CSR Generator

Create a PKCS#10 Certificate Signing Request and matching RSA private key — generated entirely in your browser. Nothing is uploaded.

What is a Certificate Signing Request?

A Certificate Signing Request (CSR) is the first step in obtaining an SSL/TLS certificate. It is an encoded block of text, defined by the PKCS#10 standard, that bundles your public key together with identifying details about the entity requesting the certificate — the domain name, organization, and location. You send the CSR to a Certificate Authority (CA), which verifies the information and returns a signed certificate that pairs with the private key generated alongside the CSR.

This tool generates the keypair and the CSR entirely inside your browser using JavaScript. Your private key is never transmitted, so you stay in full control of it — but that also means you are responsible for saving it.

How to Use This Tool

  1. Fill in the Common Name (your primary domain) and any organization details your CA requires.
  2. List every hostname the certificate should cover under Subject Alternative Names — including the Common Name itself.
  3. Choose a key size (RSA 2048 is the standard default).
  4. Click Generate CSR & Key. Save both the CSR and the private key.
  5. Submit the CSR to your Certificate Authority; keep the private key safe on your server.

Which Fields Matter?

Security Notes

Because key generation happens locally, no third party — including this site — ever sees your private key. Store it securely (correct file permissions, restricted access) and never email it or paste it into untrusted services. If you lose the private key, the issued certificate becomes unusable and you must generate a new CSR and reissue.

Frequently Asked Questions

A CSR is a block of encoded text that you send to a Certificate Authority (CA) to apply for an SSL/TLS certificate. It contains your public key and identifying information such as the domain name (Common Name), organization, and location. The CA uses it to create a signed certificate that matches your private key. The CSR follows the PKCS#10 standard and is usually shared in PEM format beginning with -----BEGIN CERTIFICATE REQUEST-----.
Yes. The keypair and CSR are generated entirely in your browser using JavaScript. Nothing is sent to any server, logged, or stored. That said, you must save the generated private key yourself and keep it secret — the certificate you receive back from the CA will only work with this exact private key, and it cannot be recovered if lost.
The Common Name is the primary domain the certificate is for, such as example.com or www.example.com. Modern browsers ignore the CN and rely on the Subject Alternative Name (SAN) extension, so any domain the certificate should cover — including the CN itself — must be listed as a SAN. For a multi-domain certificate, add each hostname as a separate SAN entry.
RSA 2048-bit is the industry standard and is accepted by every CA — it offers strong security with fast performance and is the right default for almost all websites. RSA 4096-bit doubles the key size for a higher security margin at the cost of slower TLS handshakes and key generation. Use 4096 only when a specific policy requires it; otherwise 2048 is recommended.
Submit the CSR (the CERTIFICATE REQUEST block) to your Certificate Authority when ordering the certificate. Keep the private key on your server and never share it. When the CA returns your signed certificate, install it alongside the private key in your web server configuration. The private key generated here is the only key that will work with the issued certificate.

Related Tools

CSR Decoder

Verify the contents of a CSR before submitting it to a CA.

Certificate Decoder

Decode an X.509 certificate and inspect all its fields.

SSL Certificate Checker

Check a live site's certificate expiry and chain.
Copied to clipboard!