Key pairs (RSA / EC)
Public and Private Key Generator
Runs in your browser using WebCrypto — no network requests.
Options
Choose a key type that matches how you’ll use it (signing vs encryption).
Quick mapping
- ECDSA P-256 → common for JWT ES256.
- ECDH is for deriving shared secrets (not signing).
Output
Generate keys, then copy or download.
Public key fingerprint (SHA-256)
—
Private key (PEM / PKCS#8)
—Public key (PEM)
—What you’re generating
A public key can be shared to verify signatures or encrypt data to you. A private key must stay secret — it can sign or decrypt.
PEM vs JWK
- PEM is common for servers, CLIs, TLS, and OpenSSL workflows.
- JWK is common for JSON APIs (OAuth/OIDC, JWT key sets).
- For OIDC discovery, you typically publish public JWKs only.
Safety notes
- Prefer generating keys on a secure machine for production use.
- Store private keys in a secret manager / HSM when possible.
- Rotate keys and keep old public keys available during rollout.
How it works
Uses WebCrypto to generate RSA or EC key pairs in your browser, exports as PEM or JWK, and derives a SHA-256 fingerprint of the public key for quick verification.
- RSA-PSS/RSASSA for signing, RSA-OAEP for encryption; EC supports ECDSA and ECDH.
- Private keys stay local; download or copy them securely before leaving the page.
Quick examples
Choose JWK for OAuth/JWKS, PEM for CLI/server configs.
Mini FAQ
Why no passphrase on PEM?
Encrypt the private key externally (OpenSSL or a vault) if needed.
Which curve should I pick?
P-256 is widely supported; P-384/P-521 offer bigger keys.
Can I import an existing key?
This page only generates; use your platform tools to import.
Related tools