Generate an RSA or EC key pair in your browser and export the PEM private key (PKCS#8) and public key (SPKI) — runs fully locally, the private key never leaves your browser
Before issuing a certificate, configuring SSH, signing a JWT or encrypting data, the first step is usually generating a key pair. This tool uses WebCrypto in your browser to generate an RSA (2048 / 3072 / 4096-bit) or EC (P-256 / P-384 / P-521 curve) key pair and exports the private key as PKCS#8 and the public key as SPKI PEM — no need to memorize a long openssl genpkey command.
The whole process runs entirely client-side: the private key is generated by the browser on your device, never leaves your machine and makes no network request, which you can verify in your browser's Network panel. The resulting PEM can be read directly by standard tools such as openssl pkey and ssh-keygen.
No. The key pair is generated in your browser with the Web Crypto API. The private key never leaves your device and no network request is made — you can confirm this in your browser's Network panel.
EC (elliptic curve) keys are shorter and faster, and at equivalent security P-256 is roughly comparable to RSA 3072. EC is recommended for new systems; choose RSA 2048 or higher only if you need to support legacy systems that accept RSA only.
The private key is PKCS#8 PEM (-----BEGIN PRIVATE KEY-----) and the public key is SPKI PEM (-----BEGIN PUBLIC KEY-----). Both are standard cross-tool formats that openssl, Node.js crypto and others can parse directly.
You can generate the underlying key pair, but SSH uses the OpenSSH private-key and public-key-line formats by default. Use ssh-keygen -p -f or ssh-keygen -i to convert between the PEM exported here and the OpenSSH format.