
CSR Decoder

Paste a Certificate Signing Request (PEM) and read exactly what you're about to send to a CA — subject, Subject Alternative Names, key, signature, and whether the signature verifies.

Generate one with:

    openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.csr

What a CSR contains

A Certificate Signing Request is what you send to a Certificate Authority to be signed. It carries the subject (the identity you're requesting), any Subject Alternative Names, your public key, and a self-signature proving you hold the matching private key. The private key never leaves your machine and is not part of the CSR. This CSR decoder shows those fields and verifies the request's signature.

Does the CSR contain my private key?

No. A CSR carries your public key and a self-signature; the private key stays on the machine that generated it and is never part of the request. Paste a CSR here freely — there is no private key in it to leak.

What does "signature valid" mean?

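The CSR is self-signed with the private key that matches the public key inside it. Verifying that signature proves the requester holds the corresponding private key, a check a Certificate Authority performs before issuing. A valid signature says nothing about whether the requester is entitled to the names in the subject or SANs; the CA validates those separately.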

What key size or type should I request?

RSA 2048-bit is the practical minimum today, with 3072-bit or 4096-bit for longer-lived keys; ECDSA P-256 is a strong, faster alternative. This decoder shows the algorithm and size so you can confirm the CSR matches your policy before sending it to a CA.
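The checks described on this page (reading the subject and SANs, verifying the self-signature, and comparing the key against the RSA 2048 / ECDSA P-256 guidance) can be scripted before a CSR goes to a CA. The Go program below is an added example, not the decoder's own code; `ReviewCSR`, `SampleCSR` and the `example.test` names are assumptions for illustration, and the sample CSR is constructed at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// ReviewCSR parses a PEM CSR and lists problems: a bad self-signature or a key below RSA 2048 / ECDSA P-256.
func ReviewCSR(pemBytes []byte) (csr *x509.CertificateRequest, problems []string, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, nil, fmt.Errorf("input is not PEM")
	}
	if csr, err = x509.ParseCertificateRequest(block.Bytes); err != nil {
		return nil, nil, err
	}
	if csr.CheckSignature() != nil { // the signature covers subject, attributes (SANs) and public key
		problems = append(problems, "signature does not verify")
	}
	rsaKey, isRSA := csr.PublicKey.(*rsa.PublicKey)
	ecKey, isEC := csr.PublicKey.(*ecdsa.PublicKey)
	if (isRSA && rsaKey.N.BitLen() < 2048) || (isEC && ecKey.Curve.Params().BitSize < 256) {
		problems = append(problems, "key below policy minimum")
	}
	return csr, problems, nil
}

// SampleCSR builds a constructed ECDSA CSR for example.test (sample data, not from the page).
func SampleCSR(c elliptic.Curve) ([]byte, error) {
	key, err := ecdsa.GenerateKey(c, rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.test"}, DNSNames: []string{"www.example.test"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), err
}

func main() {
	sample, _ := SampleCSR(elliptic.P256()) // on failure the empty sample is rejected by ReviewCSR
	if csr, problems, err := ReviewCSR(sample); err == nil {
		fmt.Println(csr.Subject, csr.DNSNames, problems)
	}
}
```

Changing any byte of the subject, SANs or public key after signing makes the signature check fail, so a CSR that reports a valid signature is the request exactly as its key holder produced it.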