Is my private key sent anywhere?

No. The PEM is Base64-decoded and parsed in your browser's JavaScript; the bytes never touch a network. Even so, treat private keys as secrets and avoid pasting production keys into any tool.

Which key formats are supported?

It recognises PKCS#8 (BEGIN PRIVATE KEY), PKCS#1 RSA (BEGIN RSA PRIVATE KEY), SEC1 EC (BEGIN EC PRIVATE KEY) and Ed25519 keys wrapped in PKCS#8. Encrypted keys (BEGIN ENCRYPTED PRIVATE KEY) are detected but not decrypted.

How does it tell RSA from EC from Ed25519?

For PKCS#8 it reads the ASN.1 AlgorithmIdentifier OID inside the DER: 1.2.840.113549.1.1.1 is RSA, 1.2.840.10045.2.1 is EC, and 1.3.101.112 is Ed25519. The PKCS#1 and SEC1 labels themselves also imply the type.

Does a valid format mean the key is usable?

It confirms the structure parses correctly, which catches the most common copy-paste and encoding errors. It does not verify the key against a certificate or test a cryptographic operation.

Why does my key fail with an invalid Base64 error?

Usually the BEGIN/END lines are missing, the body has stray characters, or line breaks were mangled. Re-copy the whole block including both armour lines and ensure no extra spaces were added.

PEM Private Key Format Validator

A PEM private key is a Base64-encoded DER structure wrapped in -----BEGIN ... PRIVATE KEY----- armour. When TLS or SSH setup fails, the cause is often a malformed key — wrong label, corrupted Base64 or a truncated block. This validator decodes the PEM in your browser, identifies whether it is RSA, EC or Ed25519, and reports structural validity. The key is never transmitted.

How it works

The PEM armour is matched to find the label (e.g. PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY).
The Base64 body between the lines is decoded to raw DER bytes.
For PKCS#8 keys the parser walks the ASN.1 to read the AlgorithmIdentifier OID, mapping it to a key type:
- 1.2.840.113549.1.1.1 → RSA
- 1.2.840.10045.2.1 → EC (elliptic curve)
- 1.3.101.112 → Ed25519
PKCS#1 (RSA PRIVATE KEY) and SEC1 (EC PRIVATE KEY) labels imply the type directly.

Where available, the browser’s Web Crypto importKey is used as an extra structural check for PKCS#8 RSA and EC keys.

Notes

Encrypted keys (BEGIN ENCRYPTED PRIVATE KEY) are recognised but not decrypted — supply the unencrypted form to inspect the algorithm. As with any key tool, prefer test keys; a real private key is a credential you should never paste into untrusted pages. Here, processing is fully local.