How to generate a CSR (online, no OpenSSL)

A Certificate Signing Request (CSR) is what you send to a Certificate Authority (CA) to get an SSL/TLS certificate. Here's how to create a correct one in about a minute — right in your browser.

Open the CSR generator →

What a CSR actually contains

A CSR is a PKCS#10 message that bundles three things: your public key, your identity (domain and optional organization details), and a self-signature proving you hold the matching private key. The CA reads it, validates you, and issues a certificate for that public key. Your private key never leaves your side and is never sent to the CA.

Step 1 — Common Name (CN)

The CN is the primary domain the certificate secures, e.g. example.com or *.example.com for a wildcard. Modern certificates are validated against the SAN list, not the CN, so the CN is now optional — you can generate a SAN-only CSR. If you do set a CN, it's automatically copied into the SAN list for you.

Step 2 — Subject Alternative Names (SANs)

Add every hostname the certificate must cover: www.example.com, api.example.com, and so on. You can also add IP addresses. Browsers ignore the CN and only trust SANs, so this step is the one that actually matters. In PQCert the SAN type (DNS, IP, email, URI) is auto-detected, and duplicates are removed.

Step 3 — Choose a key algorithm

Not sure which? See RSA vs ECDSA vs Ed25519 vs ML-DSA.

Step 4 — Generate and download

Generate the request. You'll get two files:

  1. .csr — submit this to your CA (Let's Encrypt, DigiCert, Sectigo, or an internal CA).
  2. .key — your private key. Keep it secret and access-controlled; you cannot recover it if lost.
Security tip: never email or commit your private key. Store it on the server that will use it, out of logs and version control.

The equivalent OpenSSL command

Prefer the CLI? A typical request looks like:

openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout example.com.key -out example.com.csr -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

PQCert shows this exact command live as you fill the form, so you can copy it or just download the result directly.

After you have the certificate

Once the CA issues your certificate, install it together with the private key on your web server or load balancer. Want to double-check a request before submitting? Decode and verify the CSR first.

Generate your CSR now →

Related guides

RSA vs ECDSA vs Ed25519 vs ML-DSA How to decode and verify a CSR Is my website quantum-safe?