How Do I Generate an RSA or EC Key Pair in the Browser?
Updated 2026-06-27
To generate an RSA or EC key pair in the browser, open the RSA & EC Key-Pair Generator, choose an algorithm (RSA 2048, RSA 4096, EC P-256, or EC P-384), and click Generate key pair. Within a moment you get a PEM-encoded public key and private key you can copy or download. The whole process uses your browser's built-in Web Crypto API, so the private key is created locally and nothing is uploaded.
Pick the right algorithm
The generator offers four options, and the right one depends on your needs:
- RSA 2048 — the safe default for broad compatibility with older systems and most tooling.
- RSA 4096 — a higher security margin, but generation takes a few seconds because it has to find large random primes.
- EC P-256 — an elliptic-curve key that is much smaller than RSA and generates almost instantly. A great modern default.
- EC P-384 — elliptic-curve with an even stronger security margin, still fast.
Under the hood, RSA keys use RSASSA-PKCS1-v1_5 with SHA-256 and the standard 65537 public exponent, while EC keys use ECDSA on the chosen curve. All four are configured for sign and verify usage.
Generate and read the output
Click Generate key pair. EC keys appear instantly; RSA 4096 shows a short "finding primes" pause. You then see two PEM blocks:
- Public key — exported as SPKI (SubjectPublicKeyInfo) inside a BEGIN PUBLIC KEY envelope. This is safe to share with anyone who needs to verify your signatures.
- Private key — exported as PKCS#8 inside a BEGIN PRIVATE KEY envelope. This is unencrypted, so treat it like a password.
Each block has a Copy button and a Download button that saves public.pem or private.pem to disk. Hit Generate another any time for a fresh pair.
Keep the private key safe
The private key is the sensitive half. Anyone who obtains it can impersonate you or forge signatures, so handle it carefully:
- Store it in a secrets manager or an encrypted vault, never in a public repo or chat.
- Because the PKCS#8 output is unencrypted, encrypt it yourself before storing it if you need protection at rest.
- Share only the public key — that is what others use to verify.
Because the RSA & EC Key-Pair Generator runs entirely client-side, you can even generate keys with your network disconnected to prove nothing is uploaded. There is no account, no server, and no log of the keys you create.
What to use the keys for
These PEM key pairs work well for:
- Signing and verifying data or JSON Web Tokens (JWT).
- Feeding into crypto libraries that expect SPKI/PKCS#8 PEM.
- Generating certificate signing requests or development credentials.
If you are working with shared-secret signatures instead of public/private keys — for example signing API requests or webhooks with a secret string — pair this with the HMAC Generator, which computes SHA-based message authentication codes in the browser too.
Why generate keys locally?
Many online key generators send your request to a server, which means you have to trust that the operator never logs your private key. ToolsDeck avoids that risk entirely: the RSA & EC Key-Pair Generator uses the same hardened Web Crypto API your browser already uses for HTTPS, and the private key never leaves your machine. That makes it a fast, private way to spin up key pairs for testing, development, or production setup.