CSR decoder

Read the subject, key details, and SANs inside a certificate signing request.

Once the certificate is issued and deployed, let SJ Monitor's SSL monitoring watch it for expiry. Start free →

A CSR decoder parses a certificate signing request and displays the information it contains in human-readable form before you submit it to a certificate authority. It shows the subject distinguished name, the public key algorithm and size, and any subject alternative names, so you can confirm the request matches what you intend to certify. Catching a wrong common name or missing SAN here saves a failed or reissued certificate later. While CSRs themselves are one-time artifacts, SJ Monitor's broader certificate tooling can keep watching the certificate that results once it is deployed.

Frequently asked questions

What information does a CSR contain?

It holds the subject details such as common name and organization, the public key and its algorithm, and any subject alternative names. It does not contain your private key.

Why should I decode a CSR before submitting it?

Decoding lets you verify the common name, key strength, and SANs are correct before a CA issues the certificate, avoiding a costly reissue. Mistakes are far cheaper to fix here.

Does decoding a CSR expose my private key?

No. A CSR contains only the public key and subject information, so decoding it is safe and never reveals your private key.

What key size should the CSR use?

For RSA, 2048-bit is the minimum and 4096-bit is common; ECDSA with a P-256 curve is a smaller, faster modern alternative. The decoder shows the algorithm and size so you can confirm before submitting.

Why was my CSR rejected by the CA?

Common reasons are a missing or mismatched common name, absent SANs (modern certs validate SANs, not just CN), an unsupported key size, or a corrupted Base64 block. Decoding first catches these.

Do I need to include the common name in the SANs too?

Yes. Browsers ignore the common name and validate only the subject alternative names, so the hostname in your CN must also appear in the SAN list or clients will reject the certificate.

More SSL/TLS & security tools tools

Certificate decoder HSTS checker Mixed content checker Security headers grade SSL certificate checker SSL chain checker TLS / cipher scan
All SSL/TLS & security tools tools → · Browse every tool →

Want this checked automatically and around the clock? Create a free SJ Monitor account and we'll alert you the moment something changes.

Share this tool: X LinkedIn Facebook Reddit Email

We use essential cookies to run SJ Monitor (sign-in, security). See our privacy policy.