CSR generator

Create a certificate signing request and private key for your SSL/TLS certificate — generated entirely in your browser. Your private key never leaves your device.

Certificate type

Domain Validation only proves domain control — the CSR needs just the domain name.

What is a CSR?

A certificate signing request (CSR) is a small block of encoded text you send to a certificate authority (CA) when applying for an SSL/TLS certificate. It contains your public key and the identity the certificate should carry — the domain name, and for OV/EV certificates, your organization's verified details. The CA signs this information to produce your certificate. The matching private key stays with you and is never part of the CSR.

DV, OV and EV: which fields do you need?

The certificate type decides how much identity information the CSR must carry, because it determines what the certificate authority will verify:

  • Domain Validation (DV): the CA only proves you control the domain — the CSR needs just the Common Name. This is what Let's Encrypt and most standard certificates use.
  • Organization Validation (OV): the CA also verifies your company, so the CSR must include the organization name, city, state and country.
  • Extended Validation (EV): the strictest vetting — the CSR carries the same subject fields as OV; the extra verification happens at the CA, not in the CSR.

How to use this generator

  1. Pick the certificate type — DV needs only your domain; OV and EV unlock the address fields.
  2. Fill in the subject. Use the exact domain the certificate is for (e.g. www.example.com); wildcards like *.example.com are allowed.
  3. Select "Generate CSR". Your browser creates the key pair with the Web Crypto API and signs the request locally.
  4. Save both files. Submit the CSR to your certificate authority; install the private key on your server and keep it secret.

Is this safe? Where is the key generated?

Everything happens in your browser. The RSA key pair is created by your own device's Web Crypto API, and the CSR is assembled and signed locally — no field you type and no key material is ever transmitted to nslookup.io. You can confirm this in your browser's developer tools: no network requests are made when you generate. This is the safe way to use an online CSR tool; never use one that creates the key on a server.

Frequently asked questions

Is it safe to generate a CSR online?

It is with this tool: the key pair and CSR are generated entirely in your browser using the Web Crypto API. Nothing you type and no key material is ever sent to our servers — you can verify that in your browser’s network tab, or even generate while offline.

What is the difference between DV, OV and EV certificates?

They differ in how thoroughly the certificate authority verifies you. Domain Validation (DV) only proves control of the domain, so the CSR needs just a Common Name. Organization Validation (OV) and Extended Validation (EV) verify your company too, so the CSR must also carry the organization name and address.

Which key size should I choose?

RSA 2048 is the standard and is accepted by every certificate authority. Choose RSA 4096 if your security policy requires it — it is slower on every TLS handshake, and provides more margin than most sites need.

What do I do with the private key?

Store it securely on the server that will use the certificate — the CSR is useless to an attacker, but the private key is the secret itself. We never see it, so we cannot recover it: if you lose it, generate a new CSR and reissue the certificate.

Can I add extra domains (SANs) to the CSR?

Yes — list them in the “Additional domains” field. They are embedded as Subject Alternative Names. Note that most CAs read SANs from your order rather than the CSR, but including them keeps the CSR self-describing.

Why does my CA reject my CSR?

The usual causes: a typo in the Common Name, a country field that isn’t a 2-letter ISO code, or key size below the CA’s minimum (2048). Decode your CSR with our CSR decoder to check exactly what it contains before submitting it.

Related tools

Never let a certificate expire again

An expired certificate takes your site down in every browser at once. We'll watch your certificates and email you well before they expire — free for your first domains.

Monitor my certificates