CSR Decoder
Decode PEM CSR files in your browser. View subject, SANs, key info, extensions, signature algorithm, fingerprints, and verify the signature.
How to use
- Paste a PEM block beginning with -----BEGIN CERTIFICATE REQUEST----- (openssl, Certbot, lego, ACME) or -----BEGIN NEW CERTIFICATE REQUEST----- (Microsoft IIS / certreq.exe).
- The summary names the subject CN, the key algorithm and size, and runs an in-browser signature verification using Web Crypto so you immediately see whether the CSR is self-consistent.
- Read the Subject card to confirm the CN, O, and other attributes match what you submitted to the CA, and review the Subject Alternative Name list to make sure every hostname you need is included.
- Use the Public key card to confirm the RSA modulus bit length, the EC curve, or the Edwards algorithm matches your CA policy before the certificate is issued.
- Copy the SHA-256 fingerprint to compare against the value your CA portal displays, or grab the plain-text summary to paste into a change-management ticket.
- Click any sample button to load an RSA 2048 CSR with SANs or an EC P-256 CSR and explore the output.
About this tool
CSR Decoder parses a PEM-encoded PKCS#10 Certificate Signing Request (RFC 2986) directly in the browser and surfaces every field a sysadmin, DevOps engineer, or developer needs to verify before sending the CSR to a Certificate Authority. It accepts both -----BEGIN CERTIFICATE REQUEST----- (the file openssl req, Certbot, lego, and most ACME clients produce) and -----BEGIN NEW CERTIFICATE REQUEST----- (the variant the Microsoft IIS / certreq.exe wizard emits) and decodes the same structure underneath.
The decoded output shows the PKCS#10 version, the full Subject distinguished name broken into CN, O, OU, C, L, ST, emailAddress, and any other OID-mapped attributes, plus a single-line RFC 4514 form you can paste into a ticket. The subject public key is parsed into algorithm (RSA, EC id-ecPublicKey, Ed25519, Ed448), modulus bit length and full hex modulus for RSA, named curve and curve OID for EC (prime256v1 / secp384r1 / secp521r1 / secp256k1 / brainpoolP256r1 / brainpoolP384r1 / brainpoolP512r1), and raw public key bytes for Edwards keys.
Requested X.509 extensions inside the extensionRequest attribute (RFC 2985 OID 1.2.840.113549.1.9.14) are extracted and named: Subject Alternative Name with DNS, IP, URI, email, and directoryName entries; Key Usage flags; Extended Key Usage with friendly labels like TLS Web Server Authentication and Code Signing; Basic Constraints with the CA flag and path length; plus any other extension OIDs displayed verbatim.
The signature algorithm OID (sha256WithRSAEncryption, ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512, RSASSA-PSS, and more) is named, and the tool verifies the CSR signature against the embedded public key using the Web Crypto SubtleCrypto API so a green "Signature is valid" banner confirms the CSR was actually produced by the holder of the matching private key.
SHA-256, SHA-1, and MD5 fingerprints are computed over the full CSR DER so the SHA-256 value matches openssl req -in csr.pem -outform DER piped into openssl dgst -sha256. If a challengePassword attribute is present the tool flags it but never displays its value.
The ASN.1 parser, the OID lookup tables, the extension decoder, the signature verifier, and the fingerprint hashes all run locally; the CSR you paste here is never uploaded.
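The first stage of a decoder like the one described above, as an added example that is not the tool's own source: accept either PEM label, validate DER lengths strictly, and split the request into the three top-level PKCS#10 fields. The function names, error messages, and the CSR-shaped sample bytes are constructed for this illustration.

```javascript
// Added example (illustrative names). Accept both PEM labels; \1 makes BEGIN and END agree.
const PEM_RE = /-----BEGIN (NEW )?CERTIFICATE REQUEST-----([A-Za-z0-9+\/=\s]+)-----END \1CERTIFICATE REQUEST-----/;
function pemToDer(pem) {
  const m = PEM_RE.exec(pem);
  if (!m) throw new Error("No CSR PEM block found.");
  return Uint8Array.from(atob(m[2].replace(/\s+/g, "")), (c) => c.charCodeAt(0));
}

// Read one DER tag-length-value header at `off`, rejecting lengths that are not strict DER.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error("Truncated DER header.");
  let len = buf[off + 1], hdr = 2;
  if (len & 0x80) {
    const n = len & 0x7f; // number of length octets that follow
    if (n === 0) throw new Error("Indefinite length is not allowed in DER.");
    if (n > 4) throw new Error("DER length field is too large.");
    if (off + 2 + n > buf.length) throw new Error("Truncated DER header.");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[off + 2 + i];
    if (len < 0x80 || buf[off + 2] === 0) throw new Error("Non-minimal DER length.");
    hdr += n;
  }
  const end = off + hdr + len;
  if (end > buf.length) throw new Error("DER length exceeds available data.");
  return { tag: buf[off], start: off + hdr, end };
}

// Split CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, signature }.
function splitCsr(der) {
  const outer = readTlv(der, 0);
  if (outer.tag !== 0x30 || outer.end !== der.length) throw new Error("Expected one outer SEQUENCE.");
  const fields = [["certificationRequestInfo", 0x30], ["signatureAlgorithm", 0x30], ["signature", 0x03]];
  const parts = {};
  let off = outer.start;
  for (const [name, tag] of fields) {
    const tlv = readTlv(der, off);
    if (tlv.tag !== tag) throw new Error(`Unexpected tag for ${name}.`);
    parts[name] = der.subarray(off, tlv.end); // full TLV, header included
    off = tlv.end;
  }
  if (off !== outer.end) throw new Error("Trailing data inside the CSR.");
  return parts;
}

// Constructed sample: CSR-shaped DER only (placeholder OID, no real key or signature).
const SAMPLE_DER = Uint8Array.from([0x30, 0x0e, 0x30, 0x03, 0x02, 0x01, 0x00,
  0x30, 0x03, 0x06, 0x01, 0x2a, 0x03, 0x02, 0x00, 0xff]);
const samplePem = (label) =>
  `-----BEGIN ${label}-----\n${btoa(String.fromCharCode(...SAMPLE_DER))}\n-----END ${label}-----\n`;
```

The certificationRequestInfo slice is the exact byte range the CSR signature covers (RFC 2986), while the full array returned by pemToDer is what the fingerprints hash.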
Free to use. Works in your browser. No signup, no login.