Is my keypair generated on a server?

No. All key generation runs 100% in your browser using the Web Crypto API. Your private key is never transmitted anywhere.

What is an RSA keypair used for?

RSA keypairs are used for asymmetric encryption and digital signatures. Common uses: JWT signing (RS256), API authentication, encrypting data that only the private key holder can decrypt, and TLS certificate generation.

What is the difference between RSA and EC (elliptic curve) keypairs?

RSA uses large integer factorization for security and requires longer keys (2048-4096 bits). EC uses elliptic curve mathematics and achieves equivalent security with much shorter keys (256-384 bits). EC is faster and produces smaller signatures — preferred for modern applications.

What key format should I use — PEM or JWK?

PEM (Privacy Enhanced Mail) is the traditional format used by OpenSSL, most web servers, and certificate authorities. JWK (JSON Web Key) is the format used by OAuth 2.0, OIDC, and JWT libraries. This tool exports both formats.

What is the difference between signing and encryption keypairs?

A signing keypair uses the private key to sign data and the public key to verify the signature. An encryption keypair uses the public key to encrypt data and the private key to decrypt it. The same RSA key can technically do both, but best practice is to use separate keys for each purpose.

RSA / EC Key Pair Generator

Generate RSA, ECDSA, and Ed25519 key pairs entirely in your browser using Web Crypto. Export to PEM, JWK, and OpenSSH.

Keys generated locally with Web Crypto. Never transmitted, never logged.

Algorithm

ECDSA P-256Recommended

Recommended default. JWT ES256, modern TLS, fast.

ECDSA P-384

Higher-security ECC. JWT ES384, FIPS profiles.

Ed25519

Modern signing for SSH, Sigstore, age. Browser support varies.

RSA-2048

Legacy compatibility. Widest support, smallest of the RSA sizes.

RSA-3072

128-bit-security RSA where ECC is not an option.

RSA-4096Slow

Maximum-strength RSA. Generation runs in a Worker — may take a few seconds.

OpenSSH comment (optional)

EC · Recommended default. JWT ES256, modern TLS, fast. · All modern browsers.

About the RSA/EC Keypair Generator

Asymmetric keypairs are the foundation of modern authentication and encryption — JWT signing, OAuth 2.0, TLS certificates, and API authentication all rely on them. Generating a keypair correctly means choosing the right algorithm, key size, and output format for your use case. This tool generates RSA and EC keypairs in your browser using the Web Crypto API and exports them in PEM and JWK formats.

Algorithm guide

RSA-2048 / RSA-4096

Maximum compatibility. Use for JWT RS256/RS384/RS512 signing, TLS certificates, and systems that don't support EC. 4096-bit for new keys.

EC P-256 / P-384

Modern and efficient. Use for JWT ES256/ES384 signing, ECDH key exchange, and modern TLS. Smaller keys and faster operations than RSA.

PEM Format

Base64-encoded DER with header/footer lines. Used by OpenSSL, Nginx, Apache, and most server-side libraries.

JWK Format

JSON Web Key format used by OAuth 2.0, OIDC, and JWT libraries. Includes key metadata like algorithm and key ID (kid).

Pipeline

SSH Key Generator — generate SSH keys for server authentication.
JWT Decoder — decode JWTs signed with the keys you generate here.

Frequently asked

Is my keypair generated on a server?: No. All key generation runs 100% in your browser using the Web Crypto API. Your private key is never transmitted anywhere.
What is an RSA keypair used for?: RSA keypairs are used for asymmetric encryption and digital signatures. Common uses: JWT signing (RS256), API authentication, encrypting data that only the private key holder can decrypt, and TLS certificate generation.
What is the difference between RSA and EC (elliptic curve) keypairs?: RSA uses large integer factorization for security and requires longer keys (2048-4096 bits). EC uses elliptic curve mathematics and achieves equivalent security with much shorter keys (256-384 bits). EC is faster and produces smaller signatures — preferred for modern applications.
What key format should I use — PEM or JWK?: PEM (Privacy Enhanced Mail) is the traditional format used by OpenSSL, most web servers, and certificate authorities. JWK (JSON Web Key) is the format used by OAuth 2.0, OIDC, and JWT libraries. This tool exports both formats.
What is the difference between signing and encryption keypairs?: A signing keypair uses the private key to sign data and the public key to verify the signature. An encryption keypair uses the public key to encrypt data and the private key to decrypt it. The same RSA key can technically do both, but best practice is to use separate keys for each purpose.