Homeโ€บGeneratorsโ€บSecurityโ€บSSL Certificate CSR Generator

SSL Certificate CSR Generator

Security

Generate the OpenSSL command and config file to create a Certificate Signing Request for your domain. Free, runs in-browser, no private key is ever created or stored.

What is a CSR?

A Certificate Signing Request (CSR) is a structured file you submit to a Certificate Authority (CA) to obtain an SSL/TLS certificate for your domain. The SSL Certificate CSR Generator creates two things instantly: a ready-to-run OpenSSL command and a matching openssl.cnf configuration file tailored to your domain and organisation details. You run that command on your server, and it produces the .csr file you hand to your CA โ€” along with the private key that stays exclusively on your machine.

SSL certificates underpin HTTPS, the standard for encrypting traffic between visitors and your web server. Without a valid certificate, modern browsers display security warnings, search engines deprioritise the site, and payment processors refuse to operate. Getting a certificate right requires generating a CSR with the correct fields: a precise Common Name matching your domain, a two-letter country code, and an appropriate key size. Errors in any field can cause the CA to reject the request or issue a certificate that does not work as expected.

The tool removes the need to remember OpenSSL's syntax. The openssl req command has several flags and an interactive prompt that must be answered in the correct order โ€” easy to mistype under time pressure when a certificate is expiring. By filling a form instead of writing a command from memory, you guarantee the correct flags and subject fields every time.

All inputs โ€” domain name, organisation name, city, state, country โ€” are processed entirely in your browser. Nothing is transmitted to any server. This means you can safely generate CSRs for internal domains, staging environments, and production infrastructure without exposing your organisation details.

If you need to validate that your domain name is correctly formatted before generating a CSR, use the Domain Name Validator. For generating other server configuration files, the .htaccess Generator covers Apache redirect and HTTPS enforcement rules.

How to use this CSR calculator

  1. Enter your Domain Name (Common Name) โ€” the exact FQDN the certificate will protect. For a single domain, use example.com or www.example.com. For a wildcard that covers all subdomains, use *.example.com.

  2. Fill in Organisation Name โ€” your company's registered legal name as it appears in official records (for OV and EV certificates). For domain-validated (DV) certificates, any name is accepted, but matching your legal name avoids potential CA queries.

  3. Optionally fill in Organisation Unit โ€” the department or team name. Leave blank if your CA does not require it; many modern CAs ignore this field.

  4. Enter City / Locality and State / Province โ€” your organisation's registered location. Do not abbreviate the city name; spell it in full as it appears on official documents.

  5. Enter the Country Code โ€” the two-letter ISO 3166-1 alpha-2 code for your country. For India use IN, for the United States use US, for the United Kingdom use GB.

  6. Select your Key Size: 2048-bit (Standard) for most use cases including e-commerce and content sites, or 4096-bit (High Security) for banking, healthcare, or high-value data environments.

  7. The OpenSSL Command and CSR Config File (openssl.cnf) appear instantly. Click the copy button on the OpenSSL Command output to copy it to your clipboard.

  8. On your server, create a file named openssl.cnf and paste the config file contents into it. Then run the copied OpenSSL command in the same directory.

  9. After running the command, locate the generated .csr file. Open it in a text editor, copy the entire contents (from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----), and paste it into your CA's certificate request form.

  10. Keep the generated .key file secure โ€” back it up in an encrypted vault and never share it. When your CA issues the signed certificate, install both the .crt and .key files on your server.

Formula & Methodology

The generator does not perform cryptographic operations itself โ€” it constructs the correct OpenSSL command based on your inputs. Here is the exact mapping from form fields to command output:

Generated OpenSSL command structure:

openssl req -new -newkey rsa:{keySize} -nodes -keyout server.key -out server.csr -config openssl.cnf

- -new โ€” create a new CSR
- -newkey rsa:{keySize} โ€” generate a new RSA key of the selected bit size (2048 or 4096)
- -nodes โ€” do not encrypt the private key with a passphrase (suitable for automated server restarts)
- -keyout server.key โ€” write the private key to server.key
- -out server.csr โ€” write the CSR to server.csr
- -config openssl.cnf โ€” read subject fields from the config file rather than prompting interactively

Generated openssl.cnf structure:

ini [req] default_bits       = {keySize} prompt             = no default_md         = sha256 distinguished_name = dn  [dn] CN = {commonName} O  = {organization} OU = {orgUnit} L  = {city} ST = {stateProvince} C  = {country} 

Each {field} is substituted with the value you entered in the form. The default_md = sha256 line ensures the CSR is signed with SHA-256, which all CAs currently require โ€” SHA-1 has been deprecated and rejected since 2017.

Worked example:

For a company named Redlof Technologies Pvt Ltd operating app.redlof.in from Bengaluru, Karnataka, India with a 2048-bit key, the generated command would be:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config openssl.cnf

And the config file would contain:

ini [dn] CN = app.redlof.in O  = Redlof Technologies Pvt Ltd L  = Bengaluru ST = Karnataka C  = IN 

Running this command produces server.key (your private key, keep secret) and server.csr (your certificate signing request, send to the CA).

Frequently Asked Questions

A Certificate Signing Request (CSR) is a block of encoded text that you submit to a Certificate Authority (CA) when applying for an SSL/TLS certificate. It contains your organisation details โ€” domain name, organisation name, country, and public key โ€” but never your private key. The CA uses the CSR to verify your identity and issue a signed certificate that browsers will trust.
A private key is the cryptographic secret that pairs with the public key embedded in your CSR. It must remain secret on your server at all times โ€” anyone who obtains it can impersonate your domain. This tool does not generate or store private keys. It generates the OpenSSL command you run locally, so the private key is created on your own machine and never leaves it.
The Common Name is the fully qualified domain name (FQDN) that the certificate will protect โ€” for example, `example.com` or `shop.example.com`. For a wildcard certificate that covers all subdomains, use `*.example.com`. The CN must exactly match the domain browsers will check; a mismatch triggers a security warning for visitors.
Both key sizes are considered secure, but they differ in computational cost. A 2048-bit RSA key meets the requirements of all major CAs and is the current industry standard โ€” it is fast to process and supported everywhere. A 4096-bit key provides a larger security margin against future computational advances, but doubles the TLS handshake processing time, which may matter for high-traffic servers or low-power devices.
Copy the generated OpenSSL command and run it in a terminal on the server where you intend to host the certificate. OpenSSL must be installed โ€” it is pre-installed on most Linux/macOS servers. The command creates both a private key file (`.key`) and a CSR file (`.csr`). You then submit the `.csr` file to your chosen Certificate Authority to receive a signed certificate.
The `openssl.cnf` file is an optional configuration file that pre-fills your CSR subject fields so you do not have to type them interactively when running the OpenSSL command. This tool generates both the command and the matching config file together. If you prefer the interactive prompt approach, you can skip the config file and answer each field question when OpenSSL prompts you.
No. All processing runs entirely in your browser using JavaScript. Your domain name, organisation name, and all other fields are never sent to any server. The generated OpenSSL command and config file are produced locally and exist only in your browser tab until you copy or close them. This approach is safe even for sensitive or internal domain names.
The Organisation Unit field is optional and increasingly deprecated by modern CAs โ€” many no longer include it in issued certificates. If your CA requires it, enter the department or team name handling the certificate, such as `IT Security` or `Engineering`. If your CA does not require it, leave this field blank to avoid mismatches during validation.
The country code must be the two-letter ISO 3166-1 alpha-2 code for your organisation's registered country โ€” for example, `IN` for India, `US` for the United States, `GB` for the United Kingdom, or `SG` for Singapore. Using the wrong code will not cause OpenSSL to fail, but it may cause the CA to reject or delay issuing your certificate during domain validation.
Yes. Enter `*.yourdomain.com` in the Domain Name (Common Name) field and the tool will generate a valid wildcard CSR command. A wildcard certificate covers all first-level subdomains โ€” `www`, `api`, `shop`, and so on โ€” under one certificate. Note that wildcard certificates do not cover the apex domain (`yourdomain.com`) itself unless your CA explicitly includes it as a Subject Alternative Name.
You send only the `.csr` file to your Certificate Authority โ€” never the `.key` file. The CSR contains your public key and organisation details; it is designed to be shared. Most CAs provide a web form where you paste the CSR contents, which look like `-----BEGIN CERTIFICATE REQUEST-----` followed by base64-encoded data. Keep the `.key` file private and stored securely on your server.
The CA verifies your domain ownership (and, for OV/EV certificates, your organisation details) and then issues a signed certificate file โ€” typically a `.crt` or `.pem` file. You install this certificate alongside your private key on your web server or load balancer. Most server configurations also require you to include the CA's intermediate certificate chain to achieve full browser trust.
Also known as
CSR generatorSSL CSR generatorcertificate signing requestopenssl CSR commandSSL certificate request