RSA Key Generator

Generate RSA public/private key pairs in PEM format using the Web Crypto API

Public Key Crypto Without the Command Line

You need an RSA key pair for testing JWT RS256 signatures. Or you’re setting up API authentication where the client signs requests with a private key and the server verifies with the public key. Or you’re building a TLS-related feature and need test certificates. Normally you’d fire up a terminal and run openssl genrsa, but maybe you’re on a machine without OpenSSL, or you just want something faster.

This tool generates RSA-OAEP key pairs in 2048 or 4096 bits, exported as PEM-formatted text (SPKI for public keys, PKCS#8 for private keys). The output works directly with OpenSSL, Node.js crypto, Python’s cryptography library, Java’s KeyFactory, and every other standard crypto library.

The critical part: key generation happens entirely in your browser through the Web Crypto API. Your private key never hits a network connection. Server-based key generators are a trust problem — you’re asking someone else’s machine to generate your secret key. This tool eliminates that.

2048 vs. 4096 Bits

2048-bit RSA is NIST’s current minimum recommendation. It’s considered secure through at least 2030. Key generation is nearly instant, and encryption/decryption operations are fast.

4096-bit RSA doubles the key size, which roughly quadruples the computational cost per operation. It’s slower to generate (you might notice a brief pause) and slower to use. But it provides a significantly larger security margin, especially if your keys need to protect data that’ll still be sensitive 10+ years from now.

For test and development keys, 2048 is fine. For production keys protecting sensitive data long-term, go with 4096.

What Comes Out

The output looks like standard PEM blocks:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...
-----END PUBLIC KEY-----

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASC...
-----END PRIVATE KEY-----

Share the public key freely. Guard the private key like a password. Anyone with your private key can decrypt your data, forge your signatures, and impersonate you cryptographically.

Real Development Scenarios

JWT RS256 testing. Your auth service signs tokens with a private key and your API verifies them with the public key. Generate a pair here, configure both sides, and test the flow end-to-end. Use the JWT Decoder to inspect the resulting tokens.

Client certificate authentication. Some APIs require client certificates instead of API keys. You’ll need an RSA key pair as the starting point for generating a certificate signing request (CSR).

Encryption prototyping. You’re building a feature where users encrypt messages with a recipient’s public key. Generate test keys to develop against before integrating with a real key management system.

SSH access in a pinch. If you don’t have ssh-keygen available, this gets you a PEM key pair. Note that SSH uses a different format (OpenSSH), so you may need to convert with ssh-keygen -i -m PKCS8 or similar.

RSA vs. AES: Different Tools for Different Jobs

RSA is asymmetric — two keys, one public and one private. It’s great for key exchange, digital signatures, and encrypting small amounts of data (like an AES key). But it’s slow and has a message-size limit tied to the key size.

AES is symmetric — one shared key. It’s fast and encrypts data of any size. But both parties need the same key, which creates a key distribution problem.

In practice, most systems combine both: RSA encrypts an AES session key, then AES encrypts the actual data. This is how TLS works.

For symmetric encryption, use the AES Encrypt / Decrypt tool on Toolsvu. For random tokens and API keys that don’t need public-key crypto, the Random Token Generator is simpler.
