Public/Private Keypair Generator - RSA & EC Keys Online
Generate RSA or Elliptic Curve (ECDSA, ECDH) public/private keypairs in your browser using the Web Crypto API. Export as PEM or JWK. Keys never leave your device.
🔒 Keys are generated locally using the browser's Web Crypto API. Nothing is sent to any server.
Elliptic Curve signing using NIST P-256 (secp256r1). 256-bit key.
Key size recommendations
Minimum secure key sizes according to current NIST SP 800-131A guidance (through 2030+):
- RSA: minimum 2048 bits; prefer 3072 or 4096 bits for long-lived keys
- ECDSA / ECDH P-256: equivalent to RSA-3072 security; widely supported
- ECDSA / ECDH P-384: equivalent to RSA-7680 security; used in high-security government applications
1024-bit RSA is no longer considered secure and must not be used for new keys.
Common use cases
| Use case | Recommended algorithm |
|---|---|
| SSH server / client authentication | ECDSA P-256 or RSA-4096 |
| TLS certificate private key | ECDSA P-256 (preferred) or RSA-2048+ |
| JWT signing (RS256) | RSA-2048 minimum; RSA-PSS preferred |
| JWT signing (ES256) | ECDSA P-256 |
| PGP / GPG email encryption | RSA-4096 or Ed25519 (modern) |
| Document signing | RSA-PSS or ECDSA P-256 |
What is a public/private keypair?
Asymmetric cryptography uses a pair of mathematically related keys: a public key you can freely share, and a private key you keep secret. Data encrypted with the public key can only be decrypted with the private key, and data signed with the private key can be verified with the public key.
Algorithms available
| Algorithm | Purpose | Key size |
|---|---|---|
| RSA-OAEP | Encryption / key wrapping | 2048 or 4096 bits |
| RSASSA-PKCS1-v1_5 | Digital signatures (legacy) | 2048 bits |
| RSA-PSS | Digital signatures (modern) | 2048 bits |
| ECDSA P-256 / P-384 | Digital signatures | 256 / 384 bits |
| ECDH P-256 / P-384 | Key agreement / exchange | 256 / 384 bits |
Export formats
- PEM: Privacy Enhanced Mail, a Base64-encoded DER structure wrapped in -----BEGIN … KEY----- headers. This is the most common format for OpenSSL, Node.js, nginx, and most TLS tools.
- JWK: JSON Web Key, a JSON representation defined in RFC 7517. Used by JWT libraries, JWKS endpoints, and the Web Crypto API natively.
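The generate-then-export flow described on this page, as an added example (not this tool's own source): it creates an ECDSA P-256 keypair with the Web Crypto API, exports it as PEM (SPKI / PKCS#8) and as JWK, then verifies a signature with the public key re-imported from its PEM. The helper names `derToPem`, `pemToDer`, `generateAndExport` and `roundTrip` are hypothetical.

```javascript
// Added example, not the generator's own code. Helper names are hypothetical.
// Web Crypto is global in browsers (secure contexts) and recent Node.js;
// the require() fallback only runs on older Node.js versions.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// Wrap DER bytes in PEM armor: Base64 body split into 64-character lines.
function derToPem(der, label) {
  const b64 = btoa(String.fromCharCode(...new Uint8Array(der)));
  const body = b64.match(/.{1,64}/g).join("\n");
  return `-----BEGIN ${label}-----\n${body}\n-----END ${label}-----\n`;
}

// Strip the armor lines and decode the Base64 body back to DER bytes.
function pemToDer(pem) {
  const b64 = pem.replace(/-----[A-Z ]+-----/g, "").replace(/\s+/g, "");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

async function generateAndExport() {
  const alg = { name: "ECDSA", namedCurve: "P-256" };
  // extractable = true is required, otherwise exportKey() rejects.
  const { publicKey, privateKey } = await subtle.generateKey(alg, true, ["sign", "verify"]);
  return {
    privateKey,
    publicPem: derToPem(await subtle.exportKey("spki", publicKey), "PUBLIC KEY"),
    privatePem: derToPem(await subtle.exportKey("pkcs8", privateKey), "PRIVATE KEY"),
    publicJwk: await subtle.exportKey("jwk", publicKey),   // kty, crv, x, y only
    privateJwk: await subtle.exportKey("jwk", privateKey), // also carries secret "d"
  };
}

// Sign with the private key, verify with the public key re-imported from PEM.
async function roundTrip(message) {
  const keys = await generateAndExport();
  const enc = new TextEncoder();
  const sigAlg = { name: "ECDSA", hash: "SHA-256" };
  const signature = await subtle.sign(sigAlg, keys.privateKey, enc.encode(message));
  // Re-import as non-extractable and verify-only: all a relying party needs.
  const imported = await subtle.importKey("spki", pemToDer(keys.publicPem),
    { name: "ECDSA", namedCurve: "P-256" }, false, ["verify"]);
  const valid = await subtle.verify(sigAlg, imported, signature, enc.encode(message));
  const tampered = await subtle.verify(sigAlg, imported, signature, enc.encode(message + "!"));
  return { keys, valid, tampered, signatureBytes: signature.byteLength };
}
```

Only `publicPem` and `publicJwk` are safe to publish; a JWK that contains a `d` member is a private key and must not be served from a JWKS endpoint.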
RSA vs Elliptic Curve
| Feature | RSA | EC |
|---|---|---|
| Key size for ~128-bit security | 3072 bits | 256 bits |
| Signature size | Large (256–512 bytes) | Small (64–96 bytes) |
| Generation speed | Slower | Fast |
| Legacy compatibility | Very wide | Good (P-256 universal) |
Security notes
- Keys are generated in your browser using the Web Crypto API: they never leave your device.
- Store your private key in a secure location (password manager, HSM, or encrypted vault).
- Never embed unencrypted private keys in source code or environment files committed to version control.
- For production certificates, prefer a proper CA (e.g. Let's Encrypt) or your organisation's PKI.