← All Tools

🔐 CSR Decoder

Decode and analyze Certificate Signing Requests (CSR) instantly. Extract and view all certificate information including common name, organization, location, public key details, and signature algorithm. Perfect for SSL/TLS certificate verification and troubleshooting.

Paste your CSR in PEM format

Support TinyToolWeb

Help us keep these tools free and ad-free! Your support allows us to create more useful tools.

About CSR Decoder

The CSR Decoder is a specialized security tool that decodes and analyzes Certificate Signing Requests (CSR) used in SSL/TLS certificate generation. A CSR is a block of encoded text that contains information about your organization and the domain name for which you want to secure. This tool extracts and displays all the information embedded in a CSR, including the common name (domain), organization details, geographical location, public key information, signature algorithm, and key usage extensions. It's essential for system administrators, security professionals, and DevOps engineers who need to verify CSR content before submitting to Certificate Authorities, troubleshoot SSL certificate issues, or audit security configurations.

Features

  • Instant Decoding: Decode CSR files in seconds directly in your browser
  • Subject Information: View Common Name (CN), Organization (O), Organizational Unit (OU), Country (C), State/Province (ST), and Locality (L)
  • Public Key Details: Extract public key algorithm, key size, and modulus information
  • Signature Algorithm: Identify the signature algorithm used in the CSR
  • Subject Alternative Names (SAN): Display all SAN entries for multi-domain certificates
  • Key Usage Extensions: Show intended key usage and extended key usage
  • Validation Status: Verify CSR format and structural integrity
  • Sample CSR: Load a sample CSR to understand the format and test the tool
  • Copy All Information: Copy decoded information to clipboard with one click
  • Client-Side Processing: All decoding happens in your browser - no data sent to servers
  • No File Upload Required: Simply paste the CSR text directly
  • Detailed Error Messages: Clear error reporting with troubleshooting hints

How to Use

  • Step 1: Copy your CSR text including the BEGIN and END markers
  • Step 2: Paste the CSR into the text area on this page
  • Step 3: Click the "Decode CSR" button to extract information
  • Step 4: Review the decoded subject information, public key details, and extensions
  • Step 5: Verify the Common Name matches your intended domain
  • Step 6: Check organization details for accuracy
  • Step 7: Use "Copy All" to save the information for your records
  • Step 8: Click "Load Sample" to see an example if you don't have a CSR ready

Understanding CSR Components

  • Common Name (CN): The fully qualified domain name (FQDN) for the certificate, e.g., "www.example.com"
  • Organization (O): The legal name of your organization or company
  • Organizational Unit (OU): The division or department within your organization
  • Country (C): Two-letter ISO country code where your organization is located
  • State/Province (ST): The state, province, or region where your organization operates
  • Locality (L): The city where your organization is located
  • Subject Alternative Names (SAN): Additional domains or subdomains covered by the certificate
  • Public Key: The cryptographic public key that will be included in the certificate
  • Key Size: The length of the key in bits (typically 2048 or 4096 for RSA)
  • Signature Algorithm: The algorithm used to sign the CSR (e.g., SHA-256 with RSA)

Common Use Cases

  • Pre-Submission Verification: Verify CSR content before submitting to Certificate Authority (CA)
  • Domain Validation: Confirm the Common Name matches the intended domain
  • Organization Details Check: Ensure organization information is correct for EV/OV certificates
  • Multi-Domain Certificates: Verify all domains are included in Subject Alternative Names
  • Key Size Verification: Confirm the key meets security requirements (minimum 2048-bit RSA)
  • Troubleshooting SSL Issues: Diagnose certificate request problems during SSL setup
  • Security Audits: Review CSR security parameters during compliance checks
  • Certificate Renewal: Verify new CSR matches existing certificate details
  • Wildcard Certificates: Confirm wildcard notation (*.example.com) is correct
  • DevOps Automation: Validate CSR format in automated certificate workflows
  • Training & Education: Learn about CSR structure and SSL/TLS concepts
  • Documentation: Extract CSR information for security documentation

CSR Format Requirements

For successful decoding, your CSR must meet these requirements:

  • PEM Format: CSR must be in PEM (Privacy Enhanced Mail) format with Base64 encoding
  • Header Required: Must begin with "-----BEGIN CERTIFICATE REQUEST-----"
  • Footer Required: Must end with "-----END CERTIFICATE REQUEST-----"
  • Base64 Content: The content between headers must be valid Base64 encoded data
  • Line Breaks: Content should have line breaks approximately every 64 characters
  • No Extra Characters: Avoid adding extra spaces, tabs, or characters outside the CSR block
  • Complete CSR: The entire CSR must be present from BEGIN to END markers

Generating a CSR

CSRs are typically generated using command-line tools or web server control panels:

  • OpenSSL: openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
  • IIS (Windows): Use the Internet Information Services (IIS) Manager to create a certificate request
  • Apache: Generate using OpenSSL, then configure in Apache's SSL configuration
  • Nginx: Generate using OpenSSL, then reference in Nginx SSL configuration
  • cPanel/WHM: Use the built-in SSL/TLS certificate generation tools
  • Java Keytool: keytool -certreq -keyalg RSA -alias domain -file domain.csr -keystore keystore.jks

Security Best Practices

  • Key Size: Use minimum 2048-bit RSA keys; 4096-bit for high-security applications
  • Signature Algorithm: Use SHA-256 or higher; avoid SHA-1 (deprecated)
  • Private Key Security: Never share your private key; store it securely
  • Separate Keys: Generate new key pairs for each certificate request
  • Information Accuracy: Ensure all organization details are accurate for validation
  • SAN Completeness: Include all necessary domains and subdomains in SAN field
  • Wildcard Caution: Use wildcard certificates (*.domain.com) only when necessary
  • Regular Rotation: Renew certificates before expiration; generate new CSRs for renewals

Certificate Types and CSRs

  • Domain Validated (DV): Requires only Common Name; fastest validation
  • Organization Validated (OV): Requires organization details; CA verifies organization
  • Extended Validation (EV): Requires complete organization info; highest level of validation
  • Wildcard Certificates: Use asterisk in CN (*.example.com) to cover all subdomains
  • Multi-Domain (SAN): Include multiple domains in Subject Alternative Names extension
  • Code Signing: Specialized CSR for signing software and applications

Troubleshooting Common Errors

  • "Invalid CSR Format": Check BEGIN/END markers are present and spelled correctly
  • "Decoding Failed": Verify the Base64 content is not corrupted or incomplete
  • "Missing Information": Some fields are optional; this doesn't indicate an error
  • "Key Size Too Small": Modern standards require minimum 2048-bit keys
  • "Unsupported Algorithm": Ensure you're using standard algorithms (RSA, ECDSA)
  • Copy/Paste Issues: Ensure no extra characters were added during copy/paste

Privacy & Security

Your privacy and security are paramount:

  • Client-Side Processing: All CSR decoding happens entirely in your browser
  • No Data Transmission: Your CSR is never sent to any server or third party
  • No Storage: CSR data is not stored, logged, or retained in any way
  • No Analytics on Content: We don't track or analyze CSR content
  • Public Information: CSRs contain public information only (no private keys)
  • Secure Browsing: Always access this tool over HTTPS

CSR vs Certificate vs Private Key

  • Private Key: Secret key that must never be shared; used to decrypt data
  • CSR: Contains public key and organization info; sent to CA for signing
  • Certificate: The signed document from CA; proves your identity and contains public key
  • Certificate Chain: Includes your certificate plus intermediate CA certificates
  • Root Certificate: The trusted CA's root certificate that validates the chain

OpenSSL Commands Reference

  • View CSR: openssl req -text -noout -verify -in domain.csr
  • Generate CSR: openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
  • Generate from Existing Key: openssl req -new -key domain.key -out domain.csr
  • Verify CSR: openssl req -text -noout -verify -in domain.csr
  • Check Key Match: Compare modulus of key and CSR to ensure they match

Frequently Asked Questions

  • Is it safe to decode my CSR here? Yes, all processing is client-side. Your CSR never leaves your browser.
  • Can I decode a certificate instead of a CSR? This tool is specifically for CSRs. Use a certificate decoder for X.509 certificates.
  • What's the difference between CSR and certificate? A CSR is a request; a certificate is the signed response from a CA.
  • Why do I need to decode my CSR? To verify the information is correct before sending to a Certificate Authority.
  • Can this tool generate a CSR? No, this tool only decodes existing CSRs. Use OpenSSL or server tools to generate CSRs.
  • What if some fields are empty? Many fields are optional. Only Common Name is typically required for DV certificates.