RSA Keypair Generator (2048 / 4096-bit)

Generate an RSA keypair in your browser. Pick a key size (2048 minimum, 3072 recommended for new deployments, 4096 for the paranoid) and get back a PKCS#8 private key and an SPKI public key in PEM-encoded form, ready to drop into your SSL config or JWT signer. Generation uses the browser's native WebCrypto, so the private key never leaves your device.

How to use the RSA Keypair Generator (2048 / 4096-bit)

Pick a key size and intended usage. Click Generate. Public and private keys appear as standard PEM-encoded blocks. The public key uses the SubjectPublicKeyInfo (SPKI) format that OpenSSL, JWT libraries, and TLS servers expect. The private key uses PKCS#8, the modern unified private-key format.

About RSA Keypair Generator (2048 / 4096-bit)

RSA is the oldest widely-deployed public-key cryptosystem, dating to 1977. A keypair consists of a public key (shareable) and a private key (kept secret). What's encrypted with one can only be decrypted with the other. The most common modern uses are TLS certificates (HTTPS), JWT signing (RS256/RS384/RS512), email encryption, and SSH (though Ed25519 is now preferred for SSH).

2048-bit RSA is the minimum considered safe today; 3072 and 4096 add margin against future cryptanalytic advances. The trade-off is speed — 4096-bit signing is ~5x slower than 2048-bit. For most applications, 2048 or 3072 is the right choice. This generator uses RSA-PSS for signing (the modern padding scheme that replaces deprecated PKCS#1 v1.5) or RSA-OAEP for encryption.

All generation runs locally via WebCrypto. The private key is never serialised to the network and never sent to any server. You can verify this in your browser's devtools (the Network tab will be empty when you click Generate).
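The generate-and-export flow described above, written against the standard WebCrypto API as an added example (not this tool's own source). The function names, the SHA-256 hash and the 32-byte PSS salt are assumptions; the key sizes, the PKCS#8/SPKI formats and the RSA-PSS / RSA-OAEP choice follow the page.

```javascript
// Added example (assumed names, SHA-256, saltLength 32). require() is only a fallback for older Node.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

// Wrap DER bytes in a PEM envelope with 64-character base64 lines.
function toPem(der, label) {
  let bin = '';
  for (const b of new Uint8Array(der)) bin += String.fromCharCode(b);
  const b64 = btoa(bin).match(/.{1,64}/g).join('\n');
  return `-----BEGIN ${label}-----\n${b64}\n-----END ${label}-----\n`;
}

// Strip the PEM armor and decode the base64 body back to DER.
function fromPem(pem) {
  const b64 = pem.replace(/-----[^-]+-----/g, '').replace(/\s+/g, '');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// usage: 'sign' -> RSA-PSS, 'encrypt' -> RSA-OAEP (the two schemes the page names).
async function generatePemKeypair(modulusLength = 3072, usage = 'sign') {
  if (![2048, 3072, 4096].includes(modulusLength)) {
    throw new RangeError('modulusLength must be 2048, 3072 or 4096');
  }
  const signing = usage === 'sign';
  const { publicKey, privateKey } = await subtle.generateKey({
    name: signing ? 'RSA-PSS' : 'RSA-OAEP',
    modulusLength,
    publicExponent: new Uint8Array([1, 0, 1]), // 65537
    hash: 'SHA-256',
  }, true, signing ? ['sign', 'verify'] : ['encrypt', 'decrypt']); // true = extractable, required by exportKey()
  return {
    publicKeyPem: toPem(await subtle.exportKey('spki', publicKey), 'PUBLIC KEY'),
    privateKeyPem: toPem(await subtle.exportKey('pkcs8', privateKey), 'PRIVATE KEY'),
  };
}

// Re-import both PEMs as non-extractable keys and prove they match by signing.
async function roundTrip(pems, message = 'constructed sample message') {
  const alg = { name: 'RSA-PSS', hash: 'SHA-256' };
  const pss = { name: 'RSA-PSS', saltLength: 32 };
  const priv = await subtle.importKey('pkcs8', fromPem(pems.privateKeyPem), alg, false, ['sign']);
  const pub = await subtle.importKey('spki', fromPem(pems.publicKeyPem), alg, false, ['verify']);
  const data = new TextEncoder().encode(message);
  const sig = await subtle.sign(pss, priv, data);
  const verified = await subtle.verify(pss, pub, sig, data);
  return { modulusBits: pub.algorithm.modulusLength, signatureBytes: sig.byteLength, verified };
}
```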

Common use cases

  • JWT signing keys — generate RS256 keys for your auth server.
  • TLS dev certificates — feed the private key into a CSR signing flow.
  • Service-to-service auth — public key in a config, private key in a secret.
  • Educational — see what a real PEM looks like, decode it with our PEM/DER converter.

Frequently asked questions

How long does generation take?

2048-bit: ~1 second. 3072-bit: ~3 seconds. 4096-bit: ~10 seconds. WebCrypto runs at native speed but RSA key generation is inherently slow (requires finding large primes).

Is the private key really not sent anywhere?

Confirmed — open the devtools Network tab, click Generate, and watch zero network requests. All key material exists only in your browser's memory.

Why not Ed25519?

For new SSH / signing use cases, Ed25519 is preferred (smaller keys, faster, simpler). Use our Ed25519 generator. RSA remains needed for TLS and legacy JWT support.