RSA Key Pair Generator: Create RSA Public and Private Keys Online

What Is RSA and How Does Asymmetric Cryptography Work?

RSA (Rivest–Shamir–Adleman, named after its inventors) is a public-key cryptosystem introduced in 1977 that remains widely used today. Unlike symmetric encryption, which uses the same key to encrypt and decrypt, RSA uses a mathematically linked key pair: a public key and a private key. The security of the pair rests on the integer factorization problem — multiplying two large primes is easy, but factoring the product back into its primes is computationally infeasible for sufficiently large numbers.

Key generation involves selecting two large prime numbers, computing their product (the RSA modulus), and deriving the public and private exponents from it. The public key (modulus + public exponent) can be distributed to anyone. The private key (modulus + private exponent) must remain secret. Anyone can encrypt with the public key, but only the private key holder can decrypt. Conversely, a signature created with the private key can be verified by anyone with the public key — this provides authentication and non-repudiation.

RSA key sizes are measured in bits, referring to the size of the modulus. 2048-bit RSA is currently considered secure and is the minimum recommended by NIST through 2030. 4096-bit provides a larger safety margin at the cost of slower operations. For most applications, 2048-bit is sufficient; 4096-bit is appropriate for certificate authorities, long-lived keys, or high-value secrets.

How to Use This Tool

Generating an RSA key pair takes a few seconds, as the operation involves large prime number generation.

1. 1

   Select key size

   Choose between 2048-bit (faster, suitable for most uses) and 4096-bit (stronger, recommended for long-lived keys, CAs, and high-security applications). Key generation is slower for 4096-bit — typically 1–3 seconds in a browser.

2. 2

   Click Generate Key Pair

   Press the Generate button. The Web Crypto API will perform the prime selection and modulus computation. A progress indicator shows while generation is in progress.

3. 3

   Review the output

   Both keys are displayed in PEM format. The public key starts with '-----BEGIN PUBLIC KEY-----' and the private key starts with '-----BEGIN PRIVATE KEY-----'. These are the standard PKCS#8 / SubjectPublicKeyInfo formats.

4. 4

   Copy or download each key

   Use the Copy button for each key to copy it to the clipboard, or use the Download button to save each key as a .pem file. Always keep the private key separate from the public key in storage.

5. 5

   Secure your private key immediately

   The moment you have the private key, protect it: restrict file permissions (chmod 600 on Linux/Mac), consider encrypting it with a passphrase, and store it in a secure location such as a hardware security module or secrets manager.

Common Use Cases

RSA key pairs are fundamental to many security systems.

• SSH authentication: add the public key to a server's authorized_keys file and keep the private key on your local machine to authenticate without a password.
• TLS/SSL certificates: RSA key pairs are used during TLS certificate generation; the public key is embedded in the certificate, and the private key signs the TLS handshake.
• Code signing: software vendors sign their releases with a private key, allowing users to verify the signature with the public key to confirm the software is authentic and unmodified.
• JWT RS256/RS512: JSON Web Tokens can be signed with an RSA private key and verified with the corresponding public key, enabling stateless authentication across distributed systems.
• PGP/GPG email encryption: RSA key pairs enable encrypted email where the sender encrypts with the recipient's public key and only the recipient's private key can decrypt it.

Tips and Best Practices

Proper key management is as important as proper key generation.

• Never share or transmit your private key. The private key must remain exclusively in your control. If you need to use it on a server, transfer it via an encrypted channel and restrict its file permissions immediately.
• Use a passphrase to encrypt your private key file. This adds a layer of protection if the key file is accessed by an unauthorized party — they would still need the passphrase to use it.
• Rotate RSA keys annually for long-lived applications, and immediately if you suspect compromise. Plan your systems to support key rotation with minimal service disruption.
• Prefer 4096-bit keys for certificate authority keys and other long-lived, high-trust keys. For short-lived session keys and everyday authentication, 2048-bit is sufficient.
• Consider using ECDSA (elliptic curve) keys as an alternative to RSA — they are significantly smaller and faster while providing equivalent or better security. Ed25519 keys, for example, are 256 bits and considered more secure than 2048-bit RSA for most purposes.

Security Considerations

RSA key generation in this tool uses the Web Crypto API's `generateKey()` function, which relies on the operating system's CSPRNG for prime selection. The private key is never exported off your device — it is generated entirely in browser memory and displayed only for you to copy or download.

The biggest risk when generating keys in a browser is the local environment: browser extensions with broad permissions, screen recording software, or malware could potentially capture the key. For highly sensitive production keys (certificate authority keys, master signing keys), generate them on an air-gapped machine using `openssl genrsa` and transfer via a secure medium. This tool is ideal for development, testing, and low-to-medium sensitivity production use cases.

Frequently Asked Questions