A CSR is signed by the private key corresponding to the public key in the CSR. This check verifies that the signature on the CSR is valid. An invalid signature indicates that the CSR has been modified since it was created, or that the public key in the CSR doesn't correspond to the private key used to sign it.

This check looks for a field in the CSR's name that has no value. For example, the CSR Decoder would issue a warning about the name given below because the locality field is present but has no value.

CN=www.acme.com, O=acme, L=, C=gb

The reason for this warning is that some CAs may reject CSRs that contain fields with empty values.
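A sketch of the empty-field check, as an added example rather than the CSR Decoder's own code. It assumes the name is supplied in the comma-separated text form shown above; the function names and the extra sample names in the comments are constructed for illustration.

```python
# Added example: flag name attributes that are present but carry no value.
# Function names are hypothetical; inputs are the textual form of a CSR subject.

def split_unescaped(text, seps):
    """Split on any char in seps that is not backslash-escaped or inside double quotes."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact, e.g. "\,"
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch in seps and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def empty_fields(dn):
    """Return the attribute types in dn whose value is empty or whitespace only."""
    empty = []
    # "," separates RDNs; "+" separates attributes inside a multi-valued RDN.
    for atv in split_unescaped(dn, ",+"):
        atv = atv.strip()
        if not atv:
            continue  # tolerate a trailing separator
        attr_type, sep, value = atv.partition("=")
        value = value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # a quoted empty string is still an empty value
        if sep and not value.strip():
            empty.append(attr_type.strip())
    return empty


if __name__ == "__main__":
    print(empty_fields("CN=www.acme.com, O=acme, L=, C=gb"))
```

Escaped or quoted commas inside a value (for example `O=Acme\, Inc`) are not treated as separators, so they do not produce false warnings.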

Checks for weak RSA keys generated by Debian-based systems. It uses the dowkd blacklist, which may be incomplete. This page contains CSRs and certificates with known weak keys. Please let us know if it fails to identify a CSR or certificate you know to have a weak key.

In May 2008, the Debian team announced that Luciano Bello had discovered a vulnerability in the Debian OpenSSL package. The impact was that all SSL and SSH keys generated on Debian-based systems (including Ubuntu) released between September 2006 and May 13th 2008 may be affected. The Debian Security Team disclosed this vulnerability in Debian Security Advisory 1571. The best resource on this vulnerability is the Debian Wiki. We have also written about this in our CSR FAQ.

Checks that RSA and DSA keys are at least 2048 bits and that EC keys are at least 224 bits.