Encrypt Online
Theme
Privacy Tool inputs are processed in your browser and are not sent to us.

CSR Decoder & Inspector

Read requested names, public-key details, extensions, and signature state before submission

Privacy note: CSR inspection runs in this browser. The pasted request is not uploaded or saved, and it is not added to the URL.
Inspect a certificate signing requestPaste one PEM CSR or strict Base64-encoded DER request
Accepted PEM labels: CERTIFICATE REQUEST and NEW CERTIFICATE REQUEST.
Raw DER must be padded Base64 without a PEM header. Whitespace between Base64 lines is allowed.
What a CSR Contains

A PKCS#10 certificate signing request carries a subject name, a public key, a signature made by the matching private key, and optional requested extensions such as subject alternative names. A CA decides which requested fields, if any, appear in the certificate it issues.

Inspect a CSR
  1. Paste one PEM CSR or the strict Base64 body of a DER CSR.
  2. Click Inspect CSR and confirm the subject, common name, SAN requests, and public-key details.
  3. Check the self-signature result before submitting the request to a CA.
  4. Compare the issued certificate separately; a CA can omit or replace requested fields.
What This Inspection Cannot Prove

A valid CSR self-signature shows that the request was signed with the private key matching its embedded public key. It does not prove identity, domain control, certificate issuance, CA trust, certificate validity dates, revocation status, or hostname coverage in a future certificate.

Check a CSR with OpenSSL

Use OpenSSL when you need a second local parser or command-line output for a support ticket:

openssl req -in request.csr -noout -text -verify

If the command reports a verification failure, regenerate the CSR from the intended private key instead of editing the encoded request.

CSR Decoder FAQ
Does a valid self-signature mean the CA will issue the certificate?

No. It shows that this request was signed with the corresponding private key when the CSR was created. It does not prove current control of that key, CA approval, or domain control.

Should I check the common name or the SAN list?

Review both in the request, but use the SAN list on the issued certificate for modern hostname coverage. A CA can change what it issues.

Can I paste DER Base64 without PEM header lines?

Yes. Use padded Base64 for one DER-encoded PKCS#10 request; hex and URL-safe Base64 are not accepted.