JWK to PEM Converter

Convert RSA and EC JSON Web Keys into standard PEM files entirely in your browser. No uploads, no server processing.

Input JWK

Paste a JWK object or JWKS with a keys array

PEM Output

SPKI for public keys, PKCS8 for private keys

Private by design

Conversion uses the browser Web Crypto API locally. Keys are not uploaded or sent to a backend.

RSA and EC support

Supports RSA keys with n/e/d fields and EC keys for common curves such as P-256, P-384, and P-521.

Standard PEM output

Public keys export as SPKI PEM and private keys export as PKCS8 PEM for compatibility with OpenSSL and OAuth tooling.

About JWK to PEM Converter

A JWK (JSON Web Key) and PEM are two standard formats for representing cryptographic keys. JWK is a JSON-based format used by OAuth, OpenID Connect, and JWT validation, while PEM is the base64-encoded ASN.1 format used by OpenSSL and most server-side cryptography tooling. This converter parses RSA and EC JSON Web Keys directly in your browser and produces standard PEM files using the native Web Crypto API.

  • Convert RSA public keys to SPKI PEM and RSA private keys to PKCS8 PEM
  • Convert EC keys on P-256, P-384, and P-521 curves to PEM format
  • Accept a single JWK object or a full JWKS set containing a keys array
  • Auto-detect key type, modulus size, curve, key ID (kid), and algorithm
  • 100% client-side — no JWK or PEM data ever leaves your device
  • Tolerant of optional JWK fields like use, alg, and key_ops that often break other converters

How to Use the JWK to PEM Converter

  1. 1

    Paste your JWK or JWKS

    Copy a JSON Web Key object or a JWKS containing a keys array into the input field. Both RSA and EC key types are supported.

  2. 2

    Click Convert to PEM

    The converter detects whether the key is RSA or EC, public or private, and chooses SPKI or PKCS8 output format automatically.

  3. 3

    Review the key metadata

    Confirm the detected key type, algorithm, curve, modulus size, and key ID match what you expect before using the output.

  4. 4

    Copy or download the PEM

    Use the Copy PEM button to send the result to your clipboard, or download a .pem file ready for OpenSSL, JWT libraries, or API clients.

Tip: Click the Sample button to generate a real RSA-2048 key pair on the fly and try the full conversion flow without supplying your own key.

Common Use Cases

OAuth & OpenID Connect

  • • Convert provider JWKS endpoints to PEM
  • • Pin signing keys for token verification
  • • Migrate keys between identity providers

JWT Signature Verification

  • • Use PEM with jsonwebtoken, PyJWT, or jose
  • • Validate RS256, RS384, RS512, ES256 tokens
  • • Plug straight into Express, FastAPI, or Spring

Mobile & Embedded SDKs

  • • Many native SDKs accept PEM, not JWK
  • • Bundle public keys with iOS or Android apps
  • • Flash signing keys to IoT firmware

OpenSSL & CLI Pipelines

  • • Inspect keys with openssl rsa -text
  • • Build certificate signing requests (CSRs)
  • • Integrate with shell scripts and CI/CD

Key Rotation & Migration

  • • Move legacy JWK stores into PEM-based vaults
  • • Re-publish rotated keys to downstream services
  • • Convert exported keys from cloud KMS providers

Learning & Debugging

  • • Inspect modulus, exponent, and curve params
  • • Compare JWK vs SPKI/PKCS8 representations
  • • Teach JWT, JOSE, and PKI fundamentals

Frequently Asked Questions

What is a JWK and why convert it to PEM?

A JSON Web Key (JWK) is a JSON representation of a cryptographic key defined in RFC 7517 and used heavily by OAuth, OpenID Connect, and JWT. PEM is the older base64-encoded ASN.1 format consumed by OpenSSL and most server-side libraries. Converting JWK to PEM lets you use keys published as JWKS with tools that only understand PEM.

Which key types and curves are supported?

RSA keys of any modulus size (1024, 2048, 3072, 4096 bits) and EC keys on the P-256, P-384, and P-521 curves are supported. Both public and private JWKs work — private keys must include the d parameter (and optimally p, q, dp, dq, qi for RSA).

What do SPKI and PKCS8 mean in the output?

SPKI (SubjectPublicKeyInfo) is the standard wrapper for public keys, producing a -----BEGIN PUBLIC KEY----- PEM. PKCS8 wraps private keys, producing -----BEGIN PRIVATE KEY----- PEM. Both are the modern, algorithm-neutral formats accepted by OpenSSL and major libraries.

Can I paste a full JWKS endpoint response?

Yes. If the input is a JWKS object containing a keys array, the converter uses the first key. To convert other keys in the set, paste them individually.

Why do JWKs with use or alg fail in other converters?

Web Crypto enforces that requested key usages match the JWK's use, key_ops, and alg hints exactly. This converter strips those advisory fields before importing so any valid RSA or EC JWK works regardless of metadata.

Can I use the PEM with OpenSSL or JWT libraries?

Yes. The output is standard SPKI or PKCS8 PEM and works directly with openssl, jsonwebtoken (Node.js), PyJWT, jose, and most other JWT and TLS libraries without further conversion.

Is my data safe? Does this tool send keys to a server?

No data leaves your browser. All parsing, importing, and PEM encoding happens entirely client-side using the browser's Web Crypto API, so your JWK and any private key material are never uploaded, logged, or stored.

Does this work offline?

Once the page is loaded, conversion runs without any network requests. You can disconnect and the tool will continue to work, which is recommended when handling sensitive private keys.