How to generate a JWT signing keys

6 min readJan 19, 2022

JWT tokens provide a secure way of knowing who shared the information in a token.

Plenty of people have written about what JWT tokens are and what they contain. I wanted to provide easy practical instructions on JWT token generation. This article is part of a series, including:

How to generate a JWT signing keys (this story)
Generating a JWT token in native NodeJS
Decoding and Validating a JWT token in native NodeJS

TL; DR;

Summary of commands for JWT signing keys.

# Generate key
ssh-keygen -t rsa -b 4096 -m PEM -f ./myRSA256.key# Generate public key
openssl rsa -in myRSA256.key -pubout -outform PEM -out myRSA256.key.pub

If you need to test these keys using an unencrypted private key on a site like jwt.io, then you can convert your private key using the following command.

# For testing on sites like jwt.io
openssl pkcs8 -topk8 -inform PEM outform PEM -in myRSA256.key -out myRSA256.pem.key -nocrypt

Step 1 — Generate a RSA signing keys for JWT

Command

ssh-keygen -t rsa -b 4096 -m PEM -f ./myRSA256.key

A brief summary of the above command:

ssh-keygen : This is a tool for generating secure keys as part of OpenSSH key management.

-t rsa : Specifies the type of key to create. A number of options exist, I have found in my travels rsa provides the greatest compatibility. Some systems may require you to use a specific key type.¹

-b 4096 : Specifies the number of bits in the key to create. Generally 3072 is considered sufficient for rsa keys, but the cost of a more complex key is negligible for most tasks, so I use 4096.¹

-m PEM : Specifies the key format for the key generation. We use the PEM option which tell ssh-keygen to generate a (PEM public key). The format is set to PEM when generating private key.¹

-f ./myRSA265.key : Simply tell the command the file to output my key. Removing this options generally tries to save this into the machines standard location ~/.ssh/id_rsa which is not the outcome we want.¹

Output ( powershell windows & mac OS ):

When the command runs you will be prompted to enter your passphrase (twice). Remember this we will use it in the next step and it secures your private key from unauthorized used.

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ./myRSA256.key.
Your public key has been saved in ./myRSA256.key.pub.
The key fingerprint is:
SHA256:HbEBeGu6CZj852WHvBxnPxdvZC5sxH0iKtpRBcwnCLo yourusername@YOURMACHINE
The key's randomart image is:
+---[RSA 4096]----+
|      .o.=+      |
|     .. o +=.    |
|    .  . .oo.    |
|     .  o. o     |
| . oE  oS o  . . |
|  + . .. o  . = =|
|   . . oB +. + B.|
|    . +=.B... = +|
|     oo.+.  .+ o |
+----[SHA256]-----+

My file myRSA256.key generated if you use the passphrase mykey is.

NOTE : your file will not be same because of the random nature of the cypher.

My file myRSA256.key.pub generated if you use the passphrase mykey is. The format of this file is not in the PEM format like the private key above.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7DXLOSZtjloUKhf6TVl/RNyccAFJ1zoCM1Qb57OjNYL+NHo8rzPBYpZ6cdkadT/Pkkg9KJRE77/w/rAXm1q1au14ktIvyFdqf52jmALHbrCIgE2sjdXW1zjfXm++nnLHeFmiSsThS5759OIpruE5Vp43xxc/Y29UrBxCcFK445gGwzcGqyxZpqgEnhwD1BM8gmvJ4JkZEFQqDrua0qjVgyFPcs46LrBhYeq7abcq2ALWEKxv4y5D37R7nEfes7rAzMXJd/6xQb4yaLPjhBnv6JsLektY2k6KM5yk84OlWxY5AQRQdisimITx1sDi5qgRc1RIh22sDcMbtYSJ+CNWa2W65je0mKBKJRqqDEMfsZf3LPXBUSl0yWkGSPHTZC3PZCLbiip5ktyx+DtUXhgQHn6gSxrntQ9di7BuGjUoJTbcFfVKtp3CWIk0IJsf/g2SgYy2HALFzC3Oipw4mt9mRE6SVhbljfV5DeuXdZLowGrgGN+MYp5c/j3ID5e44VLMc6gaV31E2FkHWY56fxIH4m+YzV6EXs8yP0lKYH6sbw64K4Vsw2KDk27yP4a4wLvwSLpOx8WPCn7m8Z/u6/lSBq5+RyAt83HTi3iaRdB15INi9loGEvy64sbxQLp8h7ZJAb3ZSqwUqrznWmMyHtsrucelqxrE9+ewTh0XQGjKGZw== yourusername@YOURMACHINE

Step 2 — Generate public key in JWT format

openssl rsa -in myRSA256.key -pubout -outform PEM -out myRSA256.key.pub# ORopenssl rsa -in myRSA256.key -passin pass:<my passphrase> -pubout -outform PEM -out myRSA256.key.pub

openssl : OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.²

rsa : openssl toolkit works with many key types and crytography. rsa tells the command the following operations are rsa based.³

-in myRSA256.key : Specifies the source key from a file, it can also be sourced from standard input, if chained with other commands.³

-pubout : By default the command will output a private key, with this option a public key is output instead.

-out myRSA256.key.pub :

optional -outform PEM : This is the default option for the command. The PEM format is the familiar format displayed as

 ----- BEGIN object-type -----
 81GivoQ9F1U0Qr+DH3ZfaH8eIkXxT0ToMPJUzWAn8pZv0snA0um6SIgi
 UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
 ----- END object-type -----

Output ( powershell windows & mac OS ):

When the command is run you will be asked to enter the passphrase again, this unlocks the private key generated with the passphrase using the ssh-keygen command above.

Enter pass phrase for myRSA256.key:
writing RSA key

The file myRSA256.key.pub generated if you use the passphrase mykey is :

NOTE : your file will not be same because of the random nature of the cypher.

Optional : Step 3 —Test Keys

An important step is to make sure your keys work the way you expect them to work. Using the above process you can generate a test key (do not use your real keys in testing) on third party sites.

For this test I am going to run the following commands:

# Generate 2 private RSA keys 
ssh-keygen -t rsa -b 4096 -m PEM -f ./testKey1.key
ssh-keygen -t rsa -b 4096 -m PEM -f ./testKey2.key# Generate public keys
openssl rsa -in testKey1.key -pubout -outform PEM -out testKey1.key.pub
openssl rsa -in testKey2.key -pubout -outform PEM -out testKey2.key.pub# Convert Private keys for testing
openssl pkcs8 -topk8 -inform PEM -outform PEM -in testKey1.key -out testKey1.pem.key -nocrypt
openssl pkcs8 -topk8 -inform PEM -outform PEM -in testKey2.key -out testKey2.pem.key -nocrypt

The last command openssl pkcs8 convert the RSA private key with passphrase into a key with no passphrase in a PEM format. This is required for the tools we will test the keys with.

The reason we generate two keys is to show through testing that the keys cannot be interchanged.

I am going to test the keys using two separate external sites:

token.dev and
jwt.io

token.dev :

select the algorithm RS256,
delete the contents of the Public Key field,
copy the testKey1.pem.key file contents into the Private Key field
you will now have a JWT String for your signed token, copy this token.

jwt.io :

paste the token you generated on token.dev into Encoded, the algorithm is read from the token header and automagically set to RSA256 The site will say Invalid Signature because we have not loaded the public key.

copy the testKey.key.pub file contents into the Verify Signature -> Public Key… field.

Testing generated JWT token in jwt.io note the **Signature Verified**

One final test, lets use the public key we generated for testKey2 and make sure it is not a valid signature for testKey1. Copy the testKey2.key.pub into the Verify Signature -> Public Key… field.