ToolJutsu
All tools
Developer Tools

RSA Key Pair Generator

Generate RSA public and private key pairs as PEM files.

Key size (bits)

2048 is the minimum modern web standard. 3072 / 4096 are recommended for long-term keys, at the cost of longer generation time. 1024 is included only for legacy testing — it is no longer considered secure.
Processed on your device. We never see your files.

How to use RSA Key Pair Generator

What is RSA?

RSA — named after Rivest, Shamir and Adleman, who published it in 1977 — is the original practical public-key cryptosystem. Its security rests on the difficulty of factoring the product of two large prime numbers: given the modulus n = p * q, recovering p and q is computationally infeasible at sufficient key sizes.

An RSA key pair has two parts: a public key anyone can hold, and a private key the owner must keep secret. The two are mathematical inverses — anything encrypted (or signed) with one can only be decrypted (or verified) with the other. Half a century later, RSA still underpins most of the public-key infrastructure you touch every day: the TLS handshake to your bank, the JWT issued by your auth provider, the GitHub SSH key in your ~/.ssh, the code-signing certificate on a Windows installer.

How it works

Key generation, in outline:

  1. Pick two large random primes p and q of equal bit-length — each roughly half the desired key size.
  2. Compute the modulus n = p * q and the Carmichael totient λ(n) = lcm(p−1, q−1).
  3. Choose a public exponent e coprime to λ(n) — almost universally 65537 (0x10001), a small Fermat prime that permits fast public-side operations.
  4. Compute the private exponent d as the modular inverse of e mod λ(n).
  5. The public key is (n, e). The private key is (n, d) plus, in practice, p, q and several pre-computed CRT values that speed up signing.

The Web Crypto API does all of this inside crypto.subtle.generateKey, using the browser’s CSPRNG to source the prime candidates. The keys are then exported as PEM-encoded byte arrays: SPKI (Subject Public Key Info) for the public side and PKCS#8 for the private side, both wrapped in the familiar -----BEGIN ... KEY----- armour.

Common use cases

  • TLS certificates. A web server presents a certificate that binds its hostname to its RSA public key, signed by a CA. The server proves possession of the matching private key during the TLS handshake.
  • SSH login. ~/.ssh/id_rsa holds an RSA private key; the corresponding public key sits in the server’s authorized_keys. SSH signs a session-specific challenge to prove possession.
  • JWT signing. RS256, RS384 and RS512 JWTs are signed with RSA private keys and verified with the matching public key — ideal for issuing tokens that any consumer can verify without sharing a secret.
  • Code signing. Windows Authenticode, macOS notarisation, npm package signing and Java JAR signing all use RSA (and ECDSA) signatures to prove publisher identity.
  • Document signing. PDF signatures, S/MIME emails and XML-DSig workflows still rely heavily on RSA.

How to use this RSA key pair generator

  1. Choose a key size — 2048 is the sensible default; 3072 or 4096 if you need a longer lifetime; 1024 only for compatibility with legacy systems you cannot change.
  2. Click Generate key pair. Generation runs in your browser via crypto.subtle.generateKey; expect 1–3 seconds for 2048 bits and noticeably longer for 4096.
  3. Copy the public key (-----BEGIN PUBLIC KEY----- block) to wherever the relying party needs it — a server config, a JWT verifier, a CA’s CSR form.
  4. Copy the private key (-----BEGIN PRIVATE KEY----- block) into a secure store. Do not paste it into chat, tickets, or any service you don’t control.
  5. If you only need one half — for example you’re generating a JWT verifier and the issuer already holds the private side — discard the other half and clear the page.

Security considerations

  • Key size for longevity. A 2048-bit key is fine for short-lived TLS certificates (90-day Let’s Encrypt rotation); a 3072- or 4096-bit key is the right pick for keys you may keep for years.
  • Never reuse a key across roles. Use distinct keys for TLS, signing JWTs, signing code, and SSH. Compromise of one role should not pivot into another.
  • Rotate on schedule. Even with good hygiene, plan rotation: yearly for TLS, every 2–3 years for SSH, on every release for ephemeral signing keys.
  • The private key is the asset. A leaked private key is catastrophic; treat it as more sensitive than the password it protects. Filesystem permissions alone are not enough — encrypt at rest where the platform supports it.
  • Consider ECC. For new systems, an ECDSA P-256 or Ed25519 key gives equivalent security at a fraction of the size and is faster to sign with. RSA remains right when interoperability with older systems is required.

Privacy

Both keys are generated by crypto.subtle.generateKey in your browser, exported to PEM locally with crypto.subtle.exportKey, and displayed on this page. No network request is made during generation. You can verify in the Network tab — after the initial JavaScript bundle there is silence — or pull the cable after the page loads and the generator continues to work.

Compatibility notes

The PEM-encoded output uses the standard SPKI (public) and PKCS#8 (private) ASN.1 structures and is accepted by OpenSSL, Node.js crypto, Python cryptography, Java KeyFactory, Go’s crypto/x509, .NET RSA.ImportFromPem, the jose and jsonwebtoken libraries, and every TLS toolchain. To convert to OpenSSH format (ssh-rsa AAAA...), run ssh-keygen -i -f key.pub -m PKCS8. The generator requires Web Crypto API support, present in every browser released since 2018.

Frequently asked questions

Which key size should I pick?
2048 bits is the modern minimum and what the CA/Browser Forum has required for publicly trusted TLS certificates since 2014. 3072 bits is the recommendation for keys you expect to keep using past 2030 (NIST SP 800-57 maps it to a 128-bit security level, comparable to AES-128). 4096 bits is a defensible choice for long-lived signing keys (root CAs, code-signing) where the extra CPU cost during signing is irrelevant. 1024 bits is included for legacy interoperability only — it has been considered broken since 2010 and any new system should reject it. As a rule of thumb: 2048 for short-lived TLS, 3072 for general use, 4096 for keys you may not be able to rotate easily.
What's the difference between PEM and OpenSSH format?
Both encode the same key material; they differ only in the wrapper. PEM (the format this tool emits) is the X.509 / PKCS standard: a -----BEGIN PUBLIC KEY----- block for SPKI public keys and -----BEGIN PRIVATE KEY----- for PKCS#8 private keys, with base64 inside. PEM is what TLS servers, JWT libraries, code-signing tools and most language standard libraries consume. OpenSSH format (ssh-rsa AAAAB3Nza... on a single line for the public key, and the proprietary -----BEGIN OPENSSH PRIVATE KEY----- block for the private key) is what ~/.ssh/authorized_keys and ~/.ssh/id_rsa use. Converting between them is one ssh-keygen -i -f input.pub -m PKCS8 command, but this tool generates PEM directly because that is the form most application code wants.
How do I keep the private key safe?
Treat the private key as more sensitive than any password it protects. Specifically: never paste a private key into a chat, ticket, screenshot or email; store it encrypted at rest (filesystem permissions are not enough — use a passphrase, an OS keystore, or a hardware token); never commit it to version control even briefly; rotate it immediately if you suspect any exposure. For high-value keys (root CAs, code-signing, production TLS) consider generating directly inside an HSM or hardware token so the private key never has a software representation at all. This tool generates the private key in your browser and never transmits it, but the moment you copy it out, you own the responsibility for it.
Can I encrypt data with the keys generated here?
These keys are generated as RSASSA-PKCS1-v1_5 — the standard format for signing, which is what 99% of RSA usage in TLS, JWT and SSH actually needs. The same key material can be re-imported as RSA-OAEP for encryption in most libraries, but be aware: if you actually need RSA encryption you almost certainly want a hybrid scheme (encrypt a symmetric key with RSA-OAEP, then encrypt the payload with AES-GCM). Raw RSA encryption of arbitrary data is a footgun — RSA can only encrypt blocks smaller than the modulus minus padding overhead, and PKCS1-v1.5 encryption padding has known attacks (Bleichenbacher, 1998). Use OAEP, or better, use a high-level library like libsodium and pick Curve25519.
Is the private key sent to a server?
No. Both keys are generated by crypto.subtle.generateKey inside your browser, exported with crypto.subtle.exportKey to raw bytes, and PEM-encoded locally. There is no network request during generation — you can verify in the Network tab, or pull the network cable after the page loads. The private key never leaves the tab unless you copy it yourself.

Related tools

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes.

HMAC Generator

Generate HMAC signatures with the Web Crypto API.

JWT Decoder

Decode and inspect JSON Web Token headers and payloads.

bcrypt Generator

Hash and verify passwords with bcrypt at a configurable cost factor.

Random Token Generator

Generate secure random tokens — alphanumeric, hex, base64url or URL-safe.

UUID Generator

Generate v1 and v4 UUIDs in bulk.