Home

Certificate Generator

Contact us
🔒All certificates are generated locally in your browser using the Web Crypto API. No data is sent to any server. Your private keys never leave your device.
Comma-separated DNS names or IPs. CN is added automatically.

X.509 Certificates (HTTPS / TLS)

An X.509 certificate proves a server's identity and enables TLS encryption. It is signed by a Certificate Authority (CA) or self-signed. Browsers trust certificates from known CAs but will warn on self-signed ones.

Using the Certificate

Unzip the download and configure your server. The private key (.key) must be kept secret; the certificate (.crt) is public.

  • nginx: ssl_certificate /path/to/cert.crt; and ssl_certificate_key /path/to/key.key;
  • Apache: SSLCertificateFile and SSLCertificateKeyFile
  • Node.js: Use https.createServer() with fs.readFileSync() to load both files
  • Local browser warning: Import .crt into your OS or browser's trust store

Learn more at Google Web Fundamentals — Encrypt in Transit and Mozilla Server Side TLS Guide.

Key Algorithms

  • RSA 2048 — Most widely compatible. Supported by virtually all TLS clients and SSH servers.
  • RSA 4096 — Stronger but slower. Use when compliance requires it.
  • EC P-256 / P-384 — Elliptic curve keys are smaller and faster than RSA with equivalent security. Recommended for modern deployments.
  • Ed25519 — State-of-the-art elliptic curve algorithm. Fast, compact, and resistant to implementation bugs. Recommended for modern TLS deployments. Not supported by very old clients.