CSR Field Formatter
How it works
A CSR (Certificate Signing Request) is a Base64-encoded PKCS#10 message submitted to a Certificate Authority (CA) when requesting an SSL/TLS certificate. It contains the public key and Subject DN (Distinguished Name) fields that will appear in the issued certificate. Formatting the Subject DN fields correctly prevents certificate issuance failures and browser security warnings.
**Subject DN fields**
- CN (Common Name): the fully qualified domain name (FQDN) or wildcard (*.example.com) the certificate will secure.
- C (Country): ISO 3166-1 alpha-2 code (US, GB, DE), exactly 2 characters.
- ST (State or Province): full name, not abbreviation (California, not CA).
- L (Locality): city name.
- O (Organization): legal entity name as registered; must match CA records for OV/EV certificates.
- OU (Organizational Unit): department; optional, being deprecated by many CAs.
**SAN vs CN** Since 2017, browsers require the domain to be in the SAN (Subject Alternative Name) extension, not just the CN. Chrome and Firefox have deprecated CN-only matching. For multi-domain certificates, all domains must appear in SAN. Wildcard SANs (*.example.com) cover one level of subdomain but not sub-subdomains.
**Generating a CSR with OpenSSL**

```
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr -subj "/C=US/ST=California/L=San Francisco/O=Example Inc/CN=example.com"
```

The -nodes flag stores the private key unencrypted; use a passphrase for keys that will be stored. The private key must never be submitted to the CA, only the CSR.
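The field rules and the SAN requirement described above can be checked before the CSR is generated. The following is an added example, not this tool's own code: the function names are hypothetical, and treating any two-letter ST value as an abbreviation is an assumed heuristic.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def valid_dns_name(name):
    """True for an FQDN, or a wildcard whose '*' is the whole left-most label."""
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)

def san_covers(pattern, host):
    """A wildcard SAN stands in for exactly one label; other SANs match exactly."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if p[0] == "*":
        return len(h) == len(p) and h[1:] == p[1:]
    return p == h

def check_fields(fields, sans):
    """Return a list of problems found in the Subject DN fields and SAN list."""
    problems = []
    if not re.fullmatch(r"[A-Z]{2}", fields.get("C", "")):
        problems.append("C: must be a 2-letter ISO 3166-1 alpha-2 code")
    if re.fullmatch(r"[A-Za-z]{2}", fields.get("ST", "")):  # assumed heuristic
        problems.append("ST: looks like an abbreviation, use the full name")
    cn = fields.get("CN", "")
    if not valid_dns_name(cn):
        problems.append("CN: must be an FQDN or a wildcard name")
    problems += [f"SAN: invalid DNS name {s!r}" for s in sans if not valid_dns_name(s)]
    if not any(san_covers(s, cn) for s in sans):
        problems.append("SAN: the CN is not covered by any SAN entry")
    return problems

def subj_string(fields):
    """Build the value for `openssl req -subj`, skipping empty fields."""
    def esc(value):  # backslash-escape characters that -subj treats as special
        return re.sub(r"([\\/+])", r"\\\1", value)
    order = ("C", "ST", "L", "O", "OU", "CN")
    return "".join(f"/{k}={esc(fields[k])}" for k in order if fields.get(k))

def san_string(sans):
    """Build the value for `openssl req -addext` (OpenSSL 1.1.1 or later)."""
    return "subjectAltName=" + ",".join(f"DNS:{s}" for s in sans)

# Constructed sample input, matching the command shown above.
SAMPLE = {"C": "US", "ST": "California", "L": "San Francisco",
          "O": "Example Inc", "CN": "example.com"}
SAMPLE_SANS = ["example.com", "www.example.com"]
```

When `check_fields` returns an empty list, pass the output of `subj_string` to `-subj` and the output of `san_string` to `-addext` so the request carries the SAN entries as well as the CN.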
Frequently Asked Questions
- CN (Common Name) historically contained the domain name but since 2017 browsers require the domain to be in the SAN (Subject Alternative Name) extension. Chrome, Firefox, and Safari ignore CN for domain matching and only check SANs. Modern certificates should have both CN=yourdomain.com and SAN DNS:yourdomain.com, DNS:www.yourdomain.com. For multi-domain certs, list all domains in SAN. Wildcard: *.example.com in SAN covers one subdomain level (www.example.com, api.example.com) but not sub.sub.example.com.
- DV (Domain Validated): the CA verifies that you control the domain (via DNS TXT record or HTTP file challenge). Issued in minutes. No organization information is validated. Used for most website certificates. OV (Organization Validated): the CA verifies the domain AND the organization identity from business registry records. Takes 1–3 days. The organization name appears in the certificate details (not visible in the browser address bar, but shown in the certificate inspector). Required for some government and enterprise contexts. EV (Extended Validation): the highest verification level, covering organization identity, physical address, and legal status. Previously showed a green address bar (deprecated by all browsers in 2019). Takes 1–5 days. Used by banks and high-assurance sites.
- A CSR contains only the public key — the private key should never be in a CSR submission. When you generate a CSR with OpenSSL (openssl req -new -newkey rsa:2048 -keyout private.key -out request.csr), the private.key file is generated separately and the CSR contains only the public key. Submit only the .csr file to the CA. If you accidentally expose a private key: immediately rotate the key by generating a new key pair, request a new certificate, and revoke the compromised certificate with the CA.
- Renew (same key pair): the CA issues a new certificate with an extended expiration date using the same public key. The private key is unchanged. Use when the private key is secure and you simply need to extend the validity period. Rekey (new key pair): generate a new private key and new CSR, submit for a new certificate. The old certificate remains valid until its expiration or revocation. Use when you suspect key compromise, after a server migration, or as a security best practice every 1–2 years. After rekeying, update the certificate files on all servers serving that domain.