OpenSSL CSR & Certificate Decoder - Free Online Parser

An OpenSSL CSR decoder is a tool that parses and inspects Certificate Signing Requests (CSRs) encoded in PEM or DER format. Our tool extracts and displays the subject distinguished name (CN, O, OU, L, ST, C), public key algorithm and size, signature algorithm, requested Subject Alternative Names (SANs), key usage extensions, and other embedded attributes, making it easy to verify CSR contents before submission to a Certificate Authority.

Please Note: Encryption Consulting LLC does not possess, store, or retain any data entered into this decoder. All inputs, including PEM certificates or Base64-encoded DER, are used solely for decoding purposes and are not saved.

Help & Support

Frequently Asked Questions

Everything you need to know about decoding your CSR files. Can't find the answer you're looking for? Send us an email and we'll get back to you as soon as possible!

How do I decode a CSR using EC's OpenSSL Decoder tool?

Open the OpenSSL Decoder tool and follow the three steps:

1. Paste or Upload Your CSR File

Paste the PEM-encoded CSR directly, or upload a .cer, .crt, .pem, or .der file. Base64-encoded DER is also accepted.

2. Process

The tool parses the structure and extracts all embedded fields.

3. View the Output

Decoded fields are displayed in human-readable format, letting you verify subject details, public key, and extensions before submitting to a Certificate Authority (CA).

To generate a CSR, you can use our CSR Generator Tool. This utility simplifies the entire process of creating a CSR while ensuring compliance.

How is it different from an ASN.1 decoder?

Both tools decode binary-encoded certificate data, but serve different purposes.

1. An ASN.1 decoder is a general-purpose tool for inspecting any ASN.1-encoded structure: it exposes the raw DER/BER hierarchy of tags, lengths, and values. It is the right choice when you need to audit encoding correctness, debug custom ASN.1 schemas, or inspect non-certificate structures.

2. An OpenSSL CSR Decoder is purpose-built for X.509 Certificate Signing Requests. It interprets the ASN.1 structure internally and maps the output to certificate-specific fields such as CN, SANs, key algorithm, and requested extensions, presenting them in a labeled, actionable format. It is the right choice when you need to verify CSR contents before CA submission, without manually interpreting raw byte sequences.

What does the output contain?

The CSR decoder output is organized mainly into five key sections, each providing important details about the certificate request.

1. Subject Fields

This section identifies the entity requesting the certificate. It includes the Common Name (CN), which is the domain name (e.g., www.example.com), along with organization details such as Organization (O), Organizational Unit (OU), Locality (L), State (ST), and Country (C) using ISO codes.

2. Public Key

This section displays the cryptographic properties of the public key. It specifies the key algorithm, such as RSA or ECC. For RSA keys, it shows the key size (for example, 2048 or 4096 bits). For ECC keys, it specifies the elliptic curve used, such as P-256, P-384, or P-521, which defines the key’s mathematical parameters and security level.

3. Signature Algorithm

This section specifies the algorithm used to sign the CSR, which pairs a hash function with a public-key signature scheme (e.g., ecdsa-with-SHA384).

4. Extensions

This section lists additional certificate capabilities, including Key Usage (allowed operations), Extended Key Usage (specific purposes like TLS authentication), and Subject Alternative Names (SANs) for extra domains or IP addresses.

5. Fingerprints & CSR Checks

This section includes fingerprints such as SHA-256 (primary), SHA-1 (legacy), and MD5 (for compatibility). It also validates the CSR by checking the signature, confirming key details, and flagging weak or deprecated hashing algorithms.
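
The same fields and checks can be reproduced locally with the openssl command-line tool, for PEM or DER input. This is an added example, not part of the original page or of Encryption Consulting's tool; the function names, the sample subject, and the policy thresholds (2048-bit RSA minimum, SHA-1 and MD5 flagged) are assumptions.

```shell
#!/bin/sh
# Added example: decode and sanity-check a CSR locally with the openssl CLI.
# The thresholds in csr_policy are assumptions, not values from the page.
csr_policy() {  # csr_policy SIGALG RSA_BITS -> one finding per line, none = pass
  case "$1" in
    md5*|sha1*|*SHA1|*MD5) echo "deprecated signature hash: $1" ;;
  esac
  if [ -n "$2" ] && [ "$2" -lt 2048 ]; then echo "RSA key below 2048 bits: $2"; fi
}

decode_csr() {  # decode_csr FILE -> labeled fields; status 0 only if checks pass
  f=$1
  if grep -q -- '-----BEGIN' "$f"; then form=PEM; else form=DER; fi
  text=$(openssl req -in "$f" -inform "$form" -noout -text 2>/dev/null) || return 2
  subject=$(openssl req -in "$f" -inform "$form" -noout -subject | sed 's/^subject=//')
  keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p')
  bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9]*\) bit.*/\1/p')
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
  sans=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
  # The self-signature shows the requester holds the matching private key.
  if openssl req -in "$f" -inform "$form" -noout -verify 2>&1 | grep -q 'verify OK'
  then sig=OK; else sig=FAILED; fi
  fp=$(openssl req -in "$f" -inform "$form" -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  rsa_bits=""; [ "$keyalg" = rsaEncryption ] && rsa_bits=$bits
  findings=$(csr_policy "$sigalg" "$rsa_bits")
  printf 'format: %s\nsubject: %s\nkey: %s (%s bit)\nsignature algorithm: %s\n' \
    "$form" "$subject" "$keyalg" "$bits" "$sigalg"
  printf 'SANs: %s\nself-signature: %s\nsha256(DER): %s\n' "$sans" "$sig" "$fp"
  [ -z "$findings" ] || printf '%s\n' "$findings" | sed 's/^/finding: /'
  [ "$sig" = OK ] && [ -z "$findings" ]
}

make_sample_csr() {  # writes DIR/csr.pem; constructed test data, throwaway key
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
req_extensions = ext
[dn]
C = US
O = Example Org
CN = www.example.com
[ext]
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/req.cnf" \
    -keyout "$1/key.pem" -out "$1/csr.pem" 2>/dev/null
}
if [ "$#" -gt 0 ]; then decode_csr "$1"; fi
```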