SSL key generator

Generate RSA and ECDSA key pairs in PEM, JWK or DER — entirely in your browser, never uploaded.

What this SSL key generator does

Every HTTPS website, signed JWT and TLS handshake rests on a single mathematical idea: a pair of keys that belong together. This tool creates that pair on the spot using your browser’s built-in window.crypto.subtle.generateKey(), the same vetted cryptographic implementation that powers the rest of the web platform. You pick an algorithm and an output format, click once, and get a matching public key (safe to share) and private key (kept secret), ready to paste into a server config or to build a CSR from.

With RSA, the public key encrypts data and verifies signatures, while the private key decrypts and signs; ECDSA keys are used only to sign and verify. Because the two keys are linked by a one-way mathematical relationship, you can hand out the public half freely without ever exposing the private half. That asymmetry is what lets a stranger’s browser trust your server without you sharing a secret in advance.

A worked example

Suppose you are setting up TLS on a modern Nginx box. Choose ECDSA with the P-256 curve and PEM output, then generate. You’ll get a short private key wrapped in -----BEGIN PRIVATE KEY-----. Save it as private.pem, build a CSR with openssl req -new -key private.pem -out request.csr, and submit that CSR to a Certificate Authority such as Let’s Encrypt. The CA signs it and returns your certificate — your private key never leaves your machine at any step.
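The flow above in code, as an added example that is not the tool's own source: it generates an ECDSA P-256 pair with the Web Crypto API, exports it as PEM and JWK, and checks that a private and a public PEM file really belong together. The function names (generateEcdsaPair, pemPairMatches, derToPem, pemToDer) are assumptions chosen for illustration.

```javascript
// Added example, not the tool's source. Function names are illustrative.
const webcrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const subtle = webcrypto.subtle;

// Wrap DER bytes in PEM armor: Base64 text, 64 characters per line.
function derToPem(der, label) {
  let bin = '';
  for (const b of new Uint8Array(der)) bin += String.fromCharCode(b);
  const b64 = btoa(bin).match(/.{1,64}/g).join('\n');
  return `-----BEGIN ${label}-----\n${b64}\n-----END ${label}-----\n`;
}

// Reverse of derToPem: strip the armor and decode back to raw DER bytes.
function pemToDer(pem) {
  const b64 = pem.replace(/-----[^-]+-----/g, '').replace(/\s+/g, '');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

async function generateEcdsaPair() {
  // extractable=true is required, otherwise the private key cannot be exported.
  const pair = await subtle.generateKey(
    { name: 'ECDSA', namedCurve: 'P-256' }, true, ['sign', 'verify']);
  const pkcs8 = await subtle.exportKey('pkcs8', pair.privateKey); // DER bytes
  const spki = await subtle.exportKey('spki', pair.publicKey);    // DER bytes
  return {
    privatePem: derToPem(pkcs8, 'PRIVATE KEY'),
    publicPem: derToPem(spki, 'PUBLIC KEY'),
    publicJwk: await subtle.exportKey('jwk', pair.publicKey),
  };
}

// Re-import both PEM files and confirm they are two halves of one pair:
// a signature made with the private key must verify under the public key.
async function pemPairMatches(privatePem, publicPem) {
  const alg = { name: 'ECDSA', namedCurve: 'P-256' };
  const priv = await subtle.importKey('pkcs8', pemToDer(privatePem), alg, false, ['sign']);
  const pub = await subtle.importKey('spki', pemToDer(publicPem), alg, false, ['verify']);
  const msg = new TextEncoder().encode('pair check');
  const sigAlg = { name: 'ECDSA', hash: 'SHA-256' };
  const sig = await subtle.sign(sigAlg, priv, msg);
  return subtle.verify(sigAlg, pub, sig, msg);
}
```

The re-imported keys are marked non-extractable, so the check can sign and verify with them but cannot export the private key again.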

Choosing an algorithm and size

| Choice | Best for | Trade-off |
| --- | --- | --- |
| ECDSA P-256 | New servers, APIs, mobile | Tiny, fast; needs a modern client |
| ECDSA P-384 / P-521 | High-security or long-lived keys | Slightly slower handshakes |
| RSA 2048 | Broad compatibility, the default | Larger keys than ECDSA |
| RSA 4096 | Legacy systems needing extra margin | Noticeably slower to generate and sign |

A 256-bit elliptic-curve key offers security comparable to a 3072-bit RSA key while being a fraction of the size — which is why ECDSA is the modern default. Reach for RSA only when something in your stack still demands it.

Privacy note: this generator has no backend. Key generation, formatting and downloads all run locally with the Web Crypto API. Your private key is created on your device and exists only in this browser tab until you save or close it — it is never transmitted or stored.

Frequently asked questions

Are the keys really generated in my browser?

Yes. Every key pair is produced by the Web Crypto API (window.crypto.subtle.generateKey), which runs entirely on your own machine. The private key never touches the network, our servers, or any log. Close the tab and it is gone for good.

Should I choose RSA or ECDSA?

Pick ECDSA (P-256) for new systems — it is fast, compact, and supported by every modern client. Choose RSA (2048 or 4096) only when you need compatibility with older devices, legacy load balancers, or software that does not yet accept elliptic-curve keys.

What is the difference between PEM, DER and JWK?

PEM is the familiar Base64 text wrapped in -----BEGIN…----- headers used by Nginx, Apache and OpenSSL. DER is the same data in raw binary, common on Windows and Java. JWK is a JSON representation used by web apps, OAuth and OpenID Connect.

Can I use this key directly to get an SSL certificate?

Not directly. A Certificate Authority signs a Certificate Signing Request (CSR), which bundles your public key with your domain details. Generate the key here, then build a CSR with OpenSSL or your hosting panel and submit that to a CA such as Let’s Encrypt.

Why can I only copy PEM and JWK, not DER?

DER is binary, so it cannot be represented faithfully as text in a copy box. For DER, use the Save button to download the raw .der file, which preserves every byte exactly.

Is RSA-2048 still secure in 2026?

Yes. RSA-2048 remains safe for general use and is the default for most certificates. For long-lived keys or high-value systems, 3072 or 4096 bits adds margin, at the cost of slower generation and signing.