How to generate keys in PEM format using the OpenSSL command line tools?
The Generate ECC Key Pair (OPM, QC3GENECC; ILE, Qc3GenECCKeyPair) API generates a random ECC key pair given a set of domain parameters to be used with elliptic curve cryptographic algorithms such as ECDSA. Information on cryptographic standards can be found in Create Algorithm Context (OPM, QC3CRTAX; ILE, Qc3CreateAlgorithmContext) API.
The JOSE standard recommends a minimum RSA key size of 2048 bits.
To generate a 2048-bit RSA private + public key pair for use in RSxxx and PSxxx signatures:
Elliptic Curve keys
To generate an EC key pair the curve designation must be specified. Note that JOSE ESxxx signatures require P-256, P-384 and P-521 curves (see their corresponding OpenSSL identifiers below).
Elliptic Curve Key Generation
Elliptic Curve private + public key pair for use with ES256 signatures:
Elliptic Curve private + public key pair for use with ES384 signatures:
Elliptic Curve private + public key pair for use with ES512 signatures:
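The RSA and Elliptic Curve key generation described above, as an added example that is not part of the original page. The function names and output file names are assumptions of this example; prime256v1, secp384r1 and secp521r1 are the OpenSSL identifiers for the P-256, P-384 and P-521 curves.

```shell
#!/bin/sh
# Added example: JOSE-compatible key pairs in PEM format with OpenSSL.
# Function names and output file names are assumptions of this example.

# Map a JOSE ES* algorithm to the OpenSSL identifier of its curve.
jose_curve() {
    case "$1" in
        ES256) echo prime256v1 ;;   # NIST P-256
        ES384) echo secp384r1 ;;    # NIST P-384
        ES512) echo secp521r1 ;;    # NIST P-521 (521 bits, not 512)
        *) echo "unsupported algorithm: $1" >&2; return 1 ;;
    esac
}

# gen_rsa DIR: 2048-bit RSA private key plus its public key (RSxxx / PSxxx).
gen_rsa() {
    # umask 077 keeps the private key file readable by its owner only.
    ( umask 077; openssl genrsa -out "$1/rsa-private.pem" 2048 2>/dev/null ) || return 1
    openssl rsa -in "$1/rsa-private.pem" -pubout -out "$1/rsa-public.pem" 2>/dev/null
}

# gen_ec DIR ALG: EC private key on the curve ALG requires, plus its public key.
gen_ec() {
    curve=$(jose_curve "$2") || return 1
    ( umask 077
      openssl ecparam -name "$curve" -genkey -noout -out "$1/$2-private.pem" ) || return 1
    openssl ec -in "$1/$2-private.pem" -pubout -out "$1/$2-public.pem" 2>/dev/null
}

# key_bits FILE: print the size in bits of the private key in FILE.
key_bits() {
    openssl pkey -in "$1" -noout -text |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Demo: generate every key type into a scratch directory and report the sizes.
out=$(mktemp -d)
gen_rsa "$out" && echo "RSA: $(key_bits "$out/rsa-private.pem") bits"
for alg in ES256 ES384 ES512; do
    gen_ec "$out" "$alg" && echo "$alg: $(key_bits "$out/$alg-private.pem") bits"
done
echo "keys written to $out"
```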
PEM key parsing in Java
The BouncyCastle library provides a simple utility to parse PEM-encoded keys in Java, to use them for JWS or JWE later.
For Maven you should include the following BouncyCastle dependencies (where 1.52 is the latest stable version as of May 2015):
Example parsing of a PEM-encoded EC key in Java: