OneWebDesk
All tools
한국어|English

CSR Decoder

Paste a CSR to decode its subject and key information.

CSR Decoder quickly checks the structural validity of a Certificate Signing Request (CSR) in PEM form. It verifies that the -----BEGIN CERTIFICATE REQUEST----- block is present, that the inner base64 is intact, and that it decodes into valid DER bytes. It is ideal for catching copy-paste damage — stray line breaks or spaces — before you submit the CSR to a certificate authority.

The CSR you paste is used only for format validation and SHA-256 fingerprinting on the server and is never stored. To fully read fields like the subject (CN) and SANs, the most accurate approach is to runopenssl req -in csr.pem -noout -text locally. This tool focuses on a lightweight "is the format correct" check right before submission. Once the certificate is issued, expand it with the SSL Certificate Decoder, and after installing it on a server run a live check with the SSL Certificate Checker.

What is a CSR

A CSR is the request data you submit to a certificate authority to obtain an SSL/TLS certificate. It contains your public key and subject information (domain, organization, etc.) and is signed with your private key, usually encoded as Base64 PEM text. The private key itself is never part of the CSR, so it is safe to share.

Create and inspect a CSR with openssl

  • Generate a new key + CSR: openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
  • View CSR contents: openssl req -in domain.csr -noout -text
  • Verify the CSR signature: openssl req -in domain.csr -noout -verify
  • Show subject only: openssl req -in domain.csr -noout -subject

Pre-submission checklist

  • You pasted the entire PEM including the BEGIN/END lines
  • No stray spaces or line breaks broke the base64 body
  • The key is at least 2048-bit RSA or ECDSA P-256 or stronger
  • The Common Name and SANs contain exactly the domains you need

Frequently asked questions

Does this tool show fields like CN or SAN?
No. It only checks structural validity (PEM header, base64, DER decode) and the SHA-256 fingerprint. For detailed fields such as subject, SANs, and signature algorithm, run openssl req -in csr.pem -noout -text locally for the most accurate result.
Is the CSR I paste stored on the server?
No. It is used only for format validation and fingerprinting and is not written to disk. The result may be briefly cached in memory but is never persisted.
It says 'valid' but the CA rejected it.
'Valid' here means the format (PEM/base64/DER structure) is correct. A CA can still reject it for content reasons — key length policy, failed domain validation, or wrong subject data. Inspect the contents with openssl req -text.
Does a CSR contain the private key?
No. A CSR contains only the public key, subject info, and a signature. The private key stays in a separate .key file on your machine and must never be shared.
What CSR format should I paste?
Paste the PEM (Base64) text starting with -----BEGIN CERTIFICATE REQUEST-----. DER binary is not supported.

Related tools

SSL Error Message Decoder
Explain browser SSL errors like ERR_CERT_COMMON_NAME_INVALID.
CAA Record Check
Check which CAs are allowed to issue certificates via CAA records.
SSL Certificate Checker
Check a domain's SSL certificate expiry, issuer, chain and TLS version live.
TLS Version Check
Check which TLS versions (1.0–1.3) a server supports and grade safety.
SSL Certificate Decoder
Paste a PEM certificate to decode subject, issuer, validity and SANs.
CIDR Calculator
Calculate IP range, subnet mask and host count from CIDR notation.