RSA or ECDSA, which one should I pick?

**ECDSA P-256** for modern servers (Nginx, Apache 2.4+, every new stack). Smaller keys (256-bit vs RSA-2048), faster TLS handshakes, same security level. **RSA 2048** for older systems (Windows Server 2008, embedded), universal compatibility. Let's Encrypt recommends ECDSA for new certificates.

What are SANs and why do they matter?

[[SANs||Subject Alternative Names]] are the **extra domains the certificate covers**. Without SANs the cert only works for the CN (e.g. example.com). To also cover www.example.com or api.example.com, add them to SANs. **In 2025** every cert uses SANs, the bare CN is legacy from 1990s SSL.

What is the key passphrase and should I set one?

A **passphrase-encrypted private key** is safe even if the file leaks. Without it, anyone with file access controls your domain. **Trade-off**: the server must know the passphrase to start TLS, so it asks on every restart. Usually you store it in a config file, weakening the protection. **For production** you use HSMs or HashiCorp Vault, not a passphrase.

Is Common Name legacy?

Yes, **CN was deprecated** in favor of SANs by RFC 6125 (2011). Most browsers already ignore CN and only check SANs. But the **CSR still needs a CN** for compatibility (every CA expects one). Put the main domain in CN and repeat it in SANs.

Country C needs a 2-letter code, which?

The standard [[ISO 3166-1 alpha-2||country code standard, uppercase 2 letters]]. US = US, Germany = DE, United Kingdom = GB, Poland = PL. Do not write "USA" or "United States", the CA will reject the CSR.

Do my details (CN, O, email) go to your server?

**No**. Generation runs entirely in your browser (the node-forge library + Web Crypto API). Open **DevTools → Network** during generation, you will see zero requests. The private key **never leaves** your device.

What do I do with the private key after generating?

Save it to a safe path on your server (`/etc/ssl/private/example.com.key` on Linux). Permissions **600 (root-only readable)**. Back it up to a password manager or a safe. **Never commit it to a code repository** (gitignore!). If you lose the key you need a new CSR + renewed certificate (the CA cannot help).

Can I reuse this key for multiple domains?

Yes, the private key **is not tied to a specific domain**, only to a certificate. You can issue multiple certificates for different domains using the same key. **But not recommended**: compromising one server exposes every domain on that key. Best practice: one key, one cert (or one SAN group).

How do I turn the CSR into a signed certificate?

Submit the CSR to your CA (Let's Encrypt, DigiCert, ...). The CA verifies you control the domain (HTTP challenge or DNS challenge), then issues the certificate (.crt). Wire it up with the private key in your web server config (Nginx: `ssl_certificate` + `ssl_certificate_key`). Reload, HTTPS is live.

YourDevToolsPro

CSR Generator

Generate a CSR (Certificate Signing Request) and matching private key in your browser. RSA, ECDSA, SANs, PEM.

LiveRuns in your browser

CSR + Private Key Generator

Generate a CSR (Certificate Signing Request) and matching private key to order an SSL/TLS certificate. Or decode an existing CSR to inspect its subject and SANs.

Common Name (domain)*

example.com

Organization (O)

e.g. Acme Corp

Unit (OU)

e.g. IT, Engineering

City (L)

e.g. San Francisco

State (ST)

e.g. California

Country (C, 2 letters)

ISO 3166: US, DE, GB, PL

Subject Alt Names (SANs)

Comma-separated list of extra domains. Standard for modern certificates.

Key algorithm

Private key passphrase (optional)

Private key and CSR are generated locally in your browser. Nothing leaves your device.

What is a CSR and when do you need one?

A CSR is the standard format used to order an SSL/TLS certificate from a certificate authority (Let's Encrypt, DigiCert, Sectigo). You fill in your domain details, click Generate, and get two files: a CSR (you send it to the CA) and a private key (you keep it on your server, never share it).

Here you generate the pair right in your browser. We support RSA 2048/3072/4096 and ECDSA P-256/P-384 (the modern default, smaller keys). Add SANs if the certificate must include www, api, blog, etc.

The second tab: paste an existing CSR and we will decode the subject, SANs, and algorithm so you can verify it before sending to a CA.

Everything runs locally. The private key is generated in your browser and never transmitted.

How to use

Generate tab: enter the Common Name (CN), the main domain you want the certificate for (e.g. example.com).
Add organization (O), unit (OU), city (L), state (ST) and country (C, a 2-letter ISO code: US, GB, DE).
The SANs field is a comma-separated list of extra domains (e.g. www.example.com, api.example.com). Most certificates cover at least "example.com" and "www.example.com".
Pick the algorithm: RSA 2048 for maximum compatibility, ECDSA P-256 for speed and modern stacks (recommended by Let's Encrypt in 2025).
Click Generate, get two files: a CSR (send to your CA, e.g. paste in the Let's Encrypt control panel) and a private key (keep it on your server, never share).
Decode tab: paste an existing CSR (e.g. one generated by OpenSSL) and see the subject, SANs, and algorithm. Verify it before sending to a CA.

When to use it

Five common situations where you need to generate a CSR:

Let's Encrypt certificate for your own server. Most people use certbot/acme.sh (automatic CSRs), but for manual setups or unusual cases you generate one yourself.
Commercial SSL certificate from DigiCert, Sectigo, GlobalSign. Paid certs always require a CSR from your server.
**Wildcard certificate (*.example.com)**. Set CN = "*.example.com" to cover every subdomain.
Intranet / staging certificate. The CSR will be signed by your company's internal CA.
Migrating a certificate to a new server. New CSR + new key avoids exposing the old key.

To inspect a live certificate, use the SSL Cert Inspector. To generate a JWT signing key, see the JWT Keypair Generator.

Questions and answers

A CSR is a request. It contains your server details + your public key + your signature. A certificate is the CA's response: the same data PLUS the CA's signature, which vouches that you are who you claim to be. Browsers only trust certificates signed by a trusted CA (Let's Encrypt, DigiCert, ...).

Related tools

SSL Certificate Inspector

Type a domain, get the full SSL certificate chain: days to expiry, public key, signature, SANs, fingerprints, security warnings.

Full name

Generate an OpenPGP keypair (Ed25519 or RSA) right in your browser. Armored ASCII format, ready to import.

JWT Keypair Generator

Generate a JWT signing keypair: RS256/RS384/RS512, PS256, ES256/ES384/ES512 or EdDSA. PEM + JWK + sample signed JWT. Server-side, never stored.

DKIM Keypair Generator

Generate an RSA DKIM keypair and a paste-ready DNS TXT record. 1024 / 2048 / 4096-bit, server-side, never stored.

AES Encrypt / Decrypt

Encrypt text with a password (AES-GCM 256). Runs in your browser, nothing leaves the device.