How to confirm a CSR PEM is well-formed

1. Paste the CSR PEM

   Drop the `-----BEGIN CERTIFICATE REQUEST-----` … `-----END CERTIFICATE REQUEST-----` block into the "PEM" field. Some CAs export the older `NEW CERTIFICATE REQUEST` header — this tool only looks for `CERTIFICATE REQUEST`.

2. Press Run

   Result returns `containsHeader` (true if the BEGIN line is present) and `bodyLength` (character count of the base64 body between BEGIN and END). A non-zero body with the header is the basic well-formedness signal.

3. What it does NOT validate

   The tool does NOT verify the CSR's signature, decode the subject/SAN, or check key strength. For that, run `openssl req -in request.csr -noout -text` locally, or upload to a CA's CSR-decode page.

4. When the CSR fails to submit

   If the CA refuses your CSR even after `containsHeader: true`, common culprits: stray whitespace inside the base64 body, BEGIN/END mismatched, or the CSR signed with a key the CA doesn't accept. Re-export from your KMS.