Handy Dev Tools
Simple online tools for everyday tasks.

No favorites

    Base64 Encoder/Decoder
    Markdown to HTML
    HTML to Markdown
    URL Encoder/Decoder
    Unicode Escape Converter
    Unicode Encode/Decode
    SQL Formatter
    SQL Splitter
    JSON Formatter
    XML Formatter
    YAML Formatter
    GraphQL Formatter
    JSON to YAML Conversion
    YAML to JSON Conversion
    JSON to TOML Conversion
    TOML to JSON Conversion
    HTML Entity Encode/Decode
    TOML to YAML Conversion
    YAML to TOML Conversion
    CSV to SQL INSERT Conversion
    Markdown Table Generator
    JSON to XML Conversion
    XML to JSON Conversion
    UUID Generator
    ULID Generator
    Password Generator
    Hash Generator
    Lorem Ipsum Generator
    Lorem Picsum Image URL Generator
    Test Data Generator Tool
    QR Code Generator
    S3 Path Parser & Converter
    IP Address Calculator
    Subnet Split
    Subnet Consolidation
    CloudFront Signed URL Generator
    RDS Connection String Generator
    Coordinate Format Converter
    Geo Format Converter
    JWT Decoder & Parser
    Basic Auth
    Password Strength Analyzer
    Credit Card Validator
    RSA Key Pair Generator
    Case Conversion
    Romaji Conversion
    Roman Numeral Conversion
    Phonetic Code Conversion
    Character Counter
    Text Diff
    HTML Tag Remover
    Regex Tester
    Color Conversion
    Dice Roll
    Crontab generator
    Crontab parser
    Emoji Picker
    Unix Timestamp Converter
    HTTP Status Code Search
    Port Number Search
    MIME Type Lookup
    Base64 File Converter
    Image Base64 Encode/Decode
    User-Agent Parser
    URL Parser
    OGP Checker
    Commit Message Generator
    Chmod Calculator
    Terminal GIF Generator
    .env Parser & Validator
Ctrl+K

RSA Key Pair Generator

Generate RSA public and private key pairs instantly in your browser. Supports 512–8192 bit key lengths, PEM format (PKCS#8 / X.509). Compatible with OpenSSL, SSH, JWT, and SSL/TLS. No login required. Keys never leave your browser.

Default: 2048 bits

Generating key pair...

PEM Key Validation

Paste a PEM public/private key and verify whether it is valid.

How to use

About this tool

Generate RSA public and private key pairs instantly in your browser. A 2048-bit key pair is created when you open the page; change length (512–8192 bits, multiple of 8) and regenerate anytime. Keys are PEM (PKCS#8 private, X.509 SPKI public), with copy and download. Works with OpenSSL, SSH, JWT, and SSL/TLS. No login required — keys never leave your browser.

How to use

1. When you open the page, a key pair is automatically generated with the default (2048 bits), and the public and private keys are displayed. 2. To change key length: Enter a value that is a multiple of 8 between 512 and 8192 bits in the key length field, then click "Generate". 3. To generate a new key pair with the same key length: Click the "Regenerate" button. 4. Copy keys: Click the copy button in each key's display area to copy to the clipboard. 5. Download keys: Click the download button in each key's display area to download as a PEM file (public key: public_key.pem, private key: private_key.pem).

Options

Key length: Must be between 512 and 8192 bits and a multiple of 8. Default is 2048 bits. Use the up/down buttons in the number input to increment/decrement by 8. Invalid values (out of range or not a multiple of 8) show an error message and disable the "Generate" and "Regenerate" buttons.

Use cases

• Generating key pairs for SSH connections (public key authentication setup) • Creating private keys for SSL/TLS certificates • Generating key pairs for JWT signing • Creating key pairs for encrypted communication • Temporary key pair generation for development and testing • Generating key pairs for code signing

Code Examples

JavaScript (Web Crypto API)
Read Only
1// Generate key pair
2const keyPair = await window.crypto.subtle.generateKey(
3  {
4    name: 'RSA-OAEP',
5    modulusLength: 2048,
6    publicExponent: new Uint8Array([1, 0, 1]), // 65537
7    hash: 'SHA-256',
8  },
9  true, // extractable
10  ['encrypt', 'decrypt']
11);
Python (cryptography)
Read Only
1from cryptography.hazmat.primitives.asymmetric import rsa
2from cryptography.hazmat.primitives import serialization
3
4# Generate key pair
5private_key = rsa.generate_private_key(
6    public_exponent=65537,
7    key_size=2048
8)
9public_key = private_key.public_key()
10
11# Export in PEM format
12private_pem = private_key.private_bytes(
13    encoding=serialization.Encoding.PEM,
14    format=serialization.PrivateFormat.PKCS8,
15    encryption_algorithm=serialization.NoEncryption()
16)
17public_pem = public_key.public_bytes(
18    encoding=serialization.Encoding.PEM,
19    format=serialization.PublicFormat.SubjectPublicKeyInfo
20)
OpenSSL (basics)
Read Only
1# Generate 2048-bit RSA private key
2openssl genrsa -out private_key.pem 2048
3
4# Extract public key
5openssl rsa -in private_key.pem -pubout -out public_key.pem
OpenSSL & ssh-keygen (SSH, CSR, validation)
Read Only
1# PEM → OpenSSH public key conversion
2ssh-keygen -f public_key.pem -i -m PKCS8
3
4# Fingerprint / integrity check
5openssl rsa -in private_key.pem -check
6
7# Create CSR from private key
8openssl req -new -key private_key.pem -out csr.pem

How it works

RSA key pair generation prioritizes the Web Crypto API. If Web Crypto API is unavailable or PEM conversion fails, it falls back to the node-forge library. Keys are PEM: private keys in PKCS#8 (-----BEGIN PRIVATE KEY-----), public keys as X.509 SubjectPublicKeyInfo (-----BEGIN PUBLIC KEY-----). Larger key lengths take longer to generate, but a 2048-bit key pair typically completes within 5 seconds. All processing is done in the browser; keys are never sent to any server.

Privacy and data

All key generation is done in the browser; generated public and private keys are never sent to any server. Keys exist only in browser memory and are not automatically saved. Private keys are sensitive — manage them carefully and clear them from memory (e.g., close the browser) when done. Do not paste private keys into FAQ answers, chat, or source code. For production, prefer generating keys in a secure, isolated environment when possible.

FAQ

Q: What key length should I use?
A: 2048 bits is the current standard for most use cases. Use 4096 bits for higher security requirements such as long-lived certificates. Key lengths below 1024 bits are considered insecure and should be avoided.
Q: Is this tool safe to use for production keys?
A: This tool uses the browser's built-in Web Crypto API for key generation, which is cryptographically secure. However, for production environments, we recommend generating keys in a secure, isolated environment.
Q: What format are the generated keys in?
A: Keys are PEM text: the private key is PKCS#8 (-----BEGIN PRIVATE KEY-----) and the public key is X.509 SubjectPublicKeyInfo / SPKI (-----BEGIN PUBLIC KEY-----). This is compatible with OpenSSL, SSH, JWT libraries, and most major platforms.
Q: What is the difference between PKCS#1 and PKCS#8?
A: PKCS#1 describes RSA-specific key structures (legacy files sometimes show -----BEGIN RSA PRIVATE KEY-----). PKCS#8 is an algorithm-independent wrapper for private keys; this tool exports PKCS#8 PEM for the private key. Your public key PEM uses SubjectPublicKeyInfo (X.509 / SPKI), not PKCS#1's RSAPublicKey layout. OpenSSL and most libraries accept these formats interchangeably for typical tasks.
Q: Are my keys sent to any server?
A: No. All key generation is performed entirely in your browser. Keys are never transmitted to any server and exist only in browser memory.
Q: Can I use these keys for SSH authentication?
A: Yes. RSA keys from this page work for SSH public-key authentication once your server trusts the key. OpenSSH often expects a one-line "OpenSSH public key" format in authorized_keys, which may differ from the PEM block shown here — see the next question for conversion.
Q: How do I convert my PEM public key to OpenSSH format for SSH?
A: Save the public key as public_key.pem, then run: ssh-keygen -f public_key.pem -i -m PKCS8 > openssh_public.pub The output file is a single-line OpenSSH public key suitable for authorized_keys. OpenSSH versions differ slightly; if -m PKCS8 is unsupported, check man ssh-keygen on your system.
Q: How do I use this RSA key for JWT signing?
A: Use an RS256 (or other RSA) algorithm with the PKCS#8 private key loaded from a file — never paste the real private key into source code or chat. Node.js example: const fs = require('fs') const jwt = require('jsonwebtoken') const privateKey = fs.readFileSync('private_key.pem', 'utf8') const token = jwt.sign({ sub: 'user-123' }, privateKey, { algorithm: 'RS256', expiresIn: '1h' }) In production, load the key from a secrets manager or secure path, not from the repo.
Q: What is the difference between RSA and Ed25519?
A: RSA (what this tool generates) is widely supported for TLS, JWT, and legacy systems; key sizes are typically 2048+ bits. Ed25519 uses shorter keys and fast EdDSA operations on Curve25519; it is common for SSH and modern APIs but is a different algorithm — you cannot turn an RSA key into Ed25519. Prefer Ed25519 for SSH when your servers support it and policy allows; choose RSA when you need broad compatibility. This generator only creates RSA keys.
Q: How do I create a CSR (Certificate Signing Request) from this private key?
A: Use the downloaded private_key.pem: openssl req -new -key private_key.pem -out csr.pem OpenSSL will prompt for certificate fields (country, CN, etc.). For scripts, add e.g. -subj "/C=US/ST=State/L=City/O=Org/CN=example.com". A CSR requires the private key; you cannot build a CSR from the public key alone.