How to generate JWT RS256 key
ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key
# Don't add passphrase
openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
cat jwtRS256.key
cat jwtRS256.key.pub

@lyoko17220 lyoko17220 commented Apr 10, 2017

Thanks for this! 👍

@vfeskov vfeskov commented May 21, 2017

thanks!

@darryn02 darryn02 commented Jun 1, 2017

You are using a 4096-bit key... doesn't that make this RS512?

@Limeth Limeth commented Jun 22, 2017

Works flawlessly, thank you very much. :)

@hubertmine hubertmine commented Jul 7, 2017

Thx!

@tangyouze tangyouze commented Jul 25, 2017

2048 should be the correct size for RS256?

ssh-keygen -t rsa -b 2048 -f jwtRS256.key
# Don't add passphrase
openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
cat jwtRS256.key
cat jwtRS256.key.pub

@matrey matrey commented Sep 14, 2017

RSxxx only refers to the SHAxxx hash function. It's not correlated to the RSA key length.

https://tools.ietf.org/html/rfc7518#page-8

      +-------------------+---------------------------------+
      | "alg" Param Value | Digital Signature Algorithm     |
      +-------------------+---------------------------------+
      | RS256             | RSASSA-PKCS1-v1_5 using SHA-256 |
      | RS384             | RSASSA-PKCS1-v1_5 using SHA-384 |
      | RS512             | RSASSA-PKCS1-v1_5 using SHA-512 |
      +-------------------+---------------------------------+

As for the RSA key length, the same RFC states:

A key of size 2048 bits or larger MUST be used with these algorithms.

It seems like 2048 bits is enough for the foreseeable future (2030 horizon)

https://en.wikipedia.org/wiki/Key_size#Asymmetric_algorithm_key_lengths

As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys.
RSA claims that [...] 2048-bit keys are sufficient until 2030.

https://www.yubico.com/2015/02/big-debate-2048-4096-yubicos-stand/

RSA-2048 still has fifteen years of life left before it is considered obsolete. Plenty of time not to be worried now. Just imagine where technology was fifteen years ago!
While it is true that a longer key provides better security, we have shown that by doubling the length of the key from 2048 to 4096, the increase in bits of security is only 18, a mere 16%. Moreover, besides requiring more storage, longer keys also translate into increased CPU usage and higher power consumption.

@joeygreen joeygreen commented Sep 21, 2017

Can you use these two rsa pem files to create a .crt?

I believe the libraries I'm attempting to use in dotnet core are trying to load a cert as an X509 then get the RSA Private key to send into a jwt.Encode method.

I am not able to just use the pem file.

@its-poole its-poole commented Oct 2, 2017

You will find this helpful should you encounter the following using jsonwebtoken:

Error: PEM_read_bio_PUBKEY failed

@abdelhafiddahhani abdelhafiddahhani commented Dec 27, 2017

How can I execute this command in Windows?
$ openssl genrsa -out var/jwt/private.pem -aes256 4096
When I execute this command I get this error ==> 'openssl' is not recognized as an internal command
or external, an executable program or a batch file.

@dotkebi dotkebi commented Jan 17, 2018

thanks!

@jjayaraman jjayaraman commented Apr 18, 2018

Many thanks very helpful. Initially, I missed the second step and the verification failed. Now it's fine.

openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub

@mahdyadi mahdyadi commented Apr 29, 2018

Thank you!

@sammymhowe sammymhowe commented Jun 28, 2018

Thanks!! 💯

@thanachai-t thanachai-t commented Jul 19, 2018

Thanks

@josehbez josehbez commented Jul 24, 2018

Thanks for this!

@Ritin Ritin commented Aug 22, 2018

Thanks for the explanation @matrey
Thanks! @ygotthilf 🥇

@crazyinvitation crazyinvitation commented Sep 3, 2018

This is the error I am getting: JsonWebTokenError invalid algorithm.

const fs = require('fs');
const jwt = require('jsonwebtoken');

const privateKey = fs.readFileSync('jwtRS256.key', 'utf8');
const publicKey = fs.readFileSync('jwtRS256.key.pub', 'utf8');
const payload = { id: 1 }; // sample payload

// no `algorithm` option is passed on sign
const token = jwt.sign({
  data: payload
}, privateKey, { expiresIn: '50000ms' });

// no `algorithms` option is passed on verify either
jwt.verify(token, publicKey, function(err, decoded) {
  // err: JsonWebTokenError: invalid algorithm
});

@thomashzhang thomashzhang commented Sep 7, 2018

@crazyinvitation, this works for me. Have you tried specifying the sign and verify algorithm?

// payload, privateKey and publicKey as in the previous comment; callback is your verify callback
const jwt = require('jsonwebtoken');

// On sign
const signOptions = {
  algorithm: 'RS256'
};
const token = jwt.sign(payload, privateKey, signOptions);

// On verify
const verifyOptions = {
  algorithms: ['RS256']
};
jwt.verify(token, publicKey, verifyOptions, callback);

@gboyegadada gboyegadada commented Sep 9, 2018

If you are using JWT with a Lumen app and you need to specify a private key in your .env file, you can encode it as a base64 string so it can appear as a single line:

Bash

cat jwtRS256.key | base64

.env

.
.
.

JWT_KEY=base64:XXXMYXKEYXASXBASE64o=

@mpatelatIBM mpatelatIBM commented Sep 12, 2018

it worked. Thnx.

@captainju captainju commented Sep 21, 2018

Doesn't work for me:

sh-4.4$ ssh-keygen -t rsa -b 4096 -f jwtRS256.key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in jwtRS256.key.
Your public key has been saved in jwtRS256.key.pub.
The key fingerprint is:
SHA256:o7sFPmVly373UJVLlQ0sym6+YVcKxYsH+gf7dw2reIw user@localhost
The key's randomart image is:
+---[RSA 4096]----+
|             ...+|
|           .. ..+|
|         .+.o. o.|
|         =o= .. o|
|      . S.* o ...|
|     . = +o= o.. |
|      + .o*o= oo.|
|       + .EBo.ooo|
|      o.  oooo ..|
+----[SHA256]-----+
sh-4.4$ openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
unable to load Private Key
140032036131328:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
sh-4.4$

@sookcha sookcha commented Nov 7, 2018

Now it doesn't work, because newer versions of ssh-keygen no longer use PEM as the default key format. It has changed to RFC4716 as the default key format. Thus, I have to set PEM format explicitly:

ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key

This will work 👍

@glynternet glynternet commented Jan 9, 2019

To avoid being prompted for a passphrase, pass -P "" to ssh-keygen

ssh-keygen -t rsa -P "" -b 4096 -m PEM -f jwtRS256.key

@zhangxiangliang zhangxiangliang commented Mar 1, 2019

Thanks

@bentocin bentocin commented Mar 6, 2019

It is also possible to just do it with ssh-keygen:

ssh-keygen -t rsa -P "" -b 4096 -m PEM -f jwtRS256.key
ssh-keygen -e -m PEM -f jwtRS256.key > jwtRS256.key.pub

@liujinliu liujinliu commented Apr 29, 2019

thx

@energister energister commented Jun 1, 2019

It's also possible to generate keys using openssl only:

openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

@abuzarhamza abuzarhamza commented Jun 26, 2019

thanks :)

@ruaanvds ruaanvds commented Oct 10, 2019

Straight to the point - thanks for this.

@MonsterTi MonsterTi commented Nov 4, 2019

thanks

@jcramalho jcramalho commented Dec 9, 2019

This short piece of code/information should be included in JWT packages' documentation...
I was fighting against ssh key formats and this completely solved the problem.
Thanks

@developergoutam developergoutam commented Dec 27, 2019

Thank you 👍

@propatodiya propatodiya commented Apr 11, 2020

ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key

Thanks, it works for me.

@sophiagatliff sophiagatliff commented May 31, 2020

Works perfect! Thank you!!!!!

@70nyIT 70nyIT commented Jul 6, 2020

Thanks!

@subhadeepdas91 subhadeepdas91 commented Jul 21, 2020

How do I convert a multi-line public and private key to a single line
so that it can be put in an environment variable?

@IseeUDenis IseeUDenis commented Sep 10, 2020

Thanks!

@sat0yu sat0yu commented Oct 17, 2020

Thanks🙏

@psych0panda psych0panda commented Nov 24, 2020

Thanks!

@charlygame charlygame commented Dec 17, 2020

Cool! Thanks.

@JorgeSivil JorgeSivil commented Dec 29, 2020

Hello, can JWT work with a passphrased key?

@kimisme9386 kimisme9386 commented Dec 30, 2020

Thanks a lot.

@calebpitan calebpitan commented Jan 6, 2021

Thanks a lot

@profoundpanda profoundpanda commented Jan 20, 2021

Thanks a lot. Super helpful!

@jokermt235 jokermt235 commented Jan 21, 2021

like

@mssoylu mssoylu commented Jan 29, 2021

Thank you for this. You saved me.

@Ruborcalor Ruborcalor commented Feb 19, 2021

Thanks for this! If you want to replace all the new lines with literal \n characters you can use the following awk command: awk -v ORS='\\n' '1' jwtRS256.key. It leaves an extra \n at the end of the line though.
https://stackoverflow.com/questions/38672680/replace-newlines-with-literal-n/38674872

@ratio91 ratio91 commented Mar 2, 2021

It is also possible to just do it with ssh-keygen:

ssh-keygen -t rsa -P "" -b 4096 -m PEM -f jwtRS256.key
ssh-keygen -e -m PEM -f jwtRS256.key > jwtRS256.key.pub

thanks @bentocin, works like a charm!

@hermandinho hermandinho commented Mar 7, 2021

Many Thanks

@prufrock prufrock commented Apr 1, 2021

It is also possible to just do it with ssh-keygen:

ssh-keygen -t rsa -P "" -b 4096 -m PEM -f jwtRS256.key
ssh-keygen -e -m PEM -f jwtRS256.key > jwtRS256.key.pub

Works great for me! Thanks!

@anand-dhage-sp anand-dhage-sp commented Apr 27, 2021

How can I use the RS384 algorithm in the above command to create an RSA public and private key?

@ekundayo-ab ekundayo-ab commented May 28, 2021

It's also possible to generate keys using openssl only:

openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

👍

@jhaoheng jhaoheng commented Jul 8, 2021

Many thanks

@yayen-lin yayen-lin commented Jul 10, 2021

Thanks so much!
I'm sorry, I'm still new to this, but does only the private key go into .gitignore, or do both the public and private key go into .gitignore?

@bentocin bentocin commented Jul 10, 2021

Thanks so much!
I'm sorry, I'm still new to this, but does only the private key go into .gitignore, or do both the public and private key go into .gitignore?

To my best knowledge:

Where you put them depends on your secrets management. We don't put either of them in the repo. This information is rather specific to your deployment and can be considered part of the environment. It is not specific to your application and thus should be treated accordingly.

Depending on your project setup some of the following solutions might be suitable for you:

Another option might be to create them ad-hoc during your deployment.

@yayen-lin yayen-lin commented Jul 11, 2021

Hi @bentocin,

Thanks again for the detailed answer. I looked up a few posts on the internet and your answer makes sense to me now.
I decided to not put either of it in the repo.
Really appreciate your help and solutions!
