Free Online CSR Generator — Build OpenSSL Certificate Signing Requests

Generate a properly formatted OpenSSL command and configuration file for
creating a Certificate Signing Request. Fill in the details for your domain
— such as crtmgr.com — choose your key type and digest algorithm, and the
generator builds the exact command to run on your server or workstation.

What This Tool Produces

The CSR command builder creates two outputs depending on whether you include
Subject Alternative Names:

Basic Mode (CN Only)

When you specify only a Common Name without SANs, the generator produces a
single openssl req command with the -subj flag. This is the simplest and
fastest way to create a certificate request:

openssl req -new -newkey rsa:2048 -nodes \
  -keyout crtmgr_com.key -out crtmgr_com.csr \
  -subj "/CN=crtmgr.com/O=CrtMgr/C=PL" -sha256

The private key is written to a .key file; the CSR is written to a .csr
file ready for submission to any Certificate Authority.

Extended Mode (With SANs)

When you list one or more Subject Alternative Names (e.g. crtmgr.com,
www.crtmgr.com, *.crtmgr.com), the generator also outputs an OpenSSL
configuration file (openssl.cnf). The command references this config to
include the SAN extension, which is required by modern browsers and by
Certificate Authorities such as Let’s Encrypt for domain validation.

The config file includes the v3_req section with keyUsage,
extendedKeyUsage = serverAuth, and the [alt_names] section listing every
SAN you entered. You can save this file and reuse it for future certificate
renewals.

Key Type and Size Selection

RSA remains the most widely compatible option. 2048 bits is the minimum
recommended by NIST and the CA/Browser Forum; 3072 and 4096 bits provide
additional security margin at the cost of slower handshakes and larger
certificate sizes. RSA works with every CA, every web server, and every TLS
client.

Elliptic Curve (ECDSA) keys offer equivalent security with much smaller
key sizes. A P-256 (prime256v1) key provides security comparable to RSA 3072
bits while generating faster and consuming less CPU during TLS handshakes.
P-384 offers a higher security level for regulated environments. ECDSA
certificates are fully supported by Let’s Encrypt, Cloudflare, AWS Certificate
Manager, and modern browsers.

Signature digest options are SHA-256 (the standard), SHA-384, and SHA-512.
SHA-256 is the default and recommended choice for all common use cases. SHA-384
and SHA-512 may be required by specific compliance frameworks or internal
security policies that mandate a stronger hash function.

Typical Workflow

  1. Fill out the form with your domain details. At minimum, enter the Common
    Name — for example, crtmgr.com if you’re securing the main website.
  2. Add any additional hostnames as SANs. If your certificate needs to cover
    www.crtmgr.com and the bare domain, list both.
  3. Choose a key type. RSA 2048-bit is a safe default for most deployments.
  4. Click Generate Command and copy the resulting OpenSSL command.
  5. Paste the command into a terminal on a machine with OpenSSL installed
    (Linux, macOS, or Windows with OpenSSL).
  6. The tool creates two files: the private key (.key) and the CSR (.csr).
  7. Submit the .csr file to your Certificate Authority of choice.

After the CA issues the certificate, you can verify it with our
SSL Certificate Decoder and check the live deployment with
the SSL Checker.

Privacy and Security

This tool runs entirely in your browser. No form data — not even the domain
name — is sent to any server. Private keys are generated locally by the
openssl command on your machine; CrtMgr never sees, stores, or transmits
your private key material.

OpenSSL Compatibility

The commands and configuration files produced by this generator are compatible
with OpenSSL 1.1.x and 3.x on Linux, macOS, and Windows (via Git Bash, WSL,
or native OpenSSL builds). The -nodes flag is included so the private key is
not encrypted with a passphrase — remove it manually from the command if you
prefer passphrase-protected keys.

Related Tools

SSL Certificate Checker — once your Certificate Authority
issues the certificate and you’ve deployed it, check the live domain to confirm
the correct chain is being served and the validity window is accurate.

CSR Decoder — after generating a CSR with the command
above, paste it here to verify the subject fields, key type, and signature
algorithm are exactly what you intended before submitting to a CA.

Scroll to Top