CSR Decoder
Paste a PKCS#10 Certificate Signing Request to verify its Common Name, SANs, organization, key size, and signature — before you send it to a Certificate Authority.
What is a CSR Decoder?
A CSR decoder reads a Certificate Signing Request — the PKCS#10 block you generate before ordering an SSL/TLS certificate — and shows you the information packed inside it in plain, readable form. Before a Certificate Authority issues your certificate, it builds it from the CSR's contents, so any error in the CSR carries straight into the certificate. Decoding first is a quick sanity check that saves time and money.
This tool parses the CSR locally in your browser. Nothing is uploaded.
How to Use This Tool
- Paste the full CSR, including the
-----BEGIN CERTIFICATE REQUEST-----and-----END CERTIFICATE REQUEST-----lines. - Click Decode CSR.
- Confirm the Common Name and every Subject Alternative Name are correct, and that the key size and organization match what you expect.
What to Check Before Submitting
- Common Name — Is the primary domain spelled exactly right (including
wwwif needed)? - Subject Alternative Names — Are all the domains you intend to secure present? Missing SANs are the most common CSR mistake.
- Organization details — For OV/EV certificates, the O, L, ST and C fields must match your verified business records.
- Key size — At least RSA 2048-bit; CAs reject weaker keys.
- Signature — A valid self-signature confirms the CSR was not corrupted when copied.
Frequently Asked Questions
Decoding lets you confirm the CSR contains exactly the right information before the Certificate Authority issues a certificate from it. The most common mistakes are a missing or misspelled domain, forgotten Subject Alternative Names, or an incorrect organization name. Catching these before submission avoids paying for and installing a certificate that does not match what you need.
A CSR contains the public key and the subject details: Common Name (the primary domain), and optionally Organization, Organizational Unit, Locality, State, Country, and email. It can also carry requested extensions such as Subject Alternative Names. It does not contain the private key — that stays with you — though it is signed by the private key to prove you control it.
No. A CSR contains only your public key plus identifying information, and is self-signed by the corresponding private key to prove possession. The private key itself is never part of the CSR and should never be shared. This decoder reads only the public information in the request.
A CSR is signed with the private key that matches the public key inside it. Verifying that signature confirms the request is internally consistent and was not corrupted in transit. A valid result means the public key and the signature agree; an invalid result usually means the CSR text was truncated, altered, or copied incorrectly.
No. The CSR is decoded entirely in your browser using JavaScript. It is never uploaded, logged, or stored anywhere. A CSR contains only public information, but keeping the processing client-side is still the right approach, which this tool follows.