Fill in the certificate subject, generate a CSR and private key locally — the key is never uploaded
Separate multiple domains with commas, spaces or newlines; the CN is added to the SAN automatically.
A CSR (Certificate Signing Request) is the file you submit to a Certificate Authority (CA) when requesting an SSL/TLS certificate. It contains your domain, organization details and public key. The CA validates it and issues a certificate, while the matching private key always stays with you and is never submitted.
This tool generates the key pair in your browser with WebCrypto and builds a standard PKCS#10 CSR with pkijs — neither the private key nor the CSR ever touches the network. Copy or download the PEM files and use them with Nginx, Apache or any CA's enrollment form.
No. The key pair is generated entirely in your browser with WebCrypto, and neither the private key nor the CSR is sent over the network. You can confirm this in your browser's Network panel — the whole process makes zero requests.
RSA 2048 offers the broadest compatibility. ECDSA P-256 gives equivalent security with shorter keys and faster handshakes, and is widely supported by modern servers and browsers. For higher strength choose RSA 3072/4096 or ECDSA P-384.
Modern browsers only validate the domains in the SAN (Subject Alternative Name); the CN (Common Name) is no longer used for hostname matching. This tool automatically merges the CN into the SAN so they stay consistent and the certificate covers your primary domain.
After downloading csr.pem, run openssl req -in csr.pem -noout -text to inspect the Subject and Subject Alternative Name and confirm they match what you entered.