Before you submit a Certificate Signing Request — or when you inherit one — it pays to read exactly what's inside. Here's how to decode a CSR and confirm it matches your private key.
Paste the PEM block (starts with -----BEGIN CERTIFICATE REQUEST-----).
Read the parsed subject, SANs, key, signature validity and extensions.
PQCert also runs a compliance lint — flagging weak keys, missing SANs, or deprecated hashes before a CA rejects them.
Verify the CSR matches your private key
A common renewal mistake is pairing a CSR with the wrong key. In the decoder, expand "check a private key matches this CSR" and paste your key — the match is computed locally in your browser, so the key is never sent anywhere. You'll get a clear "key pair matches / does not match" verdict.
The OpenSSL equivalents
To read a CSR: openssl req -in request.csr -noout -text -verify
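The key-match check described above can also be done with OpenSSL. The script below is an added example, not part of the original page or PQCert's own code; the function names and file paths are assumptions. It compares the public key embedded in the CSR with the one derived from the private key, entirely on the local machine.

```shell
#!/bin/sh
# Usage: sh csr_match.sh request.csr private.key   (file names are assumptions)

# Print the public key carried inside a CSR, re-encoded as SubjectPublicKeyInfo PEM.
csr_pubkey() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -pubout
}

# Print the public key derived from a private key, in the same encoding.
# An encrypted key makes OpenSSL prompt for its passphrase.
key_pubkey() {
    openssl pkey -in "$1" -pubout
}

# Exit status: 0 = match, 1 = different key pair, 2 = a file could not be parsed.
csr_matches_key() {
    csr_pub=$(csr_pubkey "$1" 2>/dev/null) || return 2
    key_pub=$(key_pubkey "$2" 2>/dev/null) || return 2
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Create a throwaway P-256 key and a CSR for it (constructed sample data).
make_sample() {   # $1 = key path, $2 = CSR path
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null &&
    openssl req -new -key "$1" -subj "/CN=example.test" -out "$2" 2>/dev/null
}

# Run the check only when a CSR and a key are given on the command line.
if [ "$#" -eq 2 ]; then
    csr_matches_key "$1" "$2"
    case $? in
        0) echo "key pair matches" ;;
        1) echo "key pair does not match" ;;
        *) echo "could not parse CSR or key" >&2 ;;
    esac
fi
```

Comparing the re-encoded public keys works for any key type OpenSSL can load, which is why the script does not compare RSA moduli.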