A while ago, I was fed up with creating self-signed X.509 certificates just to manage the bare keys used in JOSE processing. There's a lot of extraneous effort that goes into making fake certificate chains that are then dutifully ignored by the application, especially when the JWK format can hold both public and private keys natively already. So we switched our apps over to reading the JWK format instead of X.509, but we still needed something to securely generate the keys themselves. So I created a commandline Java application to generate keys in JWK format (based on the NimbusDS JOSE library):

  https://github.com/mitreid-connect/json-web-key-generator

It's slightly unwieldy to compile and run but it gets the job done. Last night, I wrapped that commandline application with a webapp and made it publicly available:

  https://mkjwk.org/

This simple service will generate a JWK in RSA, EC, or Oct (shared secret) format for you, using Java's cryptographic engine. You can add in the use, kid, and alg parameters, and the results are formatted into easily-copyable JSON. It will even wrap the key in a keyset and pull out the public key separately for you, in case you need those.

We don't log any of the keys being generated by the service, but to be extra safe I would still recommend using a local generation mechanism (like the commandline app above) for production systems.

Finally, I put the code to the site online in the name of transparency:

  https://github.com/mitreid-connect/mkjwk.org

I hope that people can find this useful, and we can start moving off of X.509 for bare key storage in applications. Much thanks to MIT KIT for providing hosting and support.

 -- Justin

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose
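As an added example (not code from json-web-key-generator or mkjwk.org, which are Java), the JWK handling the post describes in Python: an "oct" key drawn from the OS CSPRNG with use/alg/kid set, keys wrapped in a JWK Set, and the public key pulled out of an asymmetric JWK by stripping its private members. Using the RFC 7638 thumbprint as the kid is this example's choice, not something the tool requires; RSA/EC key generation itself is left to a real crypto library.

```python
import base64
import hashlib
import json
import secrets

# Private members per key type (RFC 7518); removing them leaves the public JWK.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "oct": {"k"},  # a shared secret has no public half at all
}
# Members that enter the RFC 7638 thumbprint (required members only).
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint(jwk: dict) -> str:
    """RFC 7638: required members, lexicographic order, no whitespace, SHA-256."""
    members = {m: jwk[m] for m in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def generate_oct_jwk(alg="HS256", use="sig", size_bits=None) -> dict:
    """Generate a shared-secret JWK. Default size equals the HMAC output size,
    the minimum RFC 7518 section 3.2 allows for HS256/384/512."""
    if size_bits is None:
        size_bits = {"HS256": 256, "HS384": 384, "HS512": 512}[alg]
    jwk = {"kty": "oct", "k": b64url(secrets.token_bytes(size_bits // 8))}
    jwk.update({"use": use, "alg": alg, "kid": thumbprint(jwk)})
    return jwk


def public_jwk(jwk: dict):
    """Strip private members; returns None for 'oct', which has no public form."""
    if jwk["kty"] == "oct":
        return None
    return {k: v for k, v in jwk.items() if k not in PRIVATE_MEMBERS[jwk["kty"]]}


def keyset(*jwks: dict) -> dict:
    """Wrap one or more keys in a JWK Set (RFC 7517 section 5)."""
    return {"keys": list(jwks)}
```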
