CSR Decoder

Decode a Certificate Signing Request (CSR) and inspect its contents: Subject (CN, organization, location), public key (type & size), Subject Alternative Names (SAN), signature algorithm and signature verification. Your CSR is parsed locally and never stored.


What is a CSR?

A CSR (Certificate Signing Request) is an encoded request you send to a Certificate Authority (CA) when applying for an SSL/TLS certificate. It contains your public key and identity details (domain, organization, country), signed with the matching private key.

What does a CSR contain?

  • Subject — Common Name (the domain), Organization (O), Organizational Unit (OU), Locality (L), State (ST), Country (C), email.
  • Public key — the type (RSA, EC) and size (e.g. 2048-bit).
  • Subject Alternative Names (SAN) — additional domains the certificate will cover.
  • Signature — the algorithm (e.g. SHA-256 with RSA) and the digital signature of the request.

What does this tool do?

Paste your CSR — the entire block from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- — and the tool decodes all of the fields above. It also confirms the CSR signature is valid and warns you if the key is too small (e.g. RSA below 2048-bit).

A CSR contains only the public key — never the private one. It is safe to share. Your file is parsed on the server and never stored.
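The decoding and the two checks described above (signature validity and the key-size warning) can be reproduced offline. This is an added example, not this tool's own code: it uses the third-party Python `cryptography` package, builds its sample CSRs in the script, and the function names and `example.test` domains are assumptions.

```python
# Added example: helper names and the example.test domains are assumptions.
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID


def make_csr(cn, sans, weak=False):
    """Constructed sample CSR (PEM); weak=True signs with a 1024-bit RSA key."""
    key = (rsa.generate_private_key(public_exponent=65537, key_size=1024)
           if weak else ec.generate_private_key(ec.SECP256R1()))
    san = x509.SubjectAlternativeName([x509.DNSName(s) for s in sans])
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    ).add_extension(san, critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def alter_without_resigning(pem, old, new):
    """Swap bytes inside the request body; the original signature is kept."""
    der = x509.load_pem_x509_csr(pem).public_bytes(serialization.Encoding.DER)
    altered = x509.load_der_x509_csr(der.replace(old, new))
    return altered.public_bytes(serialization.Encoding.PEM)


def decode_csr(pem):
    """Return the fields the page lists plus the two checks it describes."""
    csr = x509.load_pem_x509_csr(pem)
    pub = csr.public_key()
    bits = getattr(pub, "key_size", None)
    key_type, weak = type(pub).__name__, False  # other key types: no size rule here
    if isinstance(pub, rsa.RSAPublicKey):
        key_type, weak = "RSA", bits < 2048  # page: RSA below 2048-bit is too small
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        key_type, weak = "EC", bits < 256  # page: ECDSA needs at least 256-bit
    try:
        ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        sans = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return {
        "common_name": cn[0].value if cn else None,
        "sans": sans,
        "key_type": key_type,
        "key_bits": bits,
        "weak_key": weak,
        "signature_hash": getattr(csr.signature_hash_algorithm, "name", None),
        "signature_valid": csr.is_signature_valid,
    }
```

Running `decode_csr` on the output of `alter_without_resigning` shows the case the signature check exists for: the subject decodes cleanly with the new name, but `signature_valid` is `False` because the signature still covers the original bytes.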

Frequently Asked Questions

Does the CSR contain my private key?
No. A CSR contains only the public key and identity details. The private key always stays on your server — never share it.

Why decode a CSR?
To confirm the Common Name, SANs and organization are correct before sending it to the CA. A mistake in the CSR leads to a wrong certificate and a reissue.

What does "Valid signature" mean?
It means the CSR is correctly signed with the private key matching the public key inside the CSR (self-signature). If it fails, the CSR has been altered or is corrupted.

What key size is secure?
For RSA, at least 2048-bit (ideally 3072 or 4096). For ECDSA, at least 256-bit (e.g. the prime256v1 curve). CAs reject smaller keys.