CSR Decoder
Decode a Certificate Signing Request and check its details before you send it to a certificate authority — the subject, Subject Alternative Names, key type and size, and signature algorithm. Parsed entirely in your browser; nothing is uploaded.
The CSR is parsed entirely in your browser — nothing is uploaded. A CSR contains only public information (your subject details and public key), not your private key, so it is safe to inspect. Still, generate and handle it on a machine you trust.
How to use the CSR decoder
- Paste a Certificate Signing Request in PEM form (it starts with -----BEGIN CERTIFICATE REQUEST-----) and press Decode.
- Check the subject (especially the Common Name), the Subject Alternative Names, and the key type and size are what you intended before you send the CSR to a certificate authority.
- Catch mistakes early — a typo in the CN or a missing SAN means a reissued certificate and a wasted round-trip with the CA.
What a CSR contains
A CSR (PKCS#10) bundles the information a certificate authority needs to issue your certificate: the subject distinguished name (organisation, common name and so on), the public key and its algorithm, any requested Subject Alternative Names, and a signature made with your private key to prove you hold it. Crucially, it does not contain the private key itself — that stays on your server.
Common things to verify
- Common Name and SANs. Modern browsers ignore the CN for hostname matching and use SANs, so every hostname you need — including www — must appear in the SAN list.
- Key type and size. Use an RSA key of 2048 bits or higher, or an EC key on P-256 or P-384. A 1024-bit key will be rejected.
- Subject fields. Public CAs now ignore most organisational fields for domain-validated certs, but they must still be correct for OV/EV.
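The SAN and key-size checks above can also be scripted. The following is an added example, not this tool's own code: a standard-library Python sketch that walks the PKCS#10 DER structure, collects the requested SAN dNSName entries and the RSA modulus size, and reports required hostnames that are missing and RSA keys under 2048 bits. It does not verify the CSR's signature or evaluate EC curves; `csr_problems`, `children`, `tlv` and `SAMPLE_PEM` are names chosen here, and the sample is a constructed structure with a placeholder modulus, an empty subject and a dummy signature.

```python
import base64
OID_RSA = bytes.fromhex("2a864886f70d010101")      # rsaEncryption
OID_EXT_REQ = bytes.fromhex("2a864886f70d01090e")  # PKCS#9 extensionRequest
OID_SAN = bytes.fromhex("551d11")                  # subjectAltName (2.5.29.17)

def children(value):  # split DER bytes into (tag, contents) pairs, one per element
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def csr_problems(pem, required_hosts):  # missing SAN hostnames, undersized RSA key
    lines = [ln for ln in pem.splitlines() if "-----" not in ln]
    info = children(children(base64.b64decode("".join(lines)))[0][1])[0][1]
    _version, _subject, spki, *attrs = children(info)  # CertificationRequestInfo
    alg, key = children(spki[1])
    found, sans = [], []
    if children(alg[1])[0][1] == OID_RSA:  # key[1][0] is the BIT STRING pad-count byte
        modulus = children(children(key[1][1:])[0][1])[0][1]
        if int.from_bytes(modulus, "big").bit_length() < 2048:
            found.append("RSA key smaller than 2048 bits")
    for _, attr in children(attrs[0][1] if attrs else b""):
        oid, values = children(attr)
        exts = children(children(values[1])[0][1]) if oid[1] == OID_EXT_REQ else []
        for _, ext in exts:
            parts = children(ext)  # OID, optional critical flag, OCTET STRING
            if parts[0][1] == OID_SAN:
                names = children(children(parts[-1][1])[0][1])
                sans += [v.decode("ascii").lower() for t, v in names if t == 0x82]
    return found + [f"SAN missing: {h}" for h in required_hosts if h.lower() not in sans]

def tlv(tag, *parts):  # minimal DER encoder, used only to build the sample below
    body = b"".join(parts)
    n = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (n if len(body) < 128 else bytes([0x80 | len(n)]) + n) + body

# Constructed sample, not a real request: 1024-bit placeholder key, SAN list lacks www.
_ext = tlv(0x30, tlv(6, OID_SAN), tlv(4, tlv(0x30, tlv(0x82, b"example.com"))))
_attrs = tlv(0xA0, tlv(0x30, tlv(6, OID_EXT_REQ), tlv(0x31, tlv(0x30, _ext))))
_key = tlv(3, b"\x00", tlv(0x30, tlv(2, b"\x00" + b"\xc3" * 128), tlv(2, b"\x01\x00\x01")))
_info = tlv(0x30, tlv(2, b"\x00"), tlv(0x30), tlv(0x30, tlv(0x30, tlv(6, OID_RSA), tlv(5)), _key), _attrs)
_sig = tlv(0x30, tlv(6, bytes.fromhex("2a864886f70d01010b")), tlv(5)) + tlv(3, bytes(129))
_b64 = base64.b64encode(tlv(0x30, _info, _sig)).decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE REQUEST-----\n{_b64}\n-----END CERTIFICATE REQUEST-----\n"
```

Calling `csr_problems(SAMPLE_PEM, ["example.com", "www.example.com"])` reports both the undersized key and the missing www host; an empty list means neither check found a problem.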
This tool pairs with the certificate decoder (for issued certificates) and the certificate-to-CSR generator.
Frequently asked questions
What is in a CSR?
A Certificate Signing Request (PKCS#10) contains the subject details, the public key and its algorithm, any requested Subject Alternative Names, and a signature proving you hold the private key. It does not contain the private key itself, so it is safe to inspect and to send to a certificate authority.
What should I check before submitting a CSR?
That the Common Name and every Subject Alternative Name are correct (browsers match hostnames against SANs, so include the www host and any subdomains), and that the key is RSA 2048+ or an EC key on P-256/384. A missing SAN is the most common cause of a certificate reissue.
Is it safe to paste a CSR here?
Yes. A CSR carries only public information, and this tool parses it entirely in your browser — nothing is uploaded. Your private key is never part of a CSR and stays on your server.