ByteJSON

PEM to JWK Converter

Convert between PEM and JWK (JSON Web Key) formats. Supports RSA and EC keys, public and private keys.

What is PEM to JWK Converter?

PEM (Privacy-Enhanced Mail) is the most common format for storing cryptographic keys, using Base64-encoded DER with header/footer lines. JWK (JSON Web Key) is a JSON-based representation defined in RFC 7517, widely used in JWT, OAuth 2.0, and OpenID Connect. This tool converts between the two formats using the Web Crypto API built into modern browsers, supporting RSA and EC keys in both public and private forms.

How to Use

  1. Choose the conversion direction using the toggle button (PEM → JWK or JWK → PEM)
  2. Paste your PEM key or JWK JSON in the input area
  3. Click 'Convert' to generate the output
  4. Copy the result and use it in your application

Why Use This Tool?

Convert PEM keys to JWK for JWT signing and JWKS endpoints
Transform JWK keys back to PEM for server configurations
Automatic key type detection (RSA, EC) and format validation
Browser-based processing — your keys never leave your device

Tips & Best Practices

  • PEM headers like -----BEGIN RSA PRIVATE KEY----- indicate PKCS#1 format, while -----BEGIN PRIVATE KEY----- is PKCS#8
  • JWK requires at minimum the 'kty' field. RSA keys need 'n' and 'e'; EC keys need 'crv', 'x', and 'y'
  • The tool automatically adds 'alg' and 'use' fields to JWK output when they can be inferred
  • For maximum security, consider using this tool in an offline environment when converting private keys

Frequently Asked Questions

What key types are supported?

The converter supports RSA keys (PKCS#1 and SPKI/PKCS#8) and EC keys (SEC 1 and SPKI). Both public and private keys can be converted in either direction. Supported curves for EC keys include P-256, P-384, and P-521.

How does the conversion work?

The tool uses the Web Crypto API built into modern browsers. For PEM to JWK, it imports the PEM key using crypto.subtle.importKey and exports it as JWK using crypto.subtle.exportKey. For JWK to PEM, the process is reversed. No data is sent to any server.

Is my private key safe?

Yes. All processing happens entirely in your browser using the Web Crypto API. Your keys are never sent to any server, stored, or transmitted. You can safely convert keys containing sensitive material. For maximum security, consider using this tool offline.

What is the difference between PEM and JWK?

PEM (Privacy-Enhanced Mail) is a Base64-encoded DER format wrapped in header/footer lines like -----BEGIN RSA PRIVATE KEY-----. JWK (JSON Web Key) is a JSON representation of a cryptographic key defined in RFC 7517. JWKs are commonly used in JWT, OAuth 2.0, and OpenID Connect.

What algorithms are supported for the 'alg' field?

For RSA keys, the tool suggests RS256 for signing and RSA-OAEP for encryption. For EC keys, it suggests ES256 (P-256), ES384 (P-384), or ES512 (P-521) depending on the curve. You can override the algorithm in the output JWK.

Related Tools

Base64 EncodeBase64 DecodeJWT DebuggerHMAC Generator