DevToolKit

RSA Key Pair Generator

Generate RSA-2048, RSA-3072, and RSA-4096 key pairs in PEM and JWK formats. Uses the Web Crypto API for secure client-side generation. Keys never leave your browser.

100% Client-Side. Keys are generated using the Web Crypto API in your browser. Nothing is transmitted to any server.

How to Use

Generating an RSA key pair takes just a few steps with our browser-based tool:

  1. Choose Key Size: Select 2048-bit for standard applications, 3072-bit for enhanced security, or 4096-bit for maximum protection.
  2. Select Algorithm: Pick RSA-OAEP if you need encryption and decryption, or RSASSA-PKCS1-v1_5 for digital signing and verification.
  3. Generate: Click the Generate RSA Key Pair button. The Web Crypto API creates your keys instantly in your browser.
  4. Switch Format: Toggle between PEM (for OpenSSL, SSH, and server configs) and JWK (for web APIs and JWT libraries).
  5. Copy or Download: Use the copy button for quick clipboard access, or download each key as a file. The private key is blurred by default for on-screen privacy.
  6. Verify Fingerprint: Check the SHA-256 fingerprint in the key info bar to confirm key identity when distributing the public key.

About This Tool

Understanding RSA Key Pair Generation

RSA (Rivest-Shamir-Adleman) is one of the oldest and most widely deployed public-key cryptographic algorithms. Published in 1977, RSA remains the foundation of internet security infrastructure, powering TLS/SSL certificates, SSH authentication, code signing, and encrypted email (S/MIME and PGP). An RSA key pair consists of two mathematically related keys: a public key that can be freely shared, and a private key that must remain secret. The security of RSA relies on the computational difficulty of factoring the product of two large prime numbers.

Key Sizes and Security Levels

The security of an RSA key increases with its bit length. A 2048-bit key provides approximately 112 bits of security strength and is the current minimum recommended by NIST (SP 800-57 Part 1). This size is sufficient for most applications through 2030. A 3072-bit key delivers approximately 128 bits of security and is recommended for data that must remain confidential well beyond 2030. A 4096-bit key offers the strongest practical protection but is slower to generate and produces larger signatures. Choose your key size based on the sensitivity and longevity requirements of your data.

RSA-OAEP vs RSASSA-PKCS1-v1_5

This tool supports two RSA algorithm variants. RSA-OAEP (Optimal Asymmetric Encryption Padding) is the modern standard for RSA encryption. It uses a padding scheme that provides provable security against chosen-ciphertext attacks. Use RSA-OAEP when you need to encrypt data or wrap symmetric keys. RSASSA-PKCS1-v1_5 is a signature algorithm used to create and verify digital signatures. Despite its age, it remains widely used in JWT RS256 tokens, TLS handshakes, and certificate chains. Both algorithms use SHA-256 for hashing in this implementation.
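The split between the two variants is enforced by the Web Crypto API itself: each key is bound to one algorithm and a fixed set of usages. The following is an added example, not the tool's own code; the function names are hypothetical, and it assumes a runtime that exposes Web Crypto (a browser, or Node.js).

```javascript
// Added example: key separation between RSASSA-PKCS1-v1_5 and RSA-OAEP.
// Browsers and recent Node expose globalThis.crypto; older Node needs the fallback.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const rsaParams = (name) => ({ name, modulusLength: 2048,
  publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' });

// RSASSA-PKCS1-v1_5: sign with the private key, verify with the public key.
async function signAndVerify(message, tamper = false) {
  const { publicKey, privateKey } = await subtle.generateKey(
    rsaParams('RSASSA-PKCS1-v1_5'), false, ['sign', 'verify']);
  const data = new TextEncoder().encode(message);
  const sig = await subtle.sign('RSASSA-PKCS1-v1_5', privateKey, data);
  if (tamper) data[0] ^= 1; // flip one bit after signing
  return subtle.verify('RSASSA-PKCS1-v1_5', publicKey, sig, data);
}

// RSA-OAEP: wrap a fresh AES-256-GCM key with the public key,
// unwrap it with the private key, and compare the raw key bytes.
async function wrapRoundTrip() {
  const { publicKey, privateKey } = await subtle.generateKey(
    rsaParams('RSA-OAEP'), false, ['wrapKey', 'unwrapKey']);
  const aes = await subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const wrapped = await subtle.wrapKey('raw', aes, publicKey, { name: 'RSA-OAEP' });
  const unwrapped = await subtle.unwrapKey('raw', wrapped, privateKey,
    { name: 'RSA-OAEP' }, { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const a = new Uint8Array(await subtle.exportKey('raw', aes));
  const b = new Uint8Array(await subtle.exportKey('raw', unwrapped));
  return { wrappedBytes: wrapped.byteLength, same: a.every((x, i) => x === b[i]) };
}

// A signing key cannot be requested with an encryption usage:
// generateKey rejects, and this returns the name of the error.
async function mismatchedUsageError() {
  try {
    await subtle.generateKey(rsaParams('RSASSA-PKCS1-v1_5'), false, ['encrypt']);
    return null;
  } catch (e) {
    return e.name;
  }
}
```
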

PEM and JWK Export Formats

Keys are exported in two industry-standard formats. PEM (Privacy-Enhanced Mail) wraps Base64-encoded key data between header and footer lines. Public keys use SPKI (Subject Public Key Info) encoding, while private keys use PKCS#8 encoding. PEM is the default format for OpenSSL, Apache, Nginx, and SSH tooling. JWK (JSON Web Key, RFC 7517) represents the key as a JSON object with named parameters (n, e, d, p, q). JWK is the native format for browser-based Web Crypto API operations, JWT libraries like jose and jsonwebtoken, and REST API key distribution.

SHA-256 Key Fingerprint

A key fingerprint is a compact hash of the public key's binary representation. This tool computes a SHA-256 digest of the SPKI-encoded public key and displays it in colon-separated hexadecimal format. Fingerprints serve as a convenient way to verify key identity without comparing the full key text. When distributing your public key, share the fingerprint through a separate trusted channel so recipients can confirm they received the authentic key.
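The generate, export, and fingerprint steps described above can be reproduced directly with the Web Crypto API. This is an added example, not the tool's own code: the function names are hypothetical, and lowercase hex in the fingerprint is an assumption about the display format.

```javascript
// Added example: generate, export (PEM + JWK) and fingerprint an RSA key pair.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

// Wrap DER bytes in PEM armor: Base64 in 64-character lines between header and footer.
function derToPem(der, label) {
  const b64 = btoa(String.fromCharCode(...new Uint8Array(der)));
  return `-----BEGIN ${label}-----\n${b64.match(/.{1,64}/g).join('\n')}\n-----END ${label}-----\n`;
}

// Strip the armor and whitespace, then decode back to DER bytes.
function pemToDer(pem) {
  const b64 = pem.replace(/-----(BEGIN|END) [A-Z ]+-----/g, '').replace(/\s+/g, '');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// SHA-256 over the SPKI-encoded public key, as colon-separated hex.
async function fingerprint(spkiDer) {
  const digest = new Uint8Array(await subtle.digest('SHA-256', spkiDer));
  return Array.from(digest, (b) => b.toString(16).padStart(2, '0')).join(':');
}

// Generate an extractable signing key pair and export it in both formats.
async function generateAndExport(modulusLength = 2048) {
  const { publicKey, privateKey } = await subtle.generateKey(
    { name: 'RSASSA-PKCS1-v1_5', modulusLength,
      publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    true, ['sign', 'verify']);
  const spki = await subtle.exportKey('spki', publicKey);
  return {
    publicPem: derToPem(spki, 'PUBLIC KEY'),
    privatePem: derToPem(await subtle.exportKey('pkcs8', privateKey), 'PRIVATE KEY'),
    publicJwk: await subtle.exportKey('jwk', publicKey),
    fingerprint: await fingerprint(spki),
  };
}

// The JWK and the PEM describe the same key: re-encoding the JWK as SPKI
// yields the same fingerprint.
async function fingerprintFromJwk(jwk) {
  const key = await subtle.importKey('jwk', jwk,
    { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, true, ['verify']);
  return fingerprint(await subtle.exportKey('spki', key));
}

// Recipient side: recompute the fingerprint from the received PEM and
// compare it with the value obtained through the separate trusted channel.
async function verifyReceivedKey(publicPem, expectedFingerprint) {
  return (await fingerprint(pemToDer(publicPem))) === expectedFingerprint.toLowerCase();
}
```
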

Why Use This Tool

Why Use This RSA Key Generator?

Most online RSA generators transmit your private key through their servers, creating an unacceptable security risk. Our tool generates keys entirely in your browser using the Web Crypto API (crypto.subtle.generateKey), the same cryptographic engine that powers HTTPS in every modern browser. Your private key exists only in your browser's memory and is never transmitted, logged, or stored anywhere.

Common Use Cases

  • JWT Signing: Generate RS256 keys for signing and verifying JSON Web Tokens in authentication systems.
  • TLS/SSL: Create RSA key pairs for self-signed certificates during development and testing.
  • SSH Authentication: Generate key pairs for passwordless SSH login to servers and Git repositories.
  • S/MIME Email: Create keys for encrypting and signing email messages.
  • API Security: Generate JWK key sets for OAuth 2.0 and OpenID Connect providers.
  • Code Signing: Create signing keys for software distribution and package verification.

Privacy by Architecture

This tool loads zero external scripts and makes zero network requests during key generation. You can verify this by opening your browser's Network tab before generating a key. The entire application is static HTML, CSS, and JavaScript served from Cloudflare's edge network. There is no backend server, no database, and no analytics on the key generation process itself. Your cryptographic material stays where it belongs: on your machine.

FAQ

Are the generated RSA keys truly secure?
Yes. This tool uses the browser's native Web Crypto API (crypto.subtle.generateKey) which relies on a cryptographically secure random number generator. The keys are generated entirely in your browser and never transmitted to any server.

What is the difference between RSA-OAEP and RSASSA-PKCS1-v1_5?
RSA-OAEP is designed for encryption and decryption operations, commonly used in key wrapping and secure message exchange. RSASSA-PKCS1-v1_5 is designed for digital signing and verification, commonly used in JWT tokens and code signing.

Which RSA key size should I choose?
2048-bit keys are the current minimum standard and suitable for most applications. 3072-bit keys offer stronger security recommended for data that must remain secure beyond 2030. 4096-bit keys provide the highest security but are slower to generate and use.

What is the difference between PEM and JWK formats?
PEM (Privacy-Enhanced Mail) is a Base64-encoded format widely used in TLS/SSL certificates, SSH keys, and command-line tools like OpenSSL. JWK (JSON Web Key) is a JSON-based format used in web applications, JWT libraries, and APIs.