CSR & Self-Signed Certificate Generator

What is CSR & Self-Signed Certificate Generator?

This tool is a free, in-browser generator for a private key plus either a certificate signing request (CSR) or a self-signed certificate. A CSR is the file you send to a certificate authority (CA) to be signed into a trusted TLS certificate, while a self-signed certificate is one you sign yourself, handy for local development, internal services, or quick testing. Developers, DevOps engineers, and sysadmins reach for it when they need to request a certificate for a domain, stand up HTTPS on a staging box, or create a throwaway cert with the right Common Name and SANs. You choose the key algorithm (RSA 2048/3072/4096 or ECDSA P-256/P-384), enter the subject distinguished name (Common Name, Organization, Country, and more) and any DNS subject alternative names, switch between CSR and Self-signed mode, and click Generate. The private key always comes out in PKCS#8 PEM, alongside either a PKCS#10 CSR or an X.509 certificate in PEM, all produced locally.

How to use CSR & Self-Signed Certificate Generator

1. Choose the key algorithm: RSA (2048, 3072, or 4096 bits) or ECDSA (P-256 or P-384).
2. Fill in the subject fields, at minimum the Common Name (CN), plus Organization, Organizational Unit, Country, State, and Locality as needed.
3. Enter subject alternative names as a comma-separated list of DNS names if the certificate must cover several hostnames.
4. Use the segmented control to pick CSR (to send to a CA) or Self-signed (ready to use immediately).
5. Click Generate, then copy the private key PEM and the resulting CSR or certificate PEM from the output blocks.
6. Save the private key somewhere safe and keep it private; submit the CSR to your CA, or install the self-signed certificate where you need it.

Examples

Algorithm: RSA 2048, CN: example.com, O: Example Inc, Country: US, Mode: CSR

A PKCS#8 private key PEM (-----BEGIN PRIVATE KEY-----) and a PKCS#10 CSR PEM (-----BEGIN CERTIFICATE REQUEST-----) ready to upload to your certificate authority.

Algorithm: ECDSA P-256, CN: localhost, SANs: localhost, dev.local, 127.0.0.1, Mode: Self-signed

A private key PEM plus an X.509 certificate PEM (-----BEGIN CERTIFICATE-----) covering all listed SAN entries, usable straight away for local HTTPS.

Algorithm: RSA 4096, CN: api.example.org, O: Example Org, OU: Platform, Mode: CSR

A longer 4096-bit private key PEM and a matching CSR PEM with the full subject distinguished name encoded.

Frequently asked questions

Is my private key sent anywhere?

No. The key pair is generated with the Web Crypto API and encoded with pkijs entirely in your browser. Nothing is uploaded to or stored on any server, so the private key never leaves the page and the tool works offline once loaded.

What is the difference between a CSR and a self-signed certificate?

A CSR (certificate signing request) is a request you send to a certificate authority, which signs it into a trusted certificate. A self-signed certificate is signed by its own key with no external authority, so browsers do not trust it by default but it is perfect for local development and internal testing.

Which key algorithms and sizes are supported?

RSA at 2048, 3072, or 4096 bits, and ECDSA on the P-256 or P-384 curves. RSA is the most widely compatible; ECDSA produces smaller, faster keys that modern systems support.

What format are the outputs in?

The private key is PKCS#8 in PEM (-----BEGIN PRIVATE KEY-----). A CSR is PKCS#10 PEM (-----BEGIN CERTIFICATE REQUEST-----) and a self-signed certificate is X.509 PEM (-----BEGIN CERTIFICATE-----). Copy each block from its output area.

How do I add multiple hostnames?

Enter them in the Subject Alternative Names field as a comma-separated list of DNS names, for example example.com, www.example.com, api.example.com. Each becomes a dNSName SAN entry in the request or certificate.