Generate OpenSSL commands to create Certificate Signing Requests (CSR) and private keys — free, instant, runs entirely in your browser. No data is sent to any server.


Frequently asked questions

What is a Certificate Signing Request (CSR)?

A CSR is a block of encoded text you submit to a Certificate Authority (CA) when applying for an SSL/TLS certificate. It contains your public key along with identifying information — domain name (Common Name), organisation, country, and optionally Subject Alternative Names. The CA uses the CSR to issue a signed certificate without ever seeing your private key.

Is this tool safe to use? Is my private key secure?

Yes. This tool generates the OpenSSL commands for you to run on your own machine. No private keys, CSR data, or form inputs are ever transmitted to a server — everything runs in JavaScript inside your browser. You can verify this by opening the page source or using it fully offline.

RSA vs EC — which key type should I choose?

RSA 2048-bit is universally supported and is a safe default. RSA 4096-bit offers stronger security at the cost of slightly slower TLS handshakes. Elliptic Curve (EC) keys using P-256 or P-384 are smaller, faster, and provide equivalent or better security — they are increasingly preferred for modern deployments. Check your CA and web server support before choosing EC.

What are Subject Alternative Names (SANs) and when do I need them?

SANs allow one certificate to cover multiple hostnames, IP addresses, or email addresses. For example, a single certificate can protect example.com, www.example.com, and api.example.com. Modern browsers require SANs — the Common Name alone is no longer trusted for hostname validation. Use SANs for any multi-domain or wildcard certificate.

How do I use the generated OpenSSL command?

Copy the generated commands and paste them into a terminal on the machine where you want to generate your certificate. You need OpenSSL installed — it is available on Linux, macOS, and Windows (via Git Bash or WSL). Run the key generation command first, then the CSR command. Submit the resulting .csr file to your Certificate Authority.
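
The sequence described above, as an added example rather than output from this tool: it generates an unencrypted EC P-256 key and a CSR carrying SANs, then checks the CSR before it is submitted. Subject fields, hostnames and file names are placeholders, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not the tool's own output. Hostnames, subject fields and
# file names are placeholders chosen for illustration.

# make_csr DIR CN SAN... : write DIR/server.key and DIR/server.csr
make_csr() (
    dir=$1; cn=$2; shift 2
    san=$(IFS=,; echo "$*")      # join SANs into the "DNS:a,DNS:b" form
    umask 077                    # key is unencrypted, so keep it owner-only
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/server.key" 2>/dev/null || exit 1
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=GB/O=Example Ltd/CN=$cn" -addext "subjectAltName=$san"
)

# The CSR's self-signature shows it was made with the matching private key.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# The public key inside the CSR must equal the one derived from the key file.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Exact-match a single SAN entry, e.g. DNS:www.example.com
csr_has_san() {
    openssl req -in "$1" -noout -text | tr -d ' ' | tr ',' '\n' | grep -Fxq "$2"
}

# Demo run in a throwaway directory
dir=$(mktemp -d)
make_csr "$dir" example.com DNS:example.com DNS:www.example.com DNS:api.example.com
csr_signature_ok "$dir/server.csr" && echo "self-signature: OK"
csr_matches_key "$dir/server.csr" "$dir/server.key" && echo "key match: OK"
csr_has_san "$dir/server.csr" DNS:api.example.com && echo "SAN present: OK"
csr_has_san "$dir/server.csr" DNS:example.co || echo "unlisted name: absent"
rm -rf "$dir"
```

Only the `.csr` file goes to the CA; the `.key` file stays on the machine that generated it.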

What does the -nodes flag do in the one-liner command?

The -nodes flag (no DES) means the generated private key will not be encrypted with a passphrase. This is convenient for automated web servers that need to read the key at startup without user input. If you want passphrase protection, omit -nodes and OpenSSL will prompt you to set one.