Skip to content
DevKit Labs

RSA Key Pair Generator — Public & Private Keys

Generate a 2048, 3072 or 4096-bit RSA public/private key pair in PEM format — entirely in your browser.

RSASSA-PKCS1-v1_5 · SHA-256 · runs entirely in your browser

About RSA Key Pair Generator — Public & Private Keys

Generate an RSA public/private key pair in seconds. Pick a key size — 2048 bits is the common default, with 3072 and 4096 for higher security — and the tool produces a matching public key (SPKI / X.509) and private key (PKCS#8), both in PEM format ready to copy or download as .pem files.

Keys are generated with your browser's built-in Web Crypto API, which is fast and cryptographically secure. Nothing is sent to a server and the private key is never uploaded — it exists only in your browser tab and disappears when you close it. That makes this safe for real keys, unlike tools that generate keys on a remote server.

RSA key pairs are used everywhere: signing JWTs with RS256, SSH access, TLS certificates, PGP, and asymmetric encryption where the public key encrypts and only the private key can decrypt. Keep the private key secret and share only the public key.

What you get

Input
Choose 2048 bits → Generate
Output
-----BEGIN PUBLIC KEY-----
… (SPKI) …
-----END PUBLIC KEY-----

-----BEGIN PRIVATE KEY-----
… (PKCS#8) …
-----END PRIVATE KEY-----

Both keys are PEM-encoded; download each with one click.

Frequently asked questions

Are the keys generated on a server?

No. Keys are generated locally with the Web Crypto API and never leave your browser, so it's safe to use for real keys. Nothing is uploaded or stored.

What key size should I choose?

2048-bit is the widely accepted minimum and default. Use 3072 or 4096-bit for longer-term or higher-assurance keys — they're more secure but slower to generate and use.

What format are the keys in?

The public key is SPKI (X.509 SubjectPublicKeyInfo) and the private key is PKCS#8, both PEM-encoded (base64 between BEGIN/END lines). This is what most libraries and JWT signers expect.

Can I use these to sign a JWT?

Yes. Paste the PKCS#8 private key into the JWT Builder and choose RS256. The matching public key verifies the signature.

Is RSA still secure?

Yes, with adequate key sizes (2048-bit or larger). For new systems, elliptic-curve keys (Ed25519/ECDSA) are smaller and faster, but RSA remains widely supported and secure.

Related tools

References