How to decode and verify a CSR

Before you submit a Certificate Signing Request — or when you inherit one — it pays to read exactly what's inside. Here's how to decode a CSR and confirm it matches your private key.

What you can read from a CSR

Decode it online

  1. Open the Decode / Inspect tab.
  2. Paste the PEM block (starts with -----BEGIN CERTIFICATE REQUEST-----).
  3. Read the parsed subject, SANs, key, signature validity and extensions.

PQCert also runs a compliance lint — flagging weak keys, missing SANs, or deprecated hashes before a CA rejects them.

Verify the CSR matches your private key

A common renewal mistake is pairing a CSR with the wrong key. In the decoder, expand "check a private key matches this CSR" and paste your key — the match is computed locally in your browser, so the key is never sent anywhere. You'll get a clear "key pair matches / does not match" verdict.

The OpenSSL equivalents

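To read a CSR and check its self-signature:

  openssl req -in request.csr -noout -text -verify

To check that a key matches (compare moduli, which applies to RSA keys), run both commands and confirm the two digests are identical:

  openssl req -in request.csr -noout -modulus | openssl md5
  openssl rsa -in private.key -noout -modulus | openssl md5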
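The modulus comparison above only works for RSA keys. As an added example (not PQCert's code), this shell function compares the full public key instead, so it also covers ECDSA and Ed25519; the function names, return codes and the throwaway demo key and CSR are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: key-type-agnostic check that a CSR belongs to a private key.

# Returns 0 = CSR self-signature verifies AND its public key equals the key's,
#         1 = public keys differ,
#         2 = unreadable input or CSR self-signature did not verify.
csr_matches_key() {
    csr=$1; key=$2
    # Compare the SubjectPublicKeyInfo PEM blocks rather than the RSA modulus,
    # so the same check works for RSA, ECDSA and Ed25519 keys.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$csr_pub" ] && [ -n "$key_pub" ] || return 2
    # A CSR is signed by the requester's key. Match on the "verify OK" text
    # instead of relying on the exit status alone.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 2
    [ "$csr_pub" = "$key_pub" ]
}

# Constructed demo input: two throwaway P-256 keys and a CSR for the first.
# Prints the status codes for: matching pair, wrong key, missing CSR file.
demo() {
    d=$(mktemp -d) || return 2
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$d/a.key" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$d/b.key" 2>/dev/null
    openssl req -new -key "$d/a.key" -subj "/CN=example.test" \
        -out "$d/a.csr" 2>/dev/null
    same=0;    csr_matches_key "$d/a.csr" "$d/a.key"       || same=$?
    other=0;   csr_matches_key "$d/a.csr" "$d/b.key"       || other=$?
    missing=0; csr_matches_key "$d/missing.csr" "$d/a.key" || missing=$?
    rm -rf "$d"
    echo "$same $other $missing"
}
```

Call it as `csr_matches_key request.csr private.key` and branch on the exit status.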
