Certificate Signing Requests (CSRs) bundle a public key with identifying details and a proof-of-possession signature. Certification authorities examine the request before issuing an X.509 certificate that browsers and servers can trust.

This decoder lets you drop or paste a PEM-encoded CSR and, through an in-browser reactive engine, instantly reveal the subject common-name, key details, signature algorithm, and any Subject Alternative Names. All processing occurs locally for security and speed.

Typical use: confirm that an automated build pipeline generated a 4096-bit RSA request for api.example.com before forwarding it for signing. Always ensure you have permission to inspect third-party CSRs.

Technical Details:

Under Public-Key Infrastructure, a CSR encapsulates an ASN.1 sequence that holds the requester’s distinguished name, public key, optional extensions, and a signature created with the corresponding private key. Verifying the signature confirms key ownership; parsing the structure exposes metadata crucial for policy checks.

Wrap raw base64 text in BEGIN/END CERTIFICATE REQUEST markers if missing.
Parse the ASN.1 sequence to extract CertificationRequestInfo.
Recover subject attributes, public-key algorithm and size.
Locate the extensionRequest attribute and enumerate any subjectAltName entries.
Verify the signature against the embedded public key.

Field	Meaning
Subject CN	Primary hostname or identity bound to the certificate.
Key Algorithm	Cryptosystem of the public key (e.g. RSA, ECDSA).
Key Size (bits)	Strength indicator; higher usually means better brute-force resistance.
Signature Alg.	Algorithm and hash used to sign the CSR.
Subject Alt Names	Additional hostnames or IPs validated by the certificate.

Values guide certificate policy checks and can reveal mismatches—such as a small key size on a security-critical domain.

csr – PEM string supplied by the user.
keyAlgorithm – RSA, ECDSA, or EdDSA.
keySize – Integer bits; undefined for algorithm-specific curves.
signatureAlgorithm – Friendly OID name (e.g. sha256WithRSAEncryption).
sanList – Array of DNS or IP entries.

Example (truncated):

Input CSR \to Parser

Key Size = 4096

Subject CN = api.example.com

Assumes PEM or base64-only input.
Ignores encrypted CSR formats.
Elliptic-curve size is inferred from curve params, not explicit bit length.
Signature verification fails if the CSR was altered after signing.

Missing boundary lines.
Whitespace inside base64 block.
Unsupported OID mappings.
Malformed subjectAltName extension.

Concept aligns with RFC 2986 (PKCS #10) and X.509 specification. Verification logic reflects commonly accepted PKI practices.

All decoding occurs in the browser; no CSR leaves the user’s device, supporting GDPR data-minimisation principles.

Step-by-Step Guide:

Follow these steps to extract CSR details quickly.

Paste or drop your PEM CSR into the text area.
Optionally select a file via the upload control.
Press Decode CSR to run the local parser.
Review the Info, JSON, or PEM tabs.
Click Copy CSV or Download JSON to export results.

FAQ:

Is my data stored?

No, everything runs in your browser; the CSR never leaves your device.

What formats are supported?

Any PEM-encoded PKCS #10 CSR, with or without header lines.

Why does verification fail?

The signature cannot be validated if the CSR was modified, corrupted, or created with an unsupported algorithm.

Can I decode encrypted CSRs?

No, encrypted or password-protected requests must be decrypted first.

How do I validate SAN entries?

Compare the extracted list with the domains you intend to secure; mismatches indicate a faulty request.

Glossary:

CSR: Certificate Signing Request.
CN: Common Name; primary subject.
SAN: Subject Alternative Name.
OID: Object Identifier tag.
PKI: Public-Key Infrastructure.

CSR Decoder

Introduction:

Technical Details:

Step-by-Step Guide:

FAQ:

Glossary: