GenerateKeyPair()
Generates a cryptographic key pair (public/private) for the specified algorithm.
Requires Extension: Crypto Extension
GenerateKeyPair( algorithm=string, options=struct );
Returns: Struct
| Argument | Description |
|---|---|
| algorithm (string, required) | Algorithm string. For RSA, append key size: RSA (default 2048), RSA-4096. For EC, use curve name: EC (default P-256), P-384, P-521. For EdDSA: Ed25519, Ed448. For post-quantum: Kyber768, Dilithium3. |
| options (struct, optional) | Optional struct with: format (PEM\|DER\|Base64, default PEM) |
Usage Notes
Which key type?
- P-256 (EC) — Best default for most applications. Small keys, fast operations, widely supported. Use for JWT (ES256), TLS, and general-purpose signing.
- RSA-2048 — Use when you need compatibility with older systems, Adobe ColdFusion, or SAML. Larger keys and slower than EC.
- Ed25519 — Modern alternative to EC. Fastest signatures, smallest keys, but less ecosystem support than P-256. Only supports PKCS8 format (no traditional/OpenSSL format).
- Kyber768 — Post-quantum key encapsulation. Use with KyberEncapsulate() for quantum-resistant key exchange.
- Dilithium3 — Post-quantum signatures. Use with GenerateSignature() for quantum-resistant signing.
Output formats:
- PEM / PKCS8 (default) — Standard PEM with -----BEGIN PRIVATE KEY----- headers. Most compatible.
- traditional / OPENSSL — OpenSSL legacy format with algorithm-specific headers (e.g. -----BEGIN RSA PRIVATE KEY-----). Not available for Ed25519.
- Base64 — Raw Base64-encoded key bytes without PEM headers.
- DER — Raw binary key bytes.
Examples
```cfml
// Generate an RSA key pair - default is 2048-bit, PKCS#8 PEM format
keyPair = GenerateKeyPair( "RSA" );
// keyPair.private starts with "-----BEGIN PRIVATE KEY-----"
// keyPair.public starts with "-----BEGIN PUBLIC KEY-----"

// Specify key size explicitly
keyPair = GenerateKeyPair( "RSA-4096" );

// Elliptic curve key pairs - smaller and faster than RSA
keyPair = GenerateKeyPair( "P-256" ); // NIST P-256 (secp256r1)
keyPair = GenerateKeyPair( "P-384" ); // NIST P-384
keyPair = GenerateKeyPair( "P-521" ); // NIST P-521

// Ed25519 - modern, fast, compact signatures
keyPair = GenerateKeyPair( "Ed25519" );

// Output format options
keyPair = GenerateKeyPair( "RSA", { format: "PEM" } ); // PKCS#8 (default)
keyPair = GenerateKeyPair( "RSA", { format: "traditional" } ); // OpenSSL traditional format
// private starts with "-----BEGIN RSA PRIVATE KEY-----"
keyPair = GenerateKeyPair( "P-256", { format: "traditional" } ); // EC traditional
// private starts with "-----BEGIN EC PRIVATE KEY-----"
keyPair = GenerateKeyPair( "RSA", { format: "Base64" } ); // raw Base64 (no PEM headers)
keyPair = GenerateKeyPair( "RSA", { format: "DER" } ); // binary DER format

// Format aliases: PKCS8 = PEM, OPENSSL = traditional
// Note: Ed25519 only supports PKCS8/PEM format (no traditional)
```
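The following is an added example, not code from this page or from the Crypto Extension: a hypothetical wrapper, generateCheckedKeyPair(), that resolves the format aliases, rejects the Ed25519 plus traditional combination before any key is generated, and confirms the private key carries the expected header before it is returned for storage or export. The function name and exception types are this example's own, and the EC header for names other than P-256 is an assumption.

```cfml
// Hypothetical wrapper: the function name, checks and exception types are this example's own.
function generateCheckedKeyPair( required string algorithm, string format = "PEM" ) {
    // Map every format spelling the page lists onto the values used in its examples.
    var formats = {
        "PEM": "PEM", "PKCS8": "PEM",
        "traditional": "traditional", "OPENSSL": "traditional",
        "Base64": "Base64", "DER": "DER"
    };
    var requested = trim( arguments.format );
    if ( !structKeyExists( formats, requested ) ) {
        throw( type = "KeyGen.InvalidFormat", message = "Unknown key format: #requested#" );
    }
    var fmt = formats[ requested ];
    var alg = trim( arguments.algorithm );

    // Documented limitation: Ed25519 is PKCS8 only, so fail before generating anything.
    if ( alg == "Ed25519" && fmt == "traditional" ) {
        throw( type = "KeyGen.InvalidFormat", message = "Ed25519 has no traditional/OpenSSL format" );
    }

    var keyPair = GenerateKeyPair( alg, { format: fmt } );

    // Work out which header the private key should carry, where the page states it.
    var expected = "";
    if ( fmt == "PEM" ) {
        expected = "-----BEGIN PRIVATE KEY-----";
    } else if ( fmt == "traditional" && left( alg, 3 ) == "RSA" ) {
        expected = "-----BEGIN RSA PRIVATE KEY-----";
    } else if ( fmt == "traditional" && listFindNoCase( "EC,P-256,P-384,P-521", alg ) ) {
        // Shown on the page for P-256; assumed to be the same for the other EC names.
        expected = "-----BEGIN EC PRIVATE KEY-----";
    }

    // Fail closed if the encoding is not the one the caller is about to store or export.
    if ( len( expected ) && left( trim( keyPair[ "private" ] ), len( expected ) ) != expected ) {
        throw( type = "KeyGen.UnexpectedEncoding", message = "Private key is not in #fmt# format" );
    }
    if ( fmt == "Base64" && left( keyPair[ "private" ], 5 ) == "-----" ) {
        throw( type = "KeyGen.UnexpectedEncoding", message = "Expected raw Base64 without PEM headers" );
    }
    return keyPair;
}

jwtKey    = generateCheckedKeyPair( "P-256" );                // PKCS8 PEM, the default format
legacyKey = generateCheckedKeyPair( "RSA-4096", "OPENSSL" );  // alias resolves to traditional
```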