on factoring.
Subject Alt Name
Extension listing additional identities.
SHA-256
Secure hash used to sign the request.

No data is transmitted or stored server-side.

Embed this tool into your website using the following code: