Generate RSA public and private key pairs directly in your browser using the Web Crypto API. Keys are output in PEM format and never leave your device — 100% client-side, zero server contact.
RSA Key Pair Generator creates asymmetric cryptographic key pairs directly in your browser using the Web Crypto API. The tool generates mathematically linked public and private keys in PEM format, the most widely used format compatible with OpenSSL, SSH, JWT libraries, and virtually all cryptographic tools. Unlike server-based generators, this tool runs 100% client-side — your keys are generated on your device and never transmitted to any server, providing the highest possible level of trust and security.
Use this tool when you need RSA keys for SSL/TLS certificate generation, JWT token signing, SSH key setup, API authentication, encrypted communication between services, or any application requiring public-key cryptography. It is ideal for development and testing environments where you need quick key generation without installing OpenSSL or other command-line tools.
Security engineers and developers use RSA Key Pair Generator to create signing keys for JWT authentication, generate TLS certificate key pairs for development servers, produce SSH key pairs for server access, create keys for encrypted data exchange between microservices, set up webhook signature verification, and build proof-of-concept security implementations. The 2048-bit default is suitable for most applications, while 4096-bit keys provide a higher security margin for long-lived production keys.
Essential terms and definitions related to RSA Key Pair Generator.
One of the first and most widely used public-key cryptographic algorithms. RSA is based on the mathematical difficulty of factoring the product of two large prime numbers. It enables asymmetric encryption (encrypt with public key, decrypt with private key) and digital signatures (sign with private key, verify with public key). Common applications include SSL/TLS certificates, SSH authentication, and JWT signing.
A Base64-encoded text format for storing cryptographic keys and certificates, enclosed between header and footer lines (e.g., -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----). PEM stands for Privacy-Enhanced Mail and is the most common format for exchanging keys. It is human-readable, easy to copy-paste, and supported by virtually all cryptographic tools.
A mathematically linked pair of cryptographic keys used in asymmetric cryptography. The public key can be freely shared and is used to encrypt data or verify signatures. The private key must be kept secret and is used to decrypt data or create signatures. The security of the system relies on the computational infeasibility of deriving the private key from the public key.
A random number generator that produces output suitable for use in cryptographic applications. Unlike standard Math.random(), a CSPRNG (like the one backing Web Crypto API) guarantees that its output is unpredictable even to an adversary with knowledge of previous outputs. Operating systems provide CSPRNGs through interfaces like /dev/urandom (Linux) and CryptGenRandom (Windows).
Yes. The generator uses the Web Crypto API (window.crypto.subtle.generateKey), which is a browser-native cryptographic API that provides cryptographically secure key generation. The randomness source is the operating system CSPRNG (Cryptographically Secure Pseudo-Random Number Generator), the same source used by OpenSSL and other security-critical applications.
No. The entire key generation process runs locally in your browser using JavaScript and the Web Crypto API. No data is sent to any server — there are no API calls, no uploads, and no analytics on generated keys. You can verify this by disconnecting from the internet and using the tool offline.
The tool supports RSA key sizes of 1024, 2048, and 4096 bits. 2048 bits is the current industry standard minimum for secure communications. 4096 bits provides a higher security margin and is recommended for long-lived keys. 1024 bits is provided for legacy compatibility but is considered insecure for production use.
Keys are output in PEM (Privacy-Enhanced Mail) format, the most widely used format for RSA keys. The public key uses SPKI (Subject Public Key Info) format and the private key uses PKCS#8 format. These formats are compatible with OpenSSL, SSH, JWT libraries, and most cryptographic tools and libraries.
The generated keys are in standard PEM format (PKCS#8 for private, SPKI for public). For SSH, you would need to convert the public key to OpenSSH format using a command like `ssh-keygen -i -m PKCS8 -f public.pem`. The private key in PKCS#8 PEM format is directly usable by modern OpenSSH versions (7.8+).
Common errors developers encounter and how to resolve them.
Key generation takes a long time with 4096-bit size RSA key generation for 4096 bits requires significantly more computation than 2048 bits (roughly 8x more). On mobile devices or older hardware, this can take 5–15 seconds. The browser may appear unresponsive during generation — this is normal. If you need faster generation, use 2048-bit keys, which provide adequate security for most applications.
Web Crypto API not available error The Web Crypto API requires a secure context (HTTPS or localhost). If you are accessing the tool over plain HTTP, the browser will not expose the crypto.subtle API. Access the tool via HTTPS to resolve this issue. All modern browsers (Chrome 37+, Firefox 34+, Safari 11+, Edge 12+) support the Web Crypto API.
Generated PEM key is not accepted by my application Verify that your application expects the correct PEM format. This tool generates PKCS#8 for private keys and SPKI for public keys. Some older applications expect PKCS#1 format (headers: BEGIN RSA PRIVATE KEY / BEGIN RSA PUBLIC KEY). Use OpenSSL to convert between formats: `openssl rsa -in private.pem -out private_pkcs1.pem -traditional`.