Build a Certificate Signing Request (CSR) and private key in your browser, or copy the openssl req command to run locally. Supports RSA and ECDSA keys, multiple SANs, and full subject fields.
A Certificate Signing Request (CSR) is a block of encoded text sent to a Certificate Authority (CA) when you want a TLS/SSL certificate. It contains the public key, the domain (and any Subject Alternative Names), and identifying information about the organization. The CA signs it to produce the final certificate. The matching private key never leaves your machine.
Modern browsers ignore the legacy Common Name (CN) field and trust only Subject Alternative Names. Every domain you want the certificate to cover, including the CN itself, should be listed as a SAN. For a wildcard, use *.example.com plus the apex domain example.com so the cert covers both.
RSA 2048 is the industry default and works everywhere. RSA 4096 doubles the key size for slightly better long-term security at the cost of slower TLS handshakes. ECDSA (P-256 or P-384) produces much smaller keys with equivalent security but is unsupported by a small number of legacy clients. For new deployments in 2025+, ECDSA P-256 is a great default if you don't need legacy compatibility.
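The SAN and key-type guidance above, as an added example that is not this tool's own generated command: a script that creates an ECDSA P-256 key and a CSR for *.example.com plus the apex, then checks that every required name is present as a SAN and that the request's self-signature verifies. The function names (make_csr, csr_sans, check_csr) and file names are assumptions, and it needs a local openssl.

```shell
#!/bin/sh
# Added example, not the generator's own output. Function and file names are illustrative.
set -eu

# make_csr <outdir> <cn> <san>...
# Writes key.pem (ECDSA P-256), req.cnf and req.csr into <outdir>.
make_csr() (
  dir=$1; cn=$2; shift 2
  umask 077                      # private key readable by its owner only
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
    printf '[dn]\nCN = %s\n[ext]\nsubjectAltName = @alt\n[alt]\n' "$cn"
    i=0
    for san in "$@"; do i=$((i + 1)); printf 'DNS.%d = %s\n' "$i" "$san"; done
  } > "$dir/req.cnf"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$dir/key.pem"
  openssl req -new -sha256 -config "$dir/req.cnf" \
    -key "$dir/key.pem" -out "$dir/req.csr"
)

# csr_sans <csr>: print the DNS SANs carried in the request, one per line
csr_sans() {
  openssl req -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed 's/^ *DNS://'
}

# check_csr <csr> <name>...: self-signature verifies and every name is a SAN
check_csr() (
  csr=$1; shift
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || exit 1
  sans=$(csr_sans "$csr")
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qxF -- "$name" ||
      { echo "missing SAN: $name" >&2; exit 1; }
  done
)

# Wildcard plus apex; the CN is repeated in the SAN list on purpose.
work=$(mktemp -d)
make_csr "$work" '*.example.com' '*.example.com' 'example.com'
check_csr "$work/req.csr" '*.example.com' 'example.com'
csr_sans "$work/req.csr"
```

Only req.csr goes to the CA; key.pem stays on the machine that will serve the certificate.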
Nothing is sent over the network. Key generation runs in your browser using WebCrypto / forge, and the openssl command tab is just text we render: no telemetry, no logging, no backend involved.