PEM ↔ JWK Key Converter
Convert RSA and EC keys between PEM and JWK in both directions, with an RFC 7638 thumbprint kid, a key-parameter inspector, and one-click public-only JWK and JWKS output.
About PEM ↔ JWK Key Converter
If you wire up OAuth2, OIDC, or JWT verification, you eventually hold a key in the wrong shape. You have a PEM from OpenSSL or a certificate authority but your library wants a JSON Web Key, or you pulled a JWK from a JWKS endpoint and a legacy service only reads PEM. This converter does both directions on one screen for RSA and EC keys, public or private. PEM is base64-wrapped DER with a -----BEGIN-----/-----END----- header; a JWK is the same key expressed as JSON members. Converting between them is a re-encoding, not a key change, so the underlying RSA modulus or EC point is identical on both sides. Paste a PKCS#8 private key or an SPKI (X.509) public key to get a JWK, or paste a JWK to get a PEM back. It also computes the RFC 7638 JWK thumbprint and can fill it in as a deterministic kid. A key-parameter inspector decodes n and e for RSA, or crv, x, y, and d for EC, so you can check what you pasted. For a private key, one click strips it down to a public-only JWK you can wrap in a jwks.json. Everything runs locally with the Web Crypto API, so a pasted private key stays in your browser and is never uploaded. Version 1 covers the Web-Crypto-native encodings, PKCS#8 and SPKI, for RSA and EC P-256, P-384, and P-521. If you paste a PKCS#1 (RSA PRIVATE KEY) or SEC1 (EC PRIVATE KEY) block, the tool detects it and shows the one-line openssl pkey command to convert it to PKCS#8 first.
How to use the PEM ↔ JWK Key Converter
- Pick a direction: PEM → JWK or JWK → PEM.
- Paste your key. For PEM, use a PKCS#8 private key (-----BEGIN PRIVATE KEY-----) or an SPKI/X.509 public key (-----BEGIN PUBLIC KEY-----).
- Read the badges to confirm the detected format, key type (RSA or EC), and whether the key is public or private.
- For PEM → JWK, set alg and use if your consumer needs them, and leave Auto kid on to get an RFC 7638 thumbprint kid.
- Check the key-parameter inspector to verify n and e (RSA) or crv, x, and y (EC).
- Copy the JWK or PEM output with the copy button in the panel header.
- For a private key, click Strip to public JWK or Copy as JWKS to publish at a jwks_uri.
- If you see a PKCS#1 or SEC1 notice, run the shown openssl pkey command and paste the PKCS#8 result.
Common Use Cases
Host a jwks.json at a jwks_uri
Take an RSA or EC PEM, convert it to a public JWK with a stable RFC 7638 kid, and wrap it as a JWKS so relying parties can fetch your verification key from a jwks_uri.
Feed a JWK to a verification library
Some JWT libraries want a JWK rather than a PEM. Convert your verification public key from PEM to JWK so the library can validate incoming tokens.
Move a JWK back to PEM
Pull a JWK from a JWKS endpoint and convert it to a PKCS#8 or SPKI PEM for OpenSSL or a legacy service that only reads PEM.
Compute a deterministic kid
Generate the RFC 7638 thumbprint so a rotating key is addressable by a stable, content-derived kid instead of a hand-assigned label.
Frequently Asked Questions
What is a JWK and how is it different from a PEM?
A JWK (JSON Web Key) describes a key as JSON members: kty plus n and e for RSA, or crv, x, and y for EC. A PEM wraps the same key's DER bytes in base64 between -----BEGIN----- and -----END----- lines. They are two encodings of one key, so converting between them does not change the key.
How do I convert a PEM key to a JWK?
Pick the PEM → JWK direction and paste a PKCS#8 private key or an SPKI/X.509 public key. The converter imports it with the Web Crypto API and exports the matching JWK. It works for both RSA and EC keys (P-256, P-384, P-521), public or private.
How do I convert a JWK back to a PEM?
Pick the JWK → PEM direction and paste the JWK JSON. A private JWK (with a d member) becomes a PKCS#8 PEM (-----BEGIN PRIVATE KEY-----), and a public JWK becomes an SPKI PEM (-----BEGIN PUBLIC KEY-----).
What is the kid and how is the JWK thumbprint computed?
The kid is a key identifier. This tool can fill it from the RFC 7638 JWK thumbprint: a SHA-256 hash over the required public members in lexicographic order with no whitespace (e, kty, n for RSA; crv, kty, x, y for EC), encoded as base64url. Private members and metadata are excluded, so a private key and its public form produce the same thumbprint.
Is it safe to convert a private key here?
Yes. All conversion runs in your browser through the Web Crypto API, and there are no network calls in the tool's code path, so a pasted private key is not uploaded anywhere. The share button is marked sensitive and asks for a second click before it copies a link, since a shared link would carry whatever you pasted.
What do n, e, crv, x, y, and d mean?
For RSA, n is the modulus and e is the public exponent; d is the private exponent. For EC, crv is the named curve and x and y are the public point coordinates; d is the private scalar. A JWK that includes d is a private key.