How to generate a JWK representing a self-signed certificate
1 min readJun 9, 2022
This short article shows command lines to generate a key pair in PEM format and a JWK representing a self-signed certificate for the key pair with the x5c claim.
1. Create a private key
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 > private_key.pemNOTE: Be sure that openssl is from OpenSSL, not LibreSSL.
2. Extract the public key from the private key
openssl pkey -pubout -in private_key.pem > public_key.pem3. Generate a self-signed certificate for the key pair
openssl req -x509 -key private_key.pem -subj /CN=client.example.com -days 1000 > certificate.pem4. Convert the format of the public key from PEM to JWK
npm install -g eckleseckles public_key.pem > public_key.jwk
5. Generate a JWK including the certificate
CERT=$(sed /-/d certificate.pem | tr -d \\n)jq ".+{\"x5c\":[\"$CERT\"]}" public_key.jwk > pub+cert.jwk
Output: pub+cert.jwk
{
"kty": "EC",
"crv": "P-256",
"x": "btjiy3sbUjxc4LKyDujKCzgh0Nv0WiVgY5k61-ZRUkI",
"y": "Gck9a3RVmUADrHp2XPBOFxb31QIzUk6KtiWU320Qc2s",
"x5c": [
"MIIBjzCCATWgAwIBAgIUeaASdMyJhml/k/PQ46j9f2XJzPQwCgYIKoZIzj0EAwIwHTEbMBkGA1UEAwwSY2xpZW50LmV4YW1wbGUuY29tMB4XDTIyMDYwOTA0MTE1OVoXDTI1MDMwNTA0MTE1OVowHTEbMBkGA1UEAwwSY2xpZW50LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbtjiy3sbUjxc4LKyDujKCzgh0Nv0WiVgY5k61+ZRUkIZyT1rdFWZQAOsenZc8E4XFvfVAjNSToq2JZTfbRBza6NTMFEwHQYDVR0OBBYEFO4bTj08bx2Xk4SCXcndo4QaMi+yMB8GA1UdIwQYMBaAFO4bTj08bx2Xk4SCXcndo4QaMi+yMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKcCvn43iBxdVzE1JrEfXcEbF9TX6vxwPWyAvCzEHsQjAiBCxSFx59KDRAJys0umzxmpJkWRX1EcJkR1h9tYD8Dn1g=="
]
}