PEM to JWK Converter

Convert RSA and EC PEM keys into JSON Web Keys entirely in your browser. No uploads, no server processing.

Input PEM

Paste an SPKI public key or PKCS8 private key

JWK Output

RFC 7517 JSON Web Key representation

Private by design

Conversion uses the browser Web Crypto API locally. Keys are not uploaded or sent to a backend.

RSA and EC support

Supports RSA SPKI / PKCS8 keys at any size and EC keys on common curves like P-256, P-384, and P-521.

Standard JWK output

Emits RFC 7517 JSON Web Keys ready for OAuth, OpenID Connect, JWKS endpoints, and JWT signing libraries.

About PEM to JWK Converter

PEM and JWK (JSON Web Key) are two standard ways to represent cryptographic keys. PEM is the base64-encoded ASN.1 format produced by OpenSSL and most server-side tooling, while JWK is the JSON-based format used by OAuth, OpenID Connect, JWKS endpoints, and JWT validation. This converter parses RSA and EC PEM keys directly in your browser and produces standard JWK objects using the native Web Crypto API.

  • Convert SPKI PUBLIC KEY PEM into RSA or EC public JWKs
  • Convert PKCS8 PRIVATE KEY PEM into RSA or EC private JWKs
  • Auto-detect key type, modulus size, curve, and algorithm
  • Outputs RFC 7517 compliant JWK ready to publish in a JWKS endpoint
  • 100% client-side — no PEM or JWK data ever leaves your device
  • Strips advisory alg, key_ops, and ext fields so you can layer your own metadata

How to Use the PEM to JWK Converter

  1. 1

    Paste your PEM key

    Copy a complete PEM block including the -----BEGIN----- and -----END----- markers into the input field.

  2. 2

    Click Convert to JWK

    The converter detects whether the key is RSA or EC, public or private, and tries the supported curves and hashes automatically.

  3. 3

    Review the key metadata

    Confirm the detected key type, algorithm, curve, and modulus size match what you expect before using the JWK output.

  4. 4

    Copy or download the JWK

    Use the Copy JWK button or download a .json file ready for JWKS endpoints, JWT libraries, or identity provider configuration.

Tip: Click the Sample button to generate a real RSA-2048 SPKI PEM on the fly and try the full conversion flow without supplying your own key.

Common Use Cases

Build a JWKS Endpoint

  • • Publish public keys at /.well-known/jwks.json
  • • Add kid and use after conversion
  • • Rotate signing keys for your auth service

JWT Signing & Verification

  • • Use JWK with jose, jsonwebtoken, or PyJWT
  • • Sign RS256, RS384, RS512, ES256 tokens
  • • Plug into Auth0, Okta, or Keycloak custom flows

Identity Provider Migration

  • • Move PEM-based keys into JWKS-aware IdPs
  • • Convert KMS-exported PEM to JWK format
  • • Migrate legacy auth servers to OIDC

Web Crypto & Browser Apps

  • • Import keys with subtle.importKey('jwk', ...)
  • • Pre-bundle JWKs with SPA assets
  • • Inspect key parameters in DevTools

Testing & Debugging

  • • Inspect modulus, exponent, and curve params
  • • Compare PEM vs JWK representations
  • • Reproduce issues with known-good test vectors

Learning JOSE & PKI

  • • See how SPKI maps to JWK fields
  • • Teach RFC 7517 / 7518 in workshops
  • • Visualize the difference between formats

Frequently Asked Questions

What is a PEM key and why convert it to JWK?

PEM is a base64-encoded ASN.1 wrapper used for X.509 certificates and cryptographic keys, common in OpenSSL and TLS. JWK (RFC 7517) is the JSON-based key format used by OAuth, OpenID Connect, JWKS endpoints, and JWT libraries. Converting PEM to JWK lets you publish keys to a JWKS endpoint or import them into Web Crypto and JOSE libraries.

Which PEM formats are supported?

SPKI -----BEGIN PUBLIC KEY----- and PKCS8 -----BEGIN PRIVATE KEY----- are supported directly. Legacy PKCS#1 (RSA PUBLIC KEY / RSA PRIVATE KEY) and SEC1 (EC PRIVATE KEY) are not natively importable by the Web Crypto API; convert them first with openssl pkey -in key.pem -out new.pem.

Which key types and curves are supported?

RSA keys of any modulus size (1024, 2048, 3072, 4096 bits) and EC keys on the P-256, P-384, and P-521 curves are supported. The converter tries each algorithm candidate (RSASSA-PKCS1-v1_5, RSA-PSS, RSA-OAEP, ECDSA) until one succeeds.

What does the JWK output contain?

For RSA keys, the JWK includes kty, n, e, plus d, p, q, dp, dq, and qi for private keys. For EC, you get kty, crv, x, y, and d for private keys.

Why are alg and key_ops stripped?

Web Crypto adds advisory fields based on the algorithm guess used for import, but the key itself doesn't dictate them. They're removed so you can add the correct values for your context (e.g. "alg": "RS256", "use": "sig", "kid": "...") without conflicting hints.

Can I use the JWK with jose, jsonwebtoken, or PyJWT?

Yes. The output is a standard RFC 7517 JWK and works directly with jose (Node.js / browser), node-jose, jsonwebtoken (after wrapping in a JWKS), PyJWT, and most other JWT and JOSE libraries.

Is my data safe? Does this tool send keys to a server?

No data leaves your browser. All parsing, importing, and JWK encoding happens entirely client-side using the browser's Web Crypto API, so your PEM and any private key material are never uploaded, logged, or stored.

Does this work offline?

Once the page is loaded, conversion runs without any network requests. You can disconnect and the tool will continue to work, which is recommended when handling sensitive private keys.