ZeroData Tools
Tools
JSON Formatter Format and validate JSON instantly with no uploads, no server calls, and no stored data. JSON Validator Validate JSON instantly before deploys with local processing and zero server calls. YAML Validator Validate YAML files and catch indentation errors instantly with no uploads or backend processing. Base64 Encoder Encode or decode Base64 strings instantly with zero uploads. URL Encoder Encode and decode query parameters locally for APIs, redirects, and forms. HTML Formatter Pretty-print messy markup and inspect structure without exposing page code. CSS Minifier Shrink stylesheets for production with browser-only processing and instant output. JavaScript Beautifier Reformat dense JavaScript into readable code locally for debugging.

CSR Decoder

Verify the contents of your Certificate Signing Request (CSR) before purchasing an SSL/TLS certificate. Paste your PEM-formatted CSR below. Decoding happens 100% locally in your browser. We never transmit your private keys or CSR data to a server.

CSR Decoder
Decode and inspect PEM-formatted Certificate Signing Requests locally in your browser.
Local Only
Paste CSR (PEM format)
Decoded CSR Details

Waiting for CSR input...

How ZeroData protects your privacy

  • No Uploads: Processing happens entirely via client-side JavaScript.
  • No Storage: We do not have a database. We physically cannot save your data.
  • No Tracking: We don't log what you process or track your inputs.
  • Verifiable: Check your DevTools Network tab. You will see 0 outbound requests.

How to Generate a CSR

The most common way to generate a CSR is with OpenSSL:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

This generates a 2048-bit RSA private key (server.key) and a CSR (server.csr). You then submit server.csr to your Certificate Authority.

Expected CSR Format

Your CSR must be in PEM format, which is Base64-encoded ASCII wrapped in header/footer lines:

-----BEGIN CERTIFICATE REQUEST-----
MIICzDCCAbQCAQAwgYYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
... (base64 data) ...
-----END CERTIFICATE REQUEST-----

What This Decoder Extracts

  • Common Name (CN): The primary domain the certificate will cover.
  • Organization (O): The legal entity requesting the certificate.
  • Subject Alternative Names (SANs): Additional domains covered by the certificate.
  • Key Algorithm: RSA or ECC (Elliptic Curve).
  • Key Size: The bit length of the public key (e.g., 2048-bit, 4096-bit).

Common Use Cases

  • Verifying Common Name (CN) spelling before purchasing an SSL/TLS certificate.
  • Checking that all Subject Alternative Names (SANs) are included in a multi-domain CSR.
  • Confirming the key algorithm (RSA vs ECC) and key size meets security requirements.
  • Validating Organization and Country fields for OV and EV certificate applications.
  • Auditing CSRs generated by automated tools like certbot or openssl to catch misconfigurations.

Frequently Asked Questions

What is a CSR (Certificate Signing Request)?

A CSR is a block of PEM-encoded text generated on the server where your SSL/TLS certificate will be installed. It contains your domain name (Common Name), organization details, and public key. You submit the CSR to a Certificate Authority (CA) like Let's Encrypt, DigiCert, or Comodo to receive a signed SSL certificate.

Why should I decode my CSR before submitting it?

Decoding lets you verify that the Common Name (CN), Organization, and Subject Alternative Names (SANs) are correct before purchasing. Typos in these fields cannot be corrected after the certificate is issued, requiring you to regenerate the CSR and repurchase. A 30-second check here can save hours of troubleshooting.

Is it safe to paste my CSR here?

Yes. A CSR contains only your public key and identity information — never your private key. Even so, this tool decodes your CSR entirely inside your web browser using the node-forge library. Nothing is uploaded to any server. You can verify this by checking your browser DevTools Network tab.

What key size should my CSR use?

For RSA keys, a minimum of 2048-bit is required by all major Certificate Authorities. 4096-bit RSA provides stronger security but is slower. For ECC (Elliptic Curve) keys, 256-bit (P-256) is the standard and provides equivalent security to 3072-bit RSA with significantly better performance.

What are Subject Alternative Names (SANs)?

SANs allow a single certificate to cover multiple domain names. For example, a certificate for example.com might include SANs for www.example.com, api.example.com, and mail.example.com. Modern browsers require the domain to be listed in the SAN field, not just the Common Name.

Explore more ZeroData utilities

Related Tools

JWT Signature Verifier

Verify JWT signatures locally using Web Crypto API. Supports HS256, RS256, and ES256. Your secrets never leave your browser.

JWK & JWKS Generator

Generate JSON Web Keys (JWK) and JWKS for JWT signing. Supports RS256, RS384, RS512, ES256, ES384, ES512, HS256 — 100% browser-based via Web Crypto API.

JWK to PEM Converter

Convert JSON Web Keys (JWK) to PEM format and back. Supports RSA and EC keys using Web Crypto API — 100% browser-based, zero uploads.

Certificate Decoder

Decode X.509 SSL/TLS certificates locally. Inspect issuer, subject, validity dates, SANs, and key details with zero uploads.

© 2026 ZeroData Tools. All rights reserved.