RSA key pair generator — PEM public and private keys in the browser

Use this free online RSA key pair generator to create PEM-encoded RSA keys for local development, API demos, and learning workflows. Choose 1024 through 4096 bit modulus sizes, then export standard Subject Public Key Info (public) and PKCS#8 (private) blocks you can paste into OpenSSL-friendly tooling. All work runs in your tab via crypto.subtle, so keys are not uploaded when you generate them here. After you copy material, pair this page with the JWT encoder for signed-token experiments, or the AES encrypt and decrypt tool when you need symmetric encryption alongside asymmetric key concepts.


Keys are generated with RSA-OAEP and SHA-256 in the Web Cryptography API. PEM uses SPKI (public) and PKCS#8 (private). Protect private keys like passwords.

Why generate RSA keys in the browser instead of OpenSSL?

Many developers still run openssl genrsa on a workstation—and that remains a solid choice for automation. A browser-based RSA key generator helps when you are on a locked-down machine, writing a tutorial, or need a quick PEM key pair without installing a toolchain. You get interoperable text that matches what most runtimes import, while keeping the private key in memory you control until you copy it elsewhere.

This page focuses on RSA-OAEP with SHA-256 because that is what the Web Cryptography API exposes for encrypt/decrypt key pairs. Libraries that expect RSA signing may import the same PEM but configure RSA-PSS or RSASSA-PKCS1-v1_5 separately. For password storage, never substitute RSA for bcrypt, Argon2, or your framework’s password APIs—use the bcrypt hash generator when you need slow hashing for credentials.

How to use this RSA key generator (step by step)

  1. Pick a modulus length. For new systems, start at 2048 bits unless a standard mandates 3072 or 4096. Use 1024 bits only for legacy compatibility or fast classroom demos.
  2. Click Generate key pair. Larger keys take longer; generation runs entirely on your device.
  3. Copy the public key PEM to clients, configs, or documentation that only need encryption or verification material. Keep the private key PEM in a password manager, secret store, or encrypted file—never in public repositories.
  4. Use Copy public + private when you need both blocks in one paste (for example moving into a local vault). Use Upload PEM file to load an existing key bundle from disk and review or edit the text fields.

Keywords and search intents this tool covers

People often search for an RSA key generator online, create RSA public private key PEM, 4096 bit RSA generator, or Web Crypto RSA example. This page satisfies those intents with a no-login workflow and explicit privacy boundaries. If you are validating fingerprints or comparing digests of the same key material, the hash generator can compute SHA-256 hashes of strings you paste locally.

PEM format, PKCS#8, and certificates (quick guide)

A PEM file is Base64-encoded DER with header lines such as BEGIN PUBLIC KEY or BEGIN PRIVATE KEY. This tool outputs PKCS#8 private keys and SPKI public keys—the usual interchange format for application code. A TLS certificate wraps a public key with metadata and a CA signature. To inspect a certificate served from a public HTTPS URL, use the SSL certificate checker. For PEM files on disk, use Upload PEM file above or your platform's crypto utilities.
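The generation path described on this page (RSA-OAEP with SHA-256 via crypto.subtle, exported as SPKI and PKCS#8 PEM), followed by re-importing the same PEM text under a signing algorithm name, as an added example; it is not this tool's source code. The function names, the public exponent 65537 and the 32-byte PSS salt are assumptions chosen for the illustration.

```javascript
// Added example: toPem, fromPem and the functions below are illustrative names, not the tool's code.
// Browsers and recent Node expose crypto globally; the fallback covers older Node (CommonJS).
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// Wrap DER bytes in a PEM envelope: Base64 body split into 64-character lines.
function toPem(der, label) {
  const b64 = btoa(String.fromCharCode(...new Uint8Array(der)));
  return `-----BEGIN ${label}-----\n${b64.match(/.{1,64}/g).join("\n")}\n-----END ${label}-----\n`;
}

// Strip the envelope and decode back to DER; a block with a different label is rejected.
function fromPem(pem, label) {
  const m = pem.match(new RegExp(`-----BEGIN ${label}-----([A-Za-z0-9+/=\\s]+)-----END ${label}-----`));
  if (!m) throw new Error(`no ${label} block found`);
  return Uint8Array.from(atob(m[1].replace(/\s+/g, "")), (c) => c.charCodeAt(0));
}

// Generate an extractable RSA-OAEP pair and export SPKI (public) and PKCS#8 (private) as PEM.
async function generatePemPair(modulusLength = 2048) {
  const alg = { name: "RSA-OAEP", modulusLength, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" };
  const pair = await subtle.generateKey(alg, true, ["encrypt", "decrypt"]);
  return {
    publicPem: toPem(await subtle.exportKey("spki", pair.publicKey), "PUBLIC KEY"),
    privatePem: toPem(await subtle.exportKey("pkcs8", pair.privateKey), "PRIVATE KEY"),
  };
}

// Re-import from the PEM text only, as another runtime would, and round-trip a short secret.
async function oaepRoundTrip({ publicPem, privatePem }, text) {
  const alg = { name: "RSA-OAEP", hash: "SHA-256" };
  const pub = await subtle.importKey("spki", fromPem(publicPem, "PUBLIC KEY"), alg, false, ["encrypt"]);
  const priv = await subtle.importKey("pkcs8", fromPem(privatePem, "PRIVATE KEY"), alg, false, ["decrypt"]);
  const ct = await subtle.encrypt({ name: "RSA-OAEP" }, pub, new TextEncoder().encode(text));
  return new TextDecoder().decode(await subtle.decrypt({ name: "RSA-OAEP" }, priv, ct));
}

// The same PEM imported under a signing algorithm name (RSA-PSS) instead of RSA-OAEP.
async function pssSignVerify({ publicPem, privatePem }, text) {
  const alg = { name: "RSA-PSS", hash: "SHA-256" };
  const priv = await subtle.importKey("pkcs8", fromPem(privatePem, "PRIVATE KEY"), alg, false, ["sign"]);
  const pub = await subtle.importKey("spki", fromPem(publicPem, "PUBLIC KEY"), alg, false, ["verify"]);
  const data = new TextEncoder().encode(text);
  const sig = await subtle.sign({ name: "RSA-PSS", saltLength: 32 }, priv, data);
  return subtle.verify({ name: "RSA-PSS", saltLength: 32 }, pub, sig, data);
}
```

The re-imported keys are marked non-extractable, so a runtime that only needs to use the key cannot export it again. fromPem refuses a BEGIN RSA PRIVATE KEY (PKCS#1) block when asked for PRIVATE KEY, because importKey("pkcs8", ...) expects the PKCS#8 encoding.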

Security notes and responsible use

Treat generated RSA private keys like passwords. If you suspect exposure, rotate and revoke according to your system’s design. For interactive password strength feedback when teaching authentication, open the password strength meter. For API verification patterns that use shared secrets instead of asymmetric keys, the HMAC generator may be a better fit than RSA.

Related security and encryption tools

Browse the full security and encryption tools catalog. Highlights:

  • Password Strength Meter: Score password entropy, estimate crack time, and get practical hardening tips.
  • bcrypt Hash Generator: Generate bcrypt hashes with configurable cost for secure password storage testing.
  • AES Encrypt & Decrypt: Encrypt and decrypt text with AES-256 and a passphrase—runs fully in your browser.
  • CSP Builder: Toggle Content-Security-Policy directives and copy a header value ready for your server.
  • Security Headers Checker: Analyze security-related HTTP headers on any URL with graded guidance to harden responses.
  • JWT Encoder: Build HS256-signed JWTs from custom header and payload for API and auth testing.
  • HMAC Generator: Create HMAC-SHA256 or HMAC-SHA512 signatures with a secret for webhook and API verification.
  • SSL Certificate Decoder: Paste PEM certificates to read subject, issuer, SANs, and validity windows.
  • .htaccess Generator: Assemble common Apache .htaccess rules for redirects, HTTPS, caching, and access control.

Frequently asked questions

What is an RSA key pair and when do I use it?
RSA is a public-key algorithm: you publish a public key for encryption or signature verification and keep the matching private key secret. Teams use RSA for TLS certificates, SSH host keys (often different PEM formats), JWT signing with some libraries, and encrypting small secrets with hybrid schemes. This tool outputs PKCS#8 private keys and SPKI public keys in PEM text, which many languages and OpenSSL can import.

Which key size should I choose: 1024, 2048, 3072, or 4096 bits?
1024-bit RSA is obsolete for new production systems; browsers and auditors increasingly expect at least 2048 bits. Use 2048 for general compatibility, 3072 or 4096 when your policy or compliance framework requires longer moduli or you want extra margin—at the cost of slower generation and operations. For demos and local testing only, smaller sizes can be faster to generate.

Are keys generated on your server?
No. Generation uses the Web Cryptography API (crypto.subtle) inside your browser tab. Nothing is uploaded unless you use another page that explicitly sends data over the network.

Can I use these keys for HTTPS or production signing?
You can use the mathematical key material in workflows that accept PEM, but production TLS certificates are normally issued by a trusted CA with a CSR—not by pasting a raw key into a server. For signing, follow your library’s requirements (often RSA-PSS vs PKCS#1 v1.5). This page generates RSA-OAEP key pairs for encrypt/decrypt usage in Web Crypto; other tools may re-import the same PEM with different algorithm names.

Why does the PEM say PUBLIC KEY and PRIVATE KEY?
Those labels wrap standard DER encodings: Subject Public Key Info (SPKI) for the public half and PKCS#8 for the private half. That is normal for interoperable PEM. Legacy OpenSSL files sometimes use BEGIN RSA PRIVATE KEY (PKCS#1); you can still paste those into this tool’s fields or upload them when viewing.

How do I copy keys safely?
Use the copy buttons to move keys into a secure vault or configuration that is not committed to git. Avoid sharing private keys in chat or tickets. If a key is exposed, treat it as compromised and generate a new pair.

What does the Upload button do?
It reads a local .pem or text file and fills the public and/or private text areas when it finds recognizable PEM blocks. Use it to inspect keys you already have or to move material between tools without retyping.

Which other tools complement RSA key work?
Use the JWT encoder for signed token experiments, the bcrypt hash generator for password hashing (not RSA), the AES encrypt and decrypt tool for symmetric workflows, the hash generator for digests, and the SSL certificate checker when you need to inspect certificates from a live HTTPS URL—each linked from the Security and Encryption Tools section on the home page.