RSA Key Format Error — Invalid PEM Fix
💡An RSA key format error usually means a PEM header mismatch (PKCS#1 vs PKCS#8), missing line breaks in the Base64 body, or the wrong key type for the operation. Check that the header matches the format your library expects, wrap the Base64 body at 64 characters, and use PKCS#8 format ('BEGIN PRIVATE KEY') for broadest compatibility.
Quick Diagnosis
If you see “Error: invalid PEM formatted message” → it means the PEM header/footer is missing, wrong, or the Base64 body is malformed → do this: confirm the key starts with -----BEGIN ... KEY----- and ends with -----END ... KEY-----
If you see “Error: unsupported key type” → it means the library expects PKCS#8 format but received PKCS#1 (or vice versa) → do this: convert with openssl: openssl pkcs8 -topk8 -nocrypt -in key.pem -out key_pkcs8.pem
If you see “key works in OpenSSL but fails in code” → it means the key string has incorrect line endings or the Base64 body is on one line → do this: ensure the PEM body has line breaks every 64 characters
If you see “public key mismatch with private key” → it means the keys are from different key pairs → do this: derive the public key from the private key and compare: openssl rsa -in private.pem -pubout
Common Causes and Fixes
PKCS#1 vs PKCS#8 header mismatch
❌ Wrong
# PKCS#1 private key — some libraries reject this
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----✅ Fixed
# PKCS#8 private key — universally accepted
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkq...
-----END PRIVATE KEY-----
# Convert with:
openssl pkcs8 -topk8 -nocrypt -in pkcs1.pem -out pkcs8.pemPKCS#1 headers say 'RSA PRIVATE KEY'. PKCS#8 says 'PRIVATE KEY'. Node.js crypto and most modern libraries prefer PKCS#8.
Missing line breaks in PEM body
❌ Wrong
# PEM body on a single line — invalid
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...very long line...
-----END PUBLIC KEY-----✅ Fixed
# PEM body with 64-character lines
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
rNPp8GXJX...
-----END PUBLIC KEY-----Standard PEM format requires the Base64 body to be wrapped at 64 characters per line.
Generate RSA Key Pairs Online
Generate RSA private and public key pairs in the browser in PKCS#8 PEM format, ready to use in your application.
PEM Format Checklist
- ✓Header line: -----BEGIN PRIVATE KEY----- (PKCS#8) or -----BEGIN RSA PRIVATE KEY----- (PKCS#1)
- ✓Footer line: -----END PRIVATE KEY----- — must match the header exactly
- ✓Base64 body wrapped at exactly 64 characters per line
- ✓No Windows CRLF line endings — use LF only
- ✓No trailing spaces on any line
- ✓Newline at the very end of the file
Related Guides
Frequently Asked Questions
What is the difference between PKCS#1 and PKCS#8?
PKCS#1 is an older RSA-specific format with headers like 'BEGIN RSA PRIVATE KEY'. PKCS#8 is a newer, algorithm-agnostic format with 'BEGIN PRIVATE KEY'. Most modern libraries prefer PKCS#8.
How do I convert an RSA key from PKCS#1 to PKCS#8?
Use OpenSSL: openssl pkcs8 -topk8 -nocrypt -in pkcs1.pem -out pkcs8.pem. The -nocrypt flag outputs an unencrypted key.
Why does my key work in openssl verify but fail in Node.js?
Node.js crypto is strict about PEM format. Common issues are missing line breaks every 64 characters, Windows-style line endings (CRLF), or PKCS#1 format where PKCS#8 is expected.
All tools run in your browser. Your data never leaves your device.