JWK To PEM Converter
Convert JWK or JWKS keys to SPKI public or PKCS#8 private PEM with local validation, thumbprints, and export-ready key details.
Introduction:
JSON Web Keys and PEM files often carry the same cryptographic key material in very different packaging. JWK represents key fields as JSON names and base64url values, which fits JOSE, OAuth, OpenID Connect, and JWKS publishing. PEM represents ASN.1 DER bytes as base64 text between header and footer lines, which fits OpenSSL, TLS tooling, certificate utilities, and many server configuration files.
Converting between those formats should not change the key. An RSA public key still depends on modulus n and exponent e. An EC public key still depends on curve name plus x and y coordinates. An OKP public key still depends on the curve and public value x. The conversion job is to build the right DER wrapper and PEM armor without losing track of whether the source contains public-only or private key material.
The most common public PEM target is SubjectPublicKeyInfo, usually shortened to SPKI. It wraps the public key with an algorithm identifier so another program can understand whether the bytes are RSA, EC, or OKP. Private PEM output is usually PKCS#8, which wraps the private key and its algorithm information. Public output can be built from public fields only, but private output requires private fields such as d and, for RSA, the full CRT field set.
JWKS adds one more practical detail: a key set can contain several keys, each with a kid, alg, use, or key_ops value. Those fields help select and identify a key, but they are not embedded in the PEM key material. A separate thumbprint or fingerprint is useful because it lets the reader compare identity without trusting a file name or a short key ID alone.
| Format term | What it contains | Common use |
|---|---|---|
| JWK | One JSON object with key fields such as kty, n, e, crv, x, and y. | JOSE, OAuth, OpenID Connect, and key-set publishing. |
| JWKS | A JSON object with a keys array. | Publishing several public keys for rotation. |
| SPKI PEM | A public key wrapped with algorithm metadata. | Public-key input for OpenSSL-style tools and certificate workflows. |
| PKCS#8 PEM | A private key wrapped with algorithm metadata. | Private-key import where a complete private JWK is available. |
How to Use This Tool:
Use the converter when a system gives you JWK or JWKS JSON and another system expects a PEM public or private key.
- Paste a single JWK or JWKS JSON object, browse a JSON file, or drop the file onto the input area.
- Use Load RSA sample, Load EC sample, or Load JWKS sample to inspect accepted shapes before using your own key.
- When a JWKS contains several keys, choose the correct Selected key. Only one JWK is exported at a time.
- Choose Output PEM: public SPKI, private PKCS#8, or auto by key material.
- Adjust PEM line wrap only when the receiving system requires a different base64 line length. The common default is 64 characters.
- Review PEM, then confirm key type, DER size, thumbprint, and private-field status in Key Details and Conversion Checks.
If conversion fails, read the first failed check. Invalid base64url, unsupported key type, missing EC coordinates, unsupported OKP curve, or missing private fields usually explain the error faster than inspecting the PEM area.
Interpreting Results:
The PEM tab is the artifact to copy or download. The header tells you whether the output is PUBLIC KEY or PRIVATE KEY. If the source contains private fields, treat the pasted JSON and any PKCS#8 output as sensitive even if you only need a public key for the current task.
- Key Details shows the selected source shape, key type, estimated key size, kid, advisory alg/use values, DER bytes, PEM size, JWK thumbprint preview, and DER SHA-256 preview.
- Conversion Checks separates JSON parsing, key-family support, output-target readiness, private-material detection, URL-sync boundaries, and PEM build status.
- JSON Report keeps full thumbprints and fingerprints, including values that are shortened in the tables.
A successful PEM conversion does not prove the key belongs to a trusted issuer or matches a certificate. Compare the thumbprint, certificate public key, issuer metadata, or deployment record that originally supplied the JWK.
Technical Details:
The conversion is a format transformation. JWK uses JSON and base64url values without PEM headers. DER uses binary ASN.1 objects. PEM armors those DER bytes into base64 text with a label. The important technical question is which DER object should be built for the key type and output target.
Public SPKI output contains an algorithm identifier plus the public key bit string. Private PKCS#8 output contains a version, algorithm identifier, and private key octet string. RSA private output requires CRT fields because the local builder expects n, e, d, p, q, dp, dq, and qi. Multi-prime RSA keys with oth are rejected.
Transformation Core:
| Key family | Public fields | Private requirement | Supported output |
|---|---|---|---|
| RSA | kty, n, e | d, p, q, dp, dq, qi | SPKI public, PKCS#8 private when CRT fields are present. |
| EC | kty, crv, x, y | d | P-256, P-384, and P-521 SPKI or PKCS#8. |
| OKP | kty, crv, x | d | Ed25519, X25519, Ed448, and X448 SPKI or PKCS#8. |
The JWK thumbprint follows the JWK thumbprint concept: choose the required public members for the key family, serialize them in canonical member order, hash the UTF-8 JSON with SHA-256, and encode the digest as base64url.
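The thumbprint steps above as a runnable sketch. This is an added example, not the converter's own code; the function names, the kid values, and the sample key set are constructed for illustration. It also flags a kid that names more than one key, which is the reason to compare thumbprints rather than key IDs.

```python
import base64, hashlib, json

# Required public members per key family (RFC 7638; RFC 8037 for OKP).
REQUIRED = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

def jwk_thumbprint(jwk):
    """SHA-256 JWK thumbprint, base64url without padding."""
    members = REQUIRED.get(jwk.get("kty"))
    if members is None:
        raise ValueError("unsupported kty: %r" % jwk.get("kty"))
    missing = [m for m in members if not isinstance(jwk.get(m), str)]
    if missing:
        raise ValueError("missing required members: " + ", ".join(missing))
    # Only the required members, sorted by name, no whitespace.
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def kid_conflicts(jwks):
    """Return {kid: sorted thumbprints} for kids that name more than one key."""
    seen = {}
    for jwk in jwks.get("keys", []):
        seen.setdefault(jwk.get("kid"), set()).add(jwk_thumbprint(jwk))
    return {kid: sorted(tps) for kid, tps in seen.items() if len(tps) > 1}

# Constructed sample key set (kid values are made up). The first x is the
# Ed25519 public key from RFC 8032 test vector 1; the all-"A" x is filler.
X1 = "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"
SAMPLE_JWKS = {"keys": [
    {"kty": "OKP", "crv": "Ed25519", "x": X1, "kid": "sig-1", "alg": "EdDSA"},
    {"x": X1, "use": "sig", "crv": "Ed25519", "kty": "OKP", "kid": "sig-1"},
    {"kty": "OKP", "crv": "Ed25519", "x": "A" * 43, "kid": "sig-2"},
    {"kty": "OKP", "crv": "Ed25519", "x": "A" * 43, "kid": "sig-1"},
]}

if __name__ == "__main__":
    for key in SAMPLE_JWKS["keys"]:
        print(key["kid"], jwk_thumbprint(key))
    print("kid conflicts:", kid_conflicts(SAMPLE_JWKS))
```

Member order and advisory fields do not change the thumbprint, so the first two sample entries hash identically while the last entry reuses sig-1 for different key material.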
Worked Transform Path:
- Parse the source as either a single JWK or a JWKS keys array.
- Select one key by index and normalize the requested output target.
- Decode base64url public and private fields into bytes, checking curve lengths where applicable.
- Build the DER object for SPKI or PKCS#8 using the key-family object identifiers.
- Hash the exported DER bytes for the fingerprint, base64-armor the DER bytes, and wrap the PEM body at the chosen line length.
Advisory JWK fields such as kid, alg, use, and key_ops help humans and key-selection systems, but they do not appear inside the generated PEM key bytes.
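The transform path for the public SPKI target, written out by hand so the DER wrapper is visible. This is an added example, not the converter's own code; the helper names and the sample kid are constructed, and it covers only OKP and RSA public keys (EC and PKCS#8 are left out).

```python
import base64, hashlib

def b64u_decode(s):
    """Decode unpadded base64url as used in JWK members."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def tlv(tag, body):
    """DER tag-length-value, short or long definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_uint(raw):
    """Big-endian magnitude -> DER INTEGER that stays non-negative."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    return tlv(0x02, (b"\x00" + raw) if raw[0] & 0x80 else raw)

# OKP curve -> (DER OID, public key length in bytes), OIDs from RFC 8410.
OKP = {"X25519": ("06032b656e", 32), "X448": ("06032b656f", 56),
       "Ed25519": ("06032b6570", 32), "Ed448": ("06032b6571", 57)}
RSA_ALG = "06092a864886f70d0101010500"  # rsaEncryption OID + NULL parameters

def jwk_to_spki_der(jwk):
    """Build SubjectPublicKeyInfo from public members; d, kid, alg are ignored."""
    if jwk.get("kty") == "OKP" and jwk.get("crv") in OKP:
        oid, size = OKP[jwk["crv"]]
        alg, key = bytes.fromhex(oid), b64u_decode(jwk["x"])
        if len(key) != size:
            raise ValueError("x must be %d bytes for %s" % (size, jwk["crv"]))
    elif jwk.get("kty") == "RSA":
        alg = bytes.fromhex(RSA_ALG)
        key = tlv(0x30, der_uint(b64u_decode(jwk["n"])) + der_uint(b64u_decode(jwk["e"])))
    else:
        raise ValueError("unsupported key type or curve")
    # SEQUENCE { AlgorithmIdentifier, BIT STRING with 0 unused bits }
    return tlv(0x30, tlv(0x30, alg) + tlv(0x03, b"\x00" + key))

def der_to_pem(der, label="PUBLIC KEY", wrap=64):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + wrap] for i in range(0, len(b64), wrap)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

# Constructed input: RFC 8032 test vector 1 public key; kid is made up.
SAMPLE = {"kty": "OKP", "crv": "Ed25519", "kid": "example-1", "alg": "EdDSA",
          "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"}

if __name__ == "__main__":
    der = jwk_to_spki_der(SAMPLE)
    print(der_to_pem(der), end="")
    print("DER bytes:", len(der), "SHA-256:", hashlib.sha256(der).hexdigest())
```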
Privacy Notes:
The conversion runs in the browser. The source JWK text is not written to the shareable URL. Only settings such as selected key index, output target, line wrap, preview length, and active tab are synced.
- Public JWKs can usually be shared, but still verify their source before trusting them.
- Private JWK fields such as d, RSA CRT fields, and generated PKCS#8 PEM output should be handled as secrets.
- Clear the source area after working with private material on a shared machine.
Worked Examples:
RSA public JWK to SPKI
A JWK with kty: RSA, modulus n, exponent e, kid, and alg: RS256 should produce a PUBLIC KEY PEM. Key Details should show RSA, estimated bits from the modulus, DER bytes, and both JWK thumbprint and DER SHA-256 previews.
JWKS key selection
A JWKS with RSA, P-256, and Ed25519 keys can be pasted once, then switched with Selected key. Exporting key 2 should change the key type, PEM body, thumbprint, fingerprint, and filename without changing the source JSON.
Private target without private fields
If Private key PEM (PKCS#8) is selected for a public-only JWK, Conversion Checks should mark the output target as blocked. Switch back to public SPKI or supply a complete private JWK from a trusted source.
FAQ:
What is the difference between SPKI and PKCS#8?
SPKI is the public-key wrapper used by PUBLIC KEY PEM output. PKCS#8 is the private-key wrapper used by PRIVATE KEY PEM output when the JWK includes private fields.
Why did the private export fail?
Private PEM needs private JWK fields. RSA needs d, p, q, dp, dq, and qi; EC and OKP need d. Public JWKS documents usually omit these fields by design.
Does PEM preserve kid or alg?
No. kid, alg, use, and key_ops stay in the details and JSON report, but the PEM key bytes carry key material and algorithm identifiers rather than JOSE metadata.
Why are there two hashes?
The JWK thumbprint hashes canonical public JWK JSON. The DER SHA-256 fingerprint hashes the exported DER bytes. Use the one that matches the system or document you are comparing against.
Glossary:
- JWK: JSON Web Key, a JSON representation of cryptographic key material.
- JWKS: JSON Web Key Set, a JSON object that contains a keys array.
- DER: A binary ASN.1 encoding used inside PEM key files and many certificate-related formats.
- PEM: Base64 text armor around DER bytes with header and footer labels.
- SPKI: SubjectPublicKeyInfo, the common ASN.1 public-key wrapper.
- PKCS#8: A common ASN.1 private-key wrapper.
References:
- RFC 7517: JSON Web Key (JWK), IETF, 2015.
- RFC 7638: JSON Web Key (JWK) Thumbprint, IETF, 2015.
- RFC 7468: Textual Encodings of PKIX, PKCS, and CMS Structures, IETF, 2015.
- RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile, IETF, 2008.