← ← All Tools
中文

🔏 RSA Sign & Verify

Client-side RSA digital signature and verification tool. Supports RSASSA-PKCS1-v1_5 and RSA-PSS algorithms, SHA-256/384/512 hashes, PEM (PKCS#8/SPKI) and JWK key formats, JWT presets (RS256/PS256), and OpenSSL command preview — private keys are not uploaded by the tool

🔒 All signing and verification runs locally in your browser via WebCrypto API. Private keys, messages, and signatures are not uploaded by the tool.

Mode

Message format

Signature Algorithm

Hash Algorithm

What is the difference between PKCS1-v1_5 and RSA-PSS?
RSASSA-PKCS1-v1_5 is a deterministic scheme — same input always produces the same signature. It has the widest compatibility and maps to JWT RS256/RS384/RS512. RSA-PSS is probabilistic — each signature includes a random salt, with a tight security proof. It maps to JWT PS256/PS384/PS512. New systems should prefer RSA-PSS.
Why can't I use my PKCS#1 key (BEGIN RSA PRIVATE KEY)?
The WebCrypto API only supports PKCS#8 private keys (BEGIN PRIVATE KEY) and SPKI public keys (BEGIN PUBLIC KEY). PKCS#1 is the older RSA-specific format. Convert with: openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in rsa-key.pem -out private.pem
What do the JWT preset buttons do?
JWT (JSON Web Token) uses specific algorithm and hash combinations: RS256 = PKCS1-v1_5 + SHA-256, PS256 = RSA-PSS + SHA-256, and so on. Preset buttons auto-configure the algorithm and hash to match the specified JWT signing scheme.
Is my private key safe?
All operations run entirely in your browser using the WebCrypto API. Keys and messages are not uploaded by the tool. However, avoid using this tool with real keys on public or shared computers. To verify, open your browser's Network tab in DevTools and confirm no external requests are made.
How can I verify with OpenSSL?
Each sign/verify operation shows the equivalent OpenSSL command. Save your key to a file, your message to a file, then run the shown command. For example: 1) Save private key as private.pem; 2) echo -n "message" > message.txt; 3) Run the shown openssl dgst command. Signatures should match (PKCS1-v1_5) or verification should pass (PSS).

More tools you might find useful.

🔐
AES Encrypt/Decrypt
Client-side AES encryption and decryption with GCM, CBC, and CTR modes, PBKDF2 passphrase derivation and raw key input — keys are not uploaded by the tool
🔐
BCrypt Hash Generator & Verifier
Client-side BCrypt password hash toolkit with three tabs: Generate (cost 4-15, $2a/$2b/$2y version selector, 3 output formats), Verify (auto-parses cost/version with OWASP guidance), and Inspect (dissect any bcrypt hash into prefix/cost/salt/hash). Real-time 72-byte truncation warning, progress bar, cancel button, and mobile-friendly chip controls.
🔐
DES / 3DES Encrypt & Decrypt
Client-side DES and 3DES (2-key/3-key) encryption & decryption with zero dependencies. Supports five modes (ECB/CBC/CFB/OFB/CTR) and five padding schemes (PKCS#7/Zero/ANSI X.923/ISO 10126/No Padding). Independent encoding switchers for Key/IV/Input/Output (Hex/UTF-8/Base64), real-time byte-length hints, built-in NIST test vectors, persistent deprecation banner (DES 2005, 3DES Jan 2024), and K1/K2/K3 key visualization. For education and legacy interop only — keys and plaintext are not uploaded by the tool.
#️⃣
Hash Generator
MD5 & SHA Hash Calculator
🔐
HMAC Calculator
Client-side HMAC calculator with SHA-1/256/384/512, UTF-8/Hex/Base64 key formats, text & file input, and HMAC verification

Free online RSA digital signature and verification tool — client-side with WebCrypto API. Supports both RSASSA-PKCS1-v1_5 and RSA-PSS algorithms, SHA-1/256/384/512 hashes, PEM (PKCS#8/SPKI) and JWK key formats with smart key detection (auto-detects PKCS#1, encrypted keys, and shows conversion commands). JWT presets (RS256/RS384/RS512/PS256/PS384/PS512), OpenSSL command preview, Hex/Base64 signature output. Quick Test for one-click keygen-sign-verify roundtrip. Private keys and messages are not uploaded by the tool.