RSA Key Pair Generator
The RSA Key Pair Generator creates RSA public/private key pairs in PEM format using the browser's Web Crypto API. Choose the key size (2048 or 4096 bits recommended for production) and the output format (PKCS#8, PKCS#1, SPKI). The private key never leaves your browser. Use the generated keys for testing TLS certificates, JWT RS256 signing, SSH authentication, or learning about asymmetric cryptography.
What is RSA and asymmetric cryptography?
RSA (Rivest–Shamir–Adleman) is the most widely used public-key cryptosystem, invented in 1977. Asymmetric cryptography uses two mathematically related keys: the public key, which can be freely shared, and the private key, which must be kept secret. Data encrypted with the public key can only be decrypted with the private key. A digital signature created with the private key can be verified by anyone with the public key. RSA security is based on the practical difficulty of factoring the product of two large prime numbers. RSA is used for TLS handshakes, code signing, email encryption (PGP/S-MIME), SSH key authentication, and JWT signing (RS256, RS384, RS512).
How does the generator work?
The tool uses the browser's SubtleCrypto.generateKey() API with the RSASSA-PKCS1-v1_5 or RSA-OAEP algorithm to generate the key pair natively in the browser's cryptographic engine. Key generation for 4096-bit keys may take a few seconds. The generated CryptoKey objects are exported using SubtleCrypto.exportKey() in SPKI format for the public key and PKCS#8 format for the private key. The raw DER bytes are Base64-encoded and wrapped with PEM headers (-----BEGIN PUBLIC KEY----- and -----BEGIN PRIVATE KEY-----). The private key is shown only once – copy and store it securely immediately.
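The flow described above, written out as an added example (not the tool's own code): generate the pair, export SPKI and PKCS#8, wrap the Base64 in PEM markers, then re-import both PEMs as non-extractable keys and confirm a signature verifies. The function names, the RSASSA-PKCS1-v1_5/SHA-256 choice and the test message are assumptions; the `require` fallback exists only so the same code runs in Node.js.

```javascript
// Added example; toPem, pemToDer, generatePemKeyPair and verifyPemKeyPair
// are illustrative names, not the tool's own code.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

// Base64-encode DER bytes and wrap at 64 characters between PEM markers.
function toPem(der, label) {
  let bin = '';
  for (const b of new Uint8Array(der)) bin += String.fromCharCode(b);
  const b64 = btoa(bin).match(/.{1,64}/g).join('\n');
  return `-----BEGIN ${label}-----\n${b64}\n-----END ${label}-----\n`;
}

// Reverse of toPem: strip markers and whitespace, decode Base64 to DER.
function pemToDer(pem) {
  const b64 = pem.replace(/-----[A-Z ]+-----/g, '').replace(/\s+/g, '');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

async function generatePemKeyPair(modulusLength = 2048) {
  const { publicKey, privateKey } = await subtle.generateKey(
    { name: 'RSASSA-PKCS1-v1_5', modulusLength,
      publicExponent: new Uint8Array([1, 0, 1]), // 65537
      hash: 'SHA-256' },
    true, // extractable: without this, exportKey('pkcs8', ...) is refused
    ['sign', 'verify']);
  return {
    publicKeyPem: toPem(await subtle.exportKey('spki', publicKey), 'PUBLIC KEY'),
    privateKeyPem: toPem(await subtle.exportKey('pkcs8', privateKey), 'PRIVATE KEY'),
  };
}

// Self-check: re-import both PEMs (non-extractable this time) and confirm
// that a signature made with the private key verifies with the public key.
async function verifyPemKeyPair({ publicKeyPem, privateKeyPem }) {
  const alg = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
  const priv = await subtle.importKey('pkcs8', pemToDer(privateKeyPem), alg, false, ['sign']);
  const pub = await subtle.importKey('spki', pemToDer(publicKeyPem), alg, false, ['verify']);
  const msg = new TextEncoder().encode('constructed test message');
  const sig = await subtle.sign(alg.name, priv, msg);
  return subtle.verify(alg.name, pub, sig, msg);
}
```

Importing with `extractable` set to `false` means the application can sign with the key but script code can no longer export it.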
Typical Use Cases
- Generating a test RSA key pair for JWT RS256 signing in a development environment
- Creating a key pair to test TLS certificate generation with OpenSSL
- Producing RSA keys for SSH authentication setup
- Learning about public-key cryptography by inspecting the PEM key format
Step-by-step Guide
- Step 1: Select the key size: 2048-bit (faster, good for most uses) or 4096-bit (stronger, slower).
- Step 2: Click 'Generate Key Pair' and wait for the browser to compute the keys.
- Step 3: Copy the private key and store it in a secure location immediately.
- Step 4: Copy the public key for distribution to servers or services.
Example
Input
Key size: 2048 bits
Output
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkq...
-----END PUBLIC KEY-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADAN...
-----END PRIVATE KEY-----
Tips & Notes
- Use 2048-bit keys for short-lived test purposes; use 4096-bit keys for long-lived production certificates and signing keys.
- For new projects, consider ECDSA (using P-256 or P-384 curves) instead of RSA – ECDSA provides equivalent security with much shorter keys.
- Never store your private key in source code, environment variable files tracked by git, or any location accessible to unauthorized parties.
Frequently Asked Questions
What is the difference between PKCS#1 and PKCS#8 private key format?
PKCS#1 (-----BEGIN RSA PRIVATE KEY-----) is the older format that only stores RSA keys. PKCS#8 (-----BEGIN PRIVATE KEY-----) is the newer, algorithm-agnostic format that can store any private key type. PKCS#8 is preferred for new systems and is what the Web Crypto API exports.
Is 2048-bit RSA still secure?
Yes, as of 2024. NIST recommends 2048-bit RSA through 2030 and 3072-bit beyond that. For new keys intended to remain secure for many years, 4096-bit or ECDSA P-256/P-384 is recommended.
Does the tool send my private key to a server?
No. All key generation happens in your browser using the Web Crypto API. The private key bytes are never transmitted anywhere. Do not paste a real private key into any online tool.