Home/Security Tools/Public/private key generator

Key pairs (RSA / EC)

Public and Private Key Generator

Runs in your browser using WebCrypto — no network requests.

Local only Key pair

Options

Choose a key type that matches how you’ll use it (signing vs encryption).

PurposeEC
CurveP-256 default

Quick mapping

  • ECDSA P-256 → common for JWT ES256.
  • ECDH is for deriving shared secrets (not signing).
Exportformat
FingerprintSHA-256 (public)
Tip: share public keys; keep private keys secret.

Output

Generate keys, then copy or download.

Public key fingerprint (SHA-256)

Private key (PEM / PKCS#8)

Public key (PEM)

What you’re generating

A public key can be shared to verify signatures or encrypt data to you. A private key must stay secret — it can sign or decrypt.

PEM vs JWK

  • PEM is common for servers, CLIs, TLS, and OpenSSL workflows.
  • JWK is common for JSON APIs (OAuth/OIDC, JWT key sets).
  • For OIDC discovery, you typically publish public JWKs only.

Safety notes

  • Prefer generating keys on a secure machine for production use.
  • Store private keys in a secret manager / HSM when possible.
  • Rotate keys and keep old public keys available during rollout.

How it works

Uses WebCrypto to generate RSA or EC key pairs in your browser, exports as PEM or JWK, and derives a SHA-256 fingerprint of the public key for quick verification.

  • RSA-PSS/RSASSA for signing, RSA-OAEP for encryption; EC supports ECDSA and ECDH.
  • Private keys stay local; download or copy them securely before leaving the page.

Quick examples

ECDSA P-256
Format: PEM, include private/public
Fingerprint shown for SPKI
RSA-OAEP 3072
Format: JWK, public only
Usages: encrypt/wrapKey

Choose JWK for OAuth/JWKS, PEM for CLI/server configs.

Mini FAQ

Why no passphrase on PEM?

Encrypt the private key externally (OpenSSL or a vault) if needed.

Which curve should I pick?

P-256 is widely supported; P-384/P-521 offer bigger keys.

Can I import an existing key?

This page only generates; use your platform tools to import.