A Certificate Signing Request (CSR) is what you send to a Certificate Authority (CA) to get an SSL/TLS certificate. Here's how to create a correct one in about a minute — right in your browser.
Open the CSR generator →A CSR is a PKCS#10 message that bundles three things: your public key, your identity (domain and optional organization details), and a self-signature proving you hold the matching private key. The CA reads it, validates you, and issues a certificate for that public key. Your private key never leaves your side and is never sent to the CA.
The CN is the primary domain the certificate secures, e.g. example.com or *.example.com for a wildcard. Modern certificates are validated against the SAN list, not the CN, so the CN is now optional — you can generate a SAN-only CSR. If you do set a CN, it's automatically copied into the SAN list for you.
Add every hostname the certificate must cover: www.example.com, api.example.com, and so on. You can also add IP addresses. Browsers ignore the CN and only trust SANs, so this step is the one that actually matters. In PQCert the SAN type (DNS, IP, email, URI) is auto-detected, and duplicates are removed.
Not sure which? See RSA vs ECDSA vs Ed25519 vs ML-DSA.
Generate the request. You'll get two files:
.csr — submit this to your CA (Let's Encrypt, DigiCert, Sectigo, or an internal CA)..key — your private key. Keep it secret and access-controlled; you cannot recover it if lost.Prefer the CLI? A typical request looks like:
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout example.com.key -out example.com.csr -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
PQCert shows this exact command live as you fill the form, so you can copy it or just download the result directly.
Once the CA issues your certificate, install it together with the private key on your web server or load balancer. Want to double-check a request before submitting? Decode and verify the CSR first.
Generate your CSR now →