Create real asymmetric key pairs with the WebCrypto API and export them as PEM or JWK. Everything runs client-side — your private key never leaves this tab.
This tool is a thin, transparent wrapper over the browser’s native WebCrypto implementation. When you click Generate, it calls crypto.subtle.generateKey(algorithm, true, keyUsages). For RSA algorithms the parameters are {name, modulusLength, publicExponent: 65537, hash}; the public exponent is fixed at the standard value 0x010001. For elliptic-curve algorithms the parameter is simply {name, namedCurve} over P-256, P-384 or P-521.
Export happens in two shapes. Calling exportKey("spki", publicKey) and exportKey("pkcs8", privateKey) returns raw DER-encoded ArrayBuffers: SubjectPublicKeyInfo for the public half and PKCS#8 PrivateKeyInfo for the private half. To produce PEM the tool Base64-encodes those DER bytes, folds the text at 64 characters per line, and wraps it in the correct armor — -----BEGIN PUBLIC KEY----- and -----BEGIN PRIVATE KEY-----. Choosing the JWK tab instead calls exportKey("jwk", …), giving you the JSON Web Key form used directly by JWT libraries, with fields like n/e for RSA or crv/x/y/d for EC.
Security-wise, P-256 delivers roughly 128-bit security, comparable to RSA-3072, while P-521 approaches 256-bit strength — which is why EC keys are dramatically smaller than an equivalent RSA modulus. Use RSA-2048 or P-256 for general JWT and TLS work, and step up to 4096 or P-384/521 only when a policy or long-lived root demands it. Because the private key is marked extractable and never transmitted, you remain the only party who ever sees it. Paste the PEM into OpenSSH, an X.509 signing request, or a JWT signer with confidence.