RSA Key Pair Generator
Generate RSA key pairs (2048/4096-bit) in PEM or JWK format directly in your browser. Private keys never leave your machine.
How to Use
- Select a Key Size (2048-bit or 4096-bit).
- Select an Algorithm: RSA-OAEP for encryption use cases, RSASSA-PKCS1-v1_5 for signing.
- Select an output Format: PEM or JWK.
- Click Generate Key Pair and wait a moment for generation to complete.
- Copy or download the public and private keys separately.
Security Notes
- Keep your private key secret. Anyone with the private key can decrypt messages or forge signatures.
- Share only your public key — it is designed to be public.
- This tool generates keys for testing and development. For production use, manage keys with a dedicated secret manager (AWS KMS, HashiCorp Vault, etc.).
FAQ
Are my keys sent to any server?
No. Key generation uses the browser's built-in Web Crypto API (crypto.subtle.generateKey). Nothing ever leaves your machine. The 'Your keys never leave this browser' badge is a hard guarantee.
What is the difference between RSA-OAEP and RSASSA-PKCS1-v1_5?
RSA-OAEP is used for asymmetric encryption (encrypt data with public key, decrypt with private key). RSASSA-PKCS1-v1_5 is used for digital signing (sign with private key, verify with public key).
Which key size should I choose?
2048-bit is the current industry minimum and is sufficient for most use cases. Choose 4096-bit for long-lived keys or when regulations require higher security margins. 4096-bit generation takes noticeably longer.
What is the PEM format?
PEM (Privacy Enhanced Mail) is a Base64-encoded DER certificate wrapped in -----BEGIN/END----- headers. It is the most common format for TLS certificates, SSH keys, and API keys.
What is the JWK format?
JWK (JSON Web Key) is a JSON representation of cryptographic keys defined by RFC 7517. It is commonly used in OAuth 2.0, OIDC, and JWT authentication flows.