X.509 Certificate Generator (self-signed / CA-signed with file input)

About this tool

Generate RSA keys entirely in the browser (Web Crypto API) to issue self-signed certificates and CA-signed certificates using an existing CA private key.

  • Key types: RSA 2048 / 3072 (RSASSA-PKCS1-v1_5 + SHA-256)
  • Subject fields (CN, O, OU, C, ST, L) are UTF-8
  • Supports SAN (DNS and IP)
  • Extensions: basicConstraints / keyUsage / extendedKeyUsage / SubjectKeyIdentifier / AuthorityKeyIdentifier
  • Output: certificate (DER .crt / PEM), private key (PKCS#8 PEM), combined PEM bundle

In CA-signed mode you can load .crt (DER/PEM) and .key (PKCS#8 PEM) files directly. This lets you keep an internal root certificate installed on devices while issuing server certificates without reimporting keys. All processing takes place entirely in your browser; no data is transmitted.

How to build a private certificate chain

  1. Create the root CA (Mode: Self-signed, Profile: CA).
    Save the generated root.crt (DER) and private.key.
  2. Issue the server certificate (Mode: CA-signed, Profile: Server).
    Select root.crt as the CA certificate and the root CA's private.key from step 1 as the CA key.
    Add the target DNS/IP to SAN and click Generate.
    Use the resulting cert.crt (server) and private.key (server).
  3. Import root.crt into client trust stores (Firefox uses its own store).
    Deploy the server certificate and key, bundling the chain if needed.

Cautions

  • When enabling the CA flag (basicConstraints=CA), also enable keyUsage keyCertSign.
  • Keep the root CA private key offline.
  • Encrypted PKCS#8 (BEGIN ENCRYPTED PRIVATE KEY) is not supported.
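
The last caution, together with the CA-signed mode's input format (.key as unencrypted PKCS#8 PEM), can be checked before a key file is loaded. The following is an added example, not the tool's own code: `inspectKeyFile`, `readTlv`, `toPem` and `SAMPLE_DER` are hypothetical names, the sample is a constructed PKCS#8 shell with dummy key bytes, and rejecting non-RSA keys is an assumption based on the key types listed above.

```javascript
// Added example (not the tool's code); runs in a browser or Node 16+. All names are hypothetical.
const RSA_OID = [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01]; // rsaEncryption, 1.2.840.113549.1.1.1

// Read one DER TLV header at `off`; returns the tag and the content's [start, end).
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error('truncated DER');
  const tag = buf[off];
  let len = buf[off + 1];
  let start = off + 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[start++];
  }
  if (!(start + len <= buf.length)) throw new Error('truncated DER');
  return { tag, start, end: start + len };
}

// Check a .key file's text against the documented input format (unencrypted PKCS#8 PEM).
function inspectKeyFile(text) {
  const m = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/.exec(text);
  if (!m) return { ok: false, reason: 'no PEM block found' };
  if (m[1] === 'ENCRYPTED PRIVATE KEY') return { ok: false, reason: 'encrypted PKCS#8: decrypt before loading' };
  if (m[1] === 'RSA PRIVATE KEY') return { ok: false, reason: 'PKCS#1 key: convert to PKCS#8' };
  if (m[1] !== 'PRIVATE KEY') return { ok: false, reason: 'not a private key: ' + m[1] };
  try {
    const der = Uint8Array.from(atob(m[2].replace(/\s+/g, '')), c => c.charCodeAt(0));
    const outer = readTlv(der, 0);               // PrivateKeyInfo SEQUENCE
    const version = readTlv(der, outer.start);   // INTEGER (0)
    const algId = readTlv(der, version.end);     // AlgorithmIdentifier SEQUENCE
    const oid = readTlv(der, algId.start);       // algorithm OID
    if (outer.tag !== 0x30 || version.tag !== 0x02 || algId.tag !== 0x30 || oid.tag !== 0x06)
      return { ok: false, reason: 'not a PKCS#8 PrivateKeyInfo' };
    const bytes = Array.from(der.subarray(oid.start, oid.end));
    const isRsa = bytes.length === RSA_OID.length && bytes.every((b, i) => b === RSA_OID[i]);
    // Assumption: the CA key must be RSA, since the tool lists only RSA key types.
    return isRsa ? { ok: true, reason: 'unencrypted PKCS#8 RSA key' }
                 : { ok: false, reason: 'PKCS#8 key is not RSA' };
  } catch (e) {
    return { ok: false, reason: 'malformed key: ' + e.message };
  }
}

// Constructed sample: a PKCS#8 shell with the rsaEncryption OID and 4 dummy key bytes (not a real key).
const SAMPLE_DER = [0x30, 0x18, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, ...RSA_OID,
                    0x05, 0x00, 0x04, 0x04, 0xde, 0xad, 0xbe, 0xef];
const toPem = (label, bytes) =>
  `-----BEGIN ${label}-----\n${btoa(String.fromCharCode(...bytes))}\n-----END ${label}-----\n`;
```

The check reads only the PEM label and the PKCS#8 header, so it never needs to import the key material itself.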
