certgen

Generate X.509 certificates and RSA keys locally in your browser. Self-sign, or sign with your own issuer. Nothing is sent anywhere.

Subject

Options

Optional. DNS names and IPv4 addresses are auto-detected.
This generates a BrCAC-shaped transport certificate profile locally. Production acceptance still depends on issuance through an approved ICP-Brasil/Open Finance Brasil V10 certificate chain and correct Directory values.

BrCAC Subject

Generate a random valid CNPJ, or enter your own.
Stored as organizationIdentifier OFBBR-<code>.
Generate a random UUID, or enter your own.
Used as both commonName and DNS subjectAltName.

BrCAC Options

Open Finance Brasil specifies RSA 2048.
This generates a BrSEAL-shaped signing certificate profile locally. Production acceptance still depends on issuance through an approved ICP-Brasil/Open Finance Brasil V5 certificate chain and correct Directory values.

BrSEAL Subject

Stored as UID.
Stored in subjectAltName otherName 2.16.76.1.3.3.
Stored as the first organizationalUnitName.
Stored as the second organizationalUnitName.
Stored as the third organizationalUnitName.
Stored in subjectAltName otherName 2.16.76.1.3.2.
Stored in subjectAltName otherName 2.16.76.1.3.4.
Stored in subjectAltName otherName 2.16.76.1.3.7.

BrSEAL Options

Open Finance Brasil specifies RSA 2048.

Validate certificate or CSR

Paste a PEM-encoded certificate or certificate signing request and choose the profile you expect it to match. A certificate can't be reliably classified on its own, so validation runs against the profile you pick. Everything runs locally in your browser; extra whitespace is stripped automatically.

Validation result


Output

Certificate (PEM)

Certificate Signing Request (PEM)

Private Key (PEM, unencrypted)

Public Key (PEM)