CSR Parser

Inspect a CSR in seconds

Validate what will appear on your SSL/TLS certificate before sending it to a Certificate Authority. Detect missing SANs, weak keys, or outdated algorithms.

Instant decoding

Paste your CSR and immediately get the subject, SANs, key type, and signature algorithm. No installation required.

Pre-submission validation

Verify that all domains are present in the SANs before sending the CSR to your CA. Avoid costly back-and-forth.

Security analysis

Check key size (RSA 2048+ or EC P-256/P-384) and signature algorithm (SHA-256 minimum) to meet current standards.

Error detection

Identify common issues: missing SANs, obsolete CN, weak key, incorrect IDN encoding. Fix before submission.

OpenSSL examples

See OpenSSL commands to generate an RSA or EC CSR with SANs. Copy, paste, and adapt to your domain.

Why use this analyzer?

Validate what will appear on your certificate before sending it to a Certificate Authority (CA). Detect a missing SAN, a weak key, an outdated algorithm, or dubious IDN encoding. Save time during onboarding or renewal by reading the useful fields right away.


What is a CSR?

A Certificate Signing Request is a PEM-format text file containing:

  • Your public key (RSA or EC)
  • Identity information: subject (CN, O, OU, L, ST, C) and SANs
  • A signature made with your private key to prove possession

The CSR is sent to a CA (Let's Encrypt, DigiCert, GlobalSign, Sectigo...) which issues the certificate if validation passes (DV, OV, or EV).


When to generate a CSR?

Use case | Description
New certificate | Creating a TLS certificate for web server, API, MTA
Renewal | Renewing an existing certificate with a new key pair
Adding SANs | Adding a new subdomain or FQDN to the certificate
RSA to EC migration | Switching to EC key for better performance
Standardization | Harmonizing fields across a heterogeneous infrastructure

What should a good CSR contain?

Required fields

  • SAN (Subject Alternative Names): list of all covered names, including the bare domain if needed. Without SANs, many CAs will reject the request.
  • Public key: RSA 2048 bits minimum (ideally 3072) or EC P-256/P-384
  • Signature: SHA-256 recommended (SHA-1 rejected)

Optional fields

  • Subject CN: often ignored by modern CAs, but keep it for compatibility
  • O, OU, L, ST, C: useful for OV/EV, unnecessary for DV
  • Key Usage / Extended Key Usage: depending on your specific needs

Important: A CN alone is no longer sufficient. SANs are mandatory for most CAs.


OpenSSL examples

RSA 3072 CSR with SANs

san.cnf file:

[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = www.example.com
[ v3_req ]
subjectAltName = @alt
[ alt ]
DNS.1 = www.example.com
DNS.2 = example.com

Command:

openssl req -new -newkey rsa:3072 -nodes -keyout site.key -out site.csr -config san.cnf

EC P-256 CSR with SANs

openssl ecparam -name prime256v1 -genkey -noout -out site.key
openssl req -new -key site.key -out site.csr -config san.cnf

Internationalized Domain Names (IDN)

Use punycode (xn--...) in SANs to avoid encoding surprises.


Common errors

Error | Impact | Solution
Missing SANs | Certificate covers fewer names than expected | Add all domains in the [alt] section
RSA 1024 or SHA-1 | Likely rejection by CA | Use RSA 2048+ and SHA-256
Private key exposed | Security compromise | Never paste private key online
Incorrect IDN encoding | Domain not recognized | Use exact punycode
Wildcard without bare domain | *.example.com doesn't cover example.com | Add both in SANs

Best practices

  1. Generate the key pair server-side and keep the private key off any shared system
  2. Prefer EC P-256/P-384 or RSA 3072+ for new deployments
  3. Limit the SAN list to what is actually needed
  4. Keep a log: date, subject, SANs, key size, responsible person
  5. Test the CSR after generation to avoid back-and-forth with the CA
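
Step 5 can be scripted locally with the same OpenSSL CLI, so neither the CSR nor the key leaves the server. This is an added example, not part of the original page or the CaptainDNS tool; the function names make_sample_csr and check_csr are hypothetical, and the parsing assumes the `openssl req -text` output layout of OpenSSL 1.1.1 and 3.x.

```shell
# Constructed sample input: the page's san.cnf and its EC P-256 commands.
make_sample_csr() {   # $1 = output directory
    cat > "$1/san.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = www.example.com
[ v3_req ]
subjectAltName = @alt
[ alt ]
DNS.1 = www.example.com
DNS.2 = example.com
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/site.key" &&
    openssl req -new -key "$1/site.key" -out "$1/site.csr" -config "$1/san.cnf"
}

# check_csr FILE NAME...  prints one line per finding and returns 1 if any.
check_csr() {
    csr=$1; shift; rc=0
    text=$(openssl req -in "$csr" -noout -text -verify 2>&1) ||
        { echo "openssl could not parse or verify the CSR"; return 1; }
    # Proof of possession: the self-signature must verify (older openssl exits 0 on failure).
    case $text in *"verify OK"*) ;; *) echo "signature does not verify"; rc=1 ;; esac
    # Key size floor from the page: RSA 2048+, EC P-256 or larger (other key types are flagged).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then min=2048; else min=256; fi
    [ "${bits:-0}" -ge "$min" ] || { echo "weak key: ${bits:-unknown} bits"; rc=1; }
    # Signature hash: SHA-1 and MD5 are flagged.
    sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
    case $(printf '%s' "$sig" | tr 'A-Z' 'a-z') in *sha1*|*md5*) echo "weak signature: $sig"; rc=1 ;; esac
    # Every expected name must be an exact DNS SAN entry (a wildcard does not count for the bare domain).
    sans=$(printf '%s\n' "$text" | tr ',' '\n' | sed -n 's/^ *DNS://p')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$name" || { echo "missing SAN: $name"; rc=1; }
    done
    return $rc
}

# Demo on the constructed CSR: prints "CSR OK" when every check passes.
demo=$(mktemp -d) && make_sample_csr "$demo" &&
    check_csr "$demo/site.csr" www.example.com example.com && echo "CSR OK"
rm -rf "$demo"
```

Pass every hostname the certificate must cover as an argument; a non-zero exit status makes the check usable as a gate in a renewal script.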

Privacy

Your CSR is sent to the CaptainDNS API only to be decoded and displayed. Content is not stored. No field is logged in clear text. Only anonymous technical metrics are recorded (processing time, size, key type, algorithm) for availability monitoring.