DevToolbox

RSA Key Pair Generator

Generate RSA public and private key pairs in PEM format using the Web Crypto API. All processing runs in your browser.

About This Tool

The RSA Key Pair Generator creates cryptographically secure RSA key pairs directly in your browser using the Web Crypto API. It supports key sizes of 2048, 3072, and 4096 bits, and exports keys in industry-standard PKCS#8 (private) and SPKI (public) PEM format. No server is involved at any point — your private key never leaves your machine.

RSA (Rivest-Shamir-Adleman) is one of the most widely deployed public-key cryptosystems. It is used for TLS/SSL certificates, SSH authentication, code signing, and digitally signing JSON Web Tokens. The two algorithm modes offered here cover the main RSA use cases: RSA-OAEP for asymmetric encryption and RSASSA-PKCS1-v1_5 for digital signatures. Both use SHA-256 as the underlying hash function.

The generated PEM output can be used directly with OpenSSL, Node.js, Python, Go, and virtually any crypto library. The private key is exported in PKCS#8 DER encoding wrapped in PEM armor (base64 with 64-character line wrapping and BEGIN/END headers). The public key uses SubjectPublicKeyInfo (SPKI) encoding. If you need to compute hashes of your keys or data, try the Hash Generator.

All key generation and export is performed entirely in the browser. The Web Crypto API delegates to the operating system's native cryptographic libraries, which means key generation is hardware-accelerated where available. A 2048-bit key typically generates in under 500 milliseconds, while a 4096-bit key may take a few seconds depending on your device. The generation time is displayed after each operation so you can gauge performance.

How to Use

  1. Select a key size: 2048-bit (fast, standard), 3072-bit (recommended for new systems), or 4096-bit (maximum strength, slower).
  2. Choose an algorithm: RSA-OAEP for encryption/decryption, or RSASSA-PKCS1-v1_5 for signing/verification.
  3. Click Generate Key Pair or press Ctrl+Enter. A loading spinner appears while the key is being generated.
  4. Once generated, both the public key and private key appear in PEM format with their respective headers.
  5. Click Copy next to either key to copy it to your clipboard, or press Ctrl+Shift+C to copy the public key.
  6. Click Clear to remove the generated keys from the page.
  7. Repeat with different settings to generate additional key pairs as needed.

FAQ

Is my data safe?

Yes. All key generation runs entirely in your browser using the Web Crypto API. Your private key is never sent to any server, stored in a database, or logged by analytics. You can verify this by inspecting the network tab in your browser's developer tools.

Which key size should I choose?

For most use cases, 2048-bit keys are considered secure through 2030. NIST recommends 3072-bit keys for security beyond 2030. 4096-bit keys provide the highest level of security but are slower to generate and use. Choose based on your threat model and performance requirements.

What is the difference between RSA-OAEP and RSASSA-PKCS1-v1_5?

RSA-OAEP (Optimal Asymmetric Encryption Padding) is used for encrypting data with a public key and decrypting with the corresponding private key. RSASSA-PKCS1-v1_5 is used for creating digital signatures with a private key and verifying them with the public key. Choose the algorithm that matches your intended use case.

What format are the keys exported in?

Private keys are exported in PKCS#8 PEM format (-----BEGIN PRIVATE KEY-----). Public keys are exported in SPKI (SubjectPublicKeyInfo) PEM format (-----BEGIN PUBLIC KEY-----). Both formats are widely supported by OpenSSL, programming libraries, and security tools.

Why does 4096-bit key generation take longer?

RSA key generation requires finding two large prime numbers. Larger key sizes require larger primes, which means more primality tests and more computation. A 4096-bit key uses primes roughly twice as large as a 2048-bit key, and the generation time scales super-linearly. This is a one-time cost — once generated, key operations are faster.

Can I use these keys with OpenSSL or SSH?

The PKCS#8 private key and SPKI public key PEM formats are directly compatible with OpenSSL. For SSH, you would need to convert the public key to OpenSSH format using a command like 'ssh-keygen -i -m PKCS8 -f key.pub'. The private key can often be used directly or converted with OpenSSL.

Related Tools

JWT Generator

Generate JSON Web Tokens with custom payloads and HMAC signing. Set claims, expiration, and copy the signed JWT.

SSL Certificate Decoder

Decode and inspect PEM/DER SSL certificates. View issuer, subject, validity, extensions, and fingerprints.

Encryption Playground

Experiment with AES-GCM, AES-CBC, and RSA-OAEP encryption. Step-by-step visualization of the encryption process.

HMAC Generator

Generate HMAC signatures using MD5, SHA-1, SHA-256, SHA-384, and SHA-512 with hex or Base64 output.

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes for text and files.