CSR Generator

Subject (Distinguished Name)

Common Name (CN) *

Organization (O)

Organizational Unit (OU)

Country (C)

State / Province (ST)

Locality / City (L)

Key Settings

Key Type

Key Size

Digest Algorithm

Subject Alternative Names (SAN)

Modern browsers and clients require SANs. CN alone is often not enough.

DNS Names

IP Addresses

Output

Private Key Filename

CSR Filename

Either Common Name (CN) or at least one SAN DNS name is required.

Generated Commands

generate-csr.sh

openssl genrsa -out private.key 4096

openssl req -new \
  -key private.key \
  -out request.csr \
  -sha256

# Verify CSR
openssl req -in request.csr -noout -verify

# View CSR details
openssl req -in request.csr -noout -text

Step-by-step Breakdown

1. Generate private key

openssl genrsa -out private.key 4096

2. Generate CSR

openssl req -new \
  -key private.key \
  -out request.csr \
  -sha256

3. Verify & view CSR

openssl req -in request.csr -noout -verify
openssl req -in request.csr -noout -text

One-Liner (key + CSR in one command)

openssl req -new \
  -newkey rsa:4096 \
  -nodes \
  -keyout private.key \
  -out request.csr \
  -sha256

Common Recipes

What is a CSR?

A Certificate Signing Request (CSR) is a block of encoded text submitted to a Certificate Authority (CA) when applying for an SSL/TLS certificate. It contains your public key and identifying information (subject), and is signed with your private key to prove ownership.

The CSR includes a Distinguished Name (DN) with fields like Common Name (CN), Organization (O), Country (C), and optionally Subject Alternative Names (SANs) for multi-domain and wildcard certificates.

Why SANs Matter

Modern browsers (Chrome 58+, Firefox, Safari) no longer trust the Common Name (CN) field alone. They require at least one Subject Alternative Name (SAN) entry. If your CSR only has a CN without SANs, many clients will reject the resulting certificate with a name mismatch error.

Always include your domain in both CN and SAN fields. Use DNS SANs for domain names and IP SANs for direct IP access (common in internal/development environments).

RSA vs EC Keys

Feature	RSA 4096	EC P-256
Key size	4096 bits	256 bits
Security level	~128-bit	~128-bit
TLS handshake	Slower	Faster
Compatibility	Universal	Modern clients
Recommendation	Default choice	Performance-critical

Equivalent OpenSSL Commands

This tool generates the exact same commands you would type manually:

# Generate RSA key
openssl genrsa -out private.key 4096

# Generate CSR with SAN
openssl req -new -key private.key -out request.csr \
  -sha256 -subj "/CN=example.com/O=Example Inc/C=US" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

# Verify CSR
openssl req -in request.csr -noout -verify
openssl req -in request.csr -noout -text

Privacy: This tool runs entirely in your browser. No data is sent to any server. Your private key and CSR are generated locally.

Related Tools & Resources

SSL Certificate Decoder

Decode and view the certificate from your CSR

OpenSSL Command Builder

Build advanced OpenSSL commands

Nginx Config Generator

Configure SSL in Nginx with your new cert

Runbook: Renew expired SSL certificates

Step-by-step troubleshooting guide

Complete guide to SSL/TLS certificates

Blog article

Automate cert issuance with ACME

Blog article