Tool Introduction
A Certificate Signing Request (CSR) is the first step in obtaining an SSL/TLS certificate. When you need to configure HTTPS for your website, you must first generate a CSR file and submit it to a Certificate Authority (CA) for signing.
Our online CSR generator tool makes this process simple and secure:
- Fully Local Processing: All CSR generation occurs in your browser; your private key never leaves your device
- Multiple Algorithm Support: Supports RSA (2048/3072/4096 bits) and ECDSA (P-256/P-384/P-521) signature algorithms
- Flexible Configuration: Add multiple domains (SAN), wildcard domains, and more
- No Installation Required: No need to install OpenSSL or other command-line tools; generate the CSR directly in your browser
Security Notice
When using our CSR generator, both the private key and CSR are generated locally in your browser and never uploaded to any server. You can use this tool completely offline.
When Do You Need to Generate a CSR?
You need to generate a CSR when:
- Purchasing a New SSL Certificate: First-time SSL/TLS certificate application for a domain
- Renewing an Expiring Certificate: When an existing certificate is about to expire and requires regeneration
- Changing Domain Information: When you need to modify domain names or organization information in the certificate
- Key Compromise: If you suspect private key leakage, immediately generate a new key pair and CSR
How to Choose a Hash Algorithm for CSR
Hash algorithms are used to create digital signatures for certificates. Choosing the right hash algorithm is crucial for certificate security. Our CSR generator supports three mainstream hash algorithms:
SHA-256 (Recommended)
SHA-256 is currently the most widely used hash algorithm, offering the best balance of security and performance:
- Security: 256-bit output, sufficient to resist all known attacks
- Compatibility: Supported by all modern browsers and operating systems
- Performance: Fast computation speed, suitable for most scenarios
- Recommended Use: Should be chosen in 99% of cases
SHA-384
SHA-384 provides higher security but with slightly greater computational overhead:
- Security: 384-bit output, larger security margin
- Use Cases: Industries with extremely high security requirements such as finance and healthcare
- Compatibility: Supported by all modern systems
SHA-512
SHA-512 provides the highest level of security:
- Security: 512-bit output, strongest security guarantee
- Performance Impact: Relatively slower computation and verification
- Use Cases: Very few scenarios with special security requirements
Recommendation
For the vast majority of users, we recommend using SHA-256. Unless you have special compliance requirements, SHA-256 already provides sufficient security.
How to Choose a Signature Algorithm for CSR
When you generate a CSR online, you need to choose a signature algorithm. There are two main options: RSA and ECDSA.
RSA Algorithm
RSA is the most traditional and widely used signature algorithm:
Advantages:
- Broad Compatibility: Supported by virtually all devices and browsers, including legacy systems
- Mature and Stable: Proven through decades of practical use
- High CA Support: Supported by all Certificate Authorities
Disadvantages:
- Large Key Size: Typically requires 2048-bit or 4096-bit keys to ensure security
- Performance Overhead: Encryption and decryption operations are relatively slow
- Large Certificate Size: Generated certificate files are larger
Recommended Key Lengths:
- 2048 bits: Standard choice, secure with good performance, suitable for most scenarios
- 4096 bits: Higher security but with noticeable performance impact, suitable for high-security requirements
ECDSA Algorithm
ECDSA (Elliptic Curve Digital Signature Algorithm) is a more modern choice:
Advantages:
- Compact Key Size: A 256-bit ECDSA key provides security equivalent to a 3072-bit RSA key
- Excellent Performance: Faster signature generation and verification
- Bandwidth Friendly: Smaller certificate size, faster transmission
- Mobile-Friendly: Better suited for resource-constrained devices
Disadvantages:
- Compatibility: Some legacy systems may not support it (e.g., Windows XP, Android 4.x and below)
- CA Support: Some Certificate Authorities may not support it or charge extra fees
Recommended Curves:
- P-256 (secp256r1): Standard choice, widely supported
- P-384 (secp384r1): Higher security level
Which Should You Choose?
Recommended: RSA 2048
If your website needs to support all users (including those using legacy devices), RSA 2048 bits is the safest choice. Use our online CSR generator to easily create RSA certificate signing requests.
Recommended: ECDSA P-256
Mobile applications are typically sensitive to performance and bandwidth. ECDSA's small size and high performance make it an ideal choice. All modern mobile devices support ECDSA.
Recommended: RSA 2048 or Higher
Enterprise environments may need to support various operating system versions, where RSA's compatibility advantage is clear. If there are special security requirements, choose RSA 4096.
Recommended: ECDSA P-256
API services are typically called by modern clients, allowing you to fully leverage ECDSA's performance advantages and reduce TLS handshake time.
How to Generate CSR Using OpenSSL
While we provide a convenient online csr generator, it's also useful to understand how to generate CSR using command-line tools. OpenSSL is the most commonly used command-line tool.
RSA Certificate Signing Request
# Generate 2048-bit RSA private key and CSR
openssl req -new -newkey rsa:2048 -nodes \
-keyout domain.key \
-out domain.csr
# Generate 4096-bit RSA private key and CSR
openssl req -new -newkey rsa:4096 -nodes \
-keyout domain.key \
-out domain.csr
After execution, you will be prompted to enter the following information:
- Country Name (country code, e.g., US)
- State or Province (state/province)
- Locality Name (city)
- Organization Name (organization name)
- Organizational Unit (department)
- Common Name (domain, e.g., autossl.dev)
- Email Address (optional)
First create a configuration file csr.conf:
# Request configuration section
[req]
default_bits = 2048 # RSA key size in bits
prompt = no # Disable interactive prompts
default_md = sha256 # Hash algorithm for signature
distinguished_name = dn # Reference to DN section below
req_extensions = req_ext # Reference to extensions section
# Distinguished Name (certificate subject information)
[dn]
C = US # Country code
ST = California # State or Province
L = San Francisco # Locality (city)
O = Example Company # Organization name
CN = autossl.dev # Common Name (primary domain)
# Request extensions (additional certificate attributes)
[req_ext]
subjectAltName = @alt_names # Reference to alternative names section
# Subject Alternative Names (additional domains for this certificate)
[alt_names]
DNS.1 = autossl.dev # Primary domain
DNS.2 = www.autossl.dev # Subdomain with www
DNS.3 = *.autossl.dev # Wildcard for all subdomains
Then generate the CSR:
openssl req -new -nodes \
-newkey rsa:2048 \
-keyout domain.key \
-out domain.csr \
-config csr.conf
Alternatively, pass the subject directly on the command line with -subj:
openssl req -new -newkey rsa:2048 -nodes \
-keyout domain.key -out domain.csr \
-subj "/C=US/ST=California/L=San Francisco/O=Example Company/CN=autossl.dev"
Note: This method cannot add SAN (Subject Alternative Names).
ECDSA Certificate Signing Request
# Generate ECDSA private key using P-256 curve
openssl ecparam -genkey -name prime256v1 -out domain.key
# Using P-384 curve
openssl ecparam -genkey -name secp384r1 -out domain.key
# Generate CSR based on private key
openssl req -new -key domain.key -out domain.csr
Verifying Generated CSR
After generating the CSR, use the following commands to verify its contents:
# View detailed CSR information
openssl req -text -noout -in domain.csr
# Verify CSR signature
openssl req -verify -in domain.csr
# Extract domain information from CSR
openssl req -noout -subject -in domain.csr
Private Key Security
The generated private key file (such as domain.key) must be kept secure and not disclosed to anyone. It's recommended to set strict file permissions:
chmod 600 domain.key
Frequently Asked Questions
What is the Relationship Between CSR and Private Key?
When you generate a CSR, you actually generate a key pair: a Private Key and a Public Key. The CSR contains the public key and your identity information, while the private key must be kept confidential. The CA uses the information in the CSR to issue a certificate, which can only be used with the corresponding private key.
Can the Same CSR Be Reused?
Technically yes, but it's not recommended. Best practice is to generate a new key pair and CSR each time you apply for a new certificate. If a certificate expires or needs to be reissued (such as when changing CAs), you should generate a new certificate signing request.
What Needs to Be Retained After Submitting the CSR?
You must retain the private key file! After the certificate is issued, you need the private key to configure SSL/TLS. If you lose the private key, you cannot use the certificate even if you have it, and you'll need to reapply.
What's the Difference Between Online Tools and Command-Line Generation?
Functionally, there is no difference. Our CSR generator uses the Web Crypto API to generate keys in the browser, which is fully compatible with OpenSSL-generated results. The advantage of online tools is that they are more intuitive and user-friendly, requiring no software installation or command memorization.
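The CSR/private-key relationship and the in-process generation described in the answers above, as an added example (not this tool's own code): it hand-encodes a PKCS#10 request for a new ECDSA P-256 key with SHA-256 and SAN entries, then checks the self-signature the way a CA would. It uses Node's built-in crypto module rather than the browser Web Crypto API so that it runs synchronously; der, oid, buildCsr and selfSignatureOk are names invented for this sketch.

```javascript
const crypto = require('node:crypto');

// DER tag-length-value encoder (body lengths up to 65535 bytes).
function der(tag, ...parts) {
  const body = Buffer.concat(parts);
  const n = body.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}
const oid = (hex) => der(0x06, Buffer.from(hex, 'hex'));

// Build a PKCS#10 request for a fresh ECDSA P-256 key pair (hypothetical helper).
function buildCsr(commonName, dnsNames) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  // Subject: one RDN, CN=<commonName> (OID 2.5.4.3, UTF8String).
  const subject = der(0x30, der(0x31, der(0x30, oid('550403'),
    der(0x0c, Buffer.from(commonName, 'utf8')))));
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  // extensionRequest attribute carrying subjectAltName (OID 2.5.29.17) dNSName entries.
  const san = der(0x30, ...dnsNames.map((d) => der(0x82, Buffer.from(d, 'ascii'))));
  const exts = der(0x30, der(0x30, oid('551d11'), der(0x04, san)));
  const attrs = der(0xa0, der(0x30, oid('2a864886f70d01090e'), der(0x31, exts)));
  // certificationRequestInfo = version 0, subject, public key, attributes.
  const info = der(0x30, der(0x02, Buffer.from([0])), subject, spki, attrs);
  // Proof of possession: sign the info with the private key (ecdsa-with-SHA256).
  const signature = crypto.sign('sha256', info, privateKey);
  const csr = der(0x30, info, der(0x30, oid('2a8648ce3d040302')),
    der(0x03, Buffer.from([0]), signature));
  const b64 = csr.toString('base64').match(/.{1,64}/g).join('\n');
  return {
    csrPem: `-----BEGIN CERTIFICATE REQUEST-----\n${b64}\n-----END CERTIFICATE REQUEST-----\n`,
    // The private key stays on this machine; it is never part of the CSR.
    keyPem: privateKey.export({ type: 'pkcs8', format: 'pem' }),
    info, signature, publicKey,
  };
}

// First check a CA makes: the request must be signed by the key it contains.
function selfSignatureOk({ info, signature, publicKey }) {
  return crypto.verify('sha256', info, publicKey, signature);
}

const demo = buildCsr('autossl.dev', ['autossl.dev', 'www.autossl.dev', '*.autossl.dev']);
console.log(demo.csrPem, 'self-signature valid:', selfSignatureOk(demo));
```

Saving the printed request to domain.csr lets you inspect it with the openssl req -text -noout and -verify commands shown earlier.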
Best Practices
- Key Length Selection: For RSA, use at least 2048 bits; for ECDSA, use P-256 or higher
- Regular Certificate Updates: Don't wait until the certificate expires to renew; it's recommended to renew 30 days in advance
- Use SHA-256: Unless you have special requirements, SHA-256 is the best choice
- Add SAN: If your website has multiple domains (such as autossl.dev and www.autossl.dev), add all domains when generating the CSR
- Protect Private Keys: Use strict file permissions and consider encrypted storage
- Backup Private Keys: Back up private keys to a secure location, but ensure backups are also properly protected
Use our CSR generator tool now to quickly and securely generate certificate signing requests for your website!