CSR Generator
Generate a certificate signing request with an RSA key pair online, add subject alternative names, choose hash and key size, then copy or download files for enrollment.CSR Generator
| Field | Value | Copy |
|---|---|---|
| {{ r.k }} | {{ r.v }} | |
| No data. | ||
1. The web tool provided is for general informational purposes only and should not be considered as professional advice.
2. We do not guarantee the accuracy, completeness, or reliability of the tool.
3. The use of this tool is at your own risk, and we are not liable for any damages or losses resulting from its use.
4. We reserve the right to modify or discontinue the tool without prior notice.
5. By embedding the tool, you agree to indemnify us from any claims arising from its use.
6. We may use Google Analytics or similar tools for data collection and analysis.
7. Please review this disclaimer periodically, as we may update it without notice.
If you do not agree with any part of this disclaimer, please refrain from embedding the tool on your website.
Introduction:
Certificate signing requests are structured messages that present a public key and the subject information that a certificate should include. They let you prepare names and options in a consistent way so the issuer can verify details and produce a matching certificate.
You provide a primary host name or an IP address and, when needed, alternate names for the same service. The generator creates a fresh key pair, assembles the request, and signs it so the result can be submitted to your certificate authority.
A common pattern is a site that answers for one name and a short alias. Enter a domain for the main field and add a second name as an alternate so both resolve to the same identity without separate certificates.
A valid request proves format and signature only, not control of the names. Use test data in shared environments and keep private keys in trusted storage.
Technical Details:
The request encodes subject identity fields and a freshly generated public key, then computes a digital signature over the request body. The result is a PEM text block that certificate services can inspect and accept.
Key material uses an RSA modulus with a selectable size of 2048, 3072, or 4096 bits. The signature digest can be SHA‑256, SHA‑384, or SHA‑512, with SHA‑256 as the default. A hash of the Subject Public Key Info (SPKI SHA‑256) is also computed for quick fingerprinting.
Subject Alternative Names capture additional DNS hosts or IP addresses. Optional Key Usage and Extended Key Usage flags can be requested, although many issuers ignore these hints and apply their own profiles.
Private keys are exported as PKCS #8. When encryption is enabled, the file is wrapped with PBES2 using PBKDF2‑HMAC‑SHA‑256 at 100 000 iterations and AES‑256‑CBC with a random salt and IV.
Processing pipeline
- Validate Common Name as hostname, wildcard hostname, IPv4, or IPv6.
- Parse a comma‑separated SAN list into DNS and IP entries.
- Generate an RSA key pair with the chosen modulus length and digest.
- Assemble subject fields and optional email into the distinguished name.
- Attach extensions: SAN, Key Usage, Extended Key Usage as requested.
- Build the certification request info and sign it with the private key.
- Export CSR and private key in PEM with 64‑character line breaks.
- Compute SPKI SHA‑256 fingerprint from the public key.
- Optionally encrypt the PKCS #8 key with the passphrase.
- Optionally trigger automatic downloads of the CSR and key files.
example.com. SAN: DNS:example.com,DNS:www.example.com. Key size: 2048. Digest: SHA-256.Outputs: CSR PEM, PRIVATE KEY PEM, SPKI SHA‑256 as a 64‑hex‑character fingerprint. Interpretation: both names are bound to the same key and subject.
Validation & bounds extracted from code
| Field | Type | Min | Max | Step/Pattern | Error Text | Placeholder |
|---|---|---|---|---|---|---|
| Common Name | string (DNS, wildcard, IPv4, IPv6) | — | 253 chars for DNS | Labels 1–63 chars, letters/digits/hyphen, no edge hyphens; wildcard only as *.example |
Enter a valid domain, wildcard, or IP. | example.com |
| Subject Alt Names | comma‑separated tokens | — | — | Each token must be a valid DNS or IP | Comma-separated valid DNS names or IPs. | example.com,www.example.com,203.0.113.10 |
| Country (C) | string | 2 | 2 | A–Z only | Two-letter country code. | US |
| string | — | — | ^[^\s@]+@[^\s@]+\.[^\s@]+$ |
Invalid email address. | admin@example.com |
|
| Encrypt key | boolean | — | — | Passphrase length ≥ 4 and must match | Shown when enabled | Min 4 chars |
| Key size | enum | 2048 | 4096 | 2048, 3072, 4096 | — | — |
| Digest | enum | — | — | SHA‑256 (default), SHA‑384, SHA‑512 | — | — |
| Auto‑add CN to SAN | boolean | — | — | Adds CN if SAN list is empty | — | — |
Constants & OIDs present in code
| Constant | OID | Notes |
|---|---|---|
| subjectAltName | 2.5.29.17 | DNS and IP entries |
| keyUsage | 2.5.29.15 | Marked critical when present |
| extendedKeyUsage | 2.5.29.37 | serverAuth, clientAuth |
| emailAddress (RDN) | 1.2.840.113549.1.9.1 | IA5String |
| extensionRequest | 1.2.840.113549.1.9.14 | Carries CSR extensions |
| challengePassword | 1.2.840.113549.1.9.7 | Optional |
| sha256WithRSAEncryption | 1.2.840.113549.1.1.11 | Also 1.1.12, 1.1.13 for SHA‑384/512 |
| PBES2 | 1.2.840.113549.1.5.13 | Key protection scheme |
| PBKDF2 | 1.2.840.113549.1.5.12 | 100 000 iterations |
| HMAC‑SHA‑256 | 1.2.840.113549.2.9 | PRF for PBKDF2 |
| AES‑256‑CBC | 2.16.840.1.101.3.4.1.42 | With random IV |
I/O formats & encoding
| Input | Accepted Families | Output | Encoding/Precision | Rounding |
|---|---|---|---|---|
| Text fields | DNS, IPv4, IPv6, printable strings | CSR PEM | Base64, 64‑column lines | N/A |
| Options | Booleans and enums | PKCS #8 key PEM | Plain or PBES2‑encrypted | N/A |
| — | — | JSON summary | Inputs, CSR, key, SPKI hash | N/A |
Networking & storage behavior
All operations run in the browser. No network requests are made by the generator, and files are offered for local copy or download only.
Security considerations
- Generate and keep private keys on trusted machines.
- Prefer strong passphrases when encrypting PKCS #8 files.
- Issuer policies may override requested KU and EKU.
- Do not paste private keys into untrusted forms or consoles.
Assumptions & limitations
- RSA keys only; elliptic‑curve keys are not generated.
- Digest choices limited to SHA‑256, SHA‑384, and SHA‑512.
- Wildcard allowed only in the leftmost DNS label.
- Heads‑up KU is marked critical when present.
- Auto‑add places CN into SAN only when SAN is empty.
- Issuer may ignore KU and EKU hints.
- Email RDN is optional and uncommon in public TLS use.
- Large key sizes increase CPU time noticeably.
Edge cases & error sources
- Opening over HTTP disables Web Crypto in many environments.
- Country codes must be exactly two letters.
- IPv4 octets must be integers from 0 to 255.
- IPv6 rejects triple colons and non‑hex groups.
- Hostnames cannot start or end with a hyphen.
- A single
*is not a valid hostname. - Passphrase must be at least four characters and match confirmation.
- Empty SAN tokens or stray commas are ignored only when tolerated by parsing.
- Very long subject lines may exceed issuer limits even if locally valid.
- Clipboard access can be blocked by browser permissions.
Privacy & compliance
No data is transmitted or stored server‑side. Generated keys and requests remain on your device unless you copy or download them.
Step‑by‑Step Guide
Certificate signing requests package a new public key and subject details for later issuance.
- Enter the Common Name as a host or IP.
- Add SAN entries for any other names that must work.
- Select a key size and digest appropriate for your policy.
- Optionally set KU, EKU, and email if your issuer uses them.
- Enable encryption and provide a passphrase if required.
- Generate and then copy or download the CSR and key.
Example. CN example.com with SAN example.com,www.example.com yields one CSR that covers both names.
- Use auto‑add to mirror CN into SAN when only one name is needed.
- Larger keys improve margin but slow issuance steps and handshakes.
FAQ
Is my data stored?
No. Generation and formatting run locally, and files are offered for copy or download only.
Which key sizes are supported?
RSA 2048, 3072, and 4096 bits. Larger sizes increase CPU time during generation and use.
Can I include wildcards and IPs?
Yes. A wildcard is allowed only at the leftmost label. SAN entries accept DNS names plus IPv4 and IPv6.
What does a “borderline” result mean?
When inputs barely meet format rules, an issuer may still reject them. Keep names simple and within length limits.
How do I validate a CSR?
Inspect the PEM text and fingerprint, then submit it to your certificate authority or verify with your preferred tooling.
Are KU and EKU required?
They are optional hints. Many issuers apply their own profiles regardless of the request.
Does it work offline?
It runs entirely in the browser once loaded. Some features, like clipboard access, depend on permissions.
What about cost or licensing?
CSR generation itself does not imply licensing. Any certificate issuance terms come from your chosen authority.
Troubleshooting
- “Web Crypto requires a secure context.” Open the page over HTTPS or on
localhost. - CSR missing SANs. Ensure SAN entries are valid and not empty.
- Issuer rejects request. Remove unusual fields and retry.
- Copy buttons do nothing. Grant clipboard permissions.
- Encrypted key will not import. Verify passphrase and PBES2 compatibility.
- Slow generation. Choose a smaller key size or wait for completion.