@sidheshwarc
The Apigee X doc explains how to do this over at:
If you are going to use one of the RSXXX algorithms to sign the JWT, you can generate an RSA private/public key pair using openssl like this:
openssl genrsa -out private-key.pem
The openssl command has options for specifying the key size, and also for encrypting the PEM output so that anyone wanting to use the private key (e.g. Apigee) would need a password to decrypt it first.
Ideally, you take the PEM-encoded key and store it in an encrypted KVM in Apigee. Then, you can use the KVM policy to load the private key into a private flow variable, which you can then refer to when generating the signed JWT.
Now, this is only half of the story. If you want anyone to be able to verify your signed JWTs, you will need to provide them the public key associated with your private key.
You can extract the public key with openssl:
openssl rsa -in private-key.pem -pubout > public-key.pem
Also, the general mechanism for publishing public keys (for the purpose of verifying signed JWTs) is to format them as JWKs. There are various online tools you can use that make it easy to generate a JWK from a public key (e.g. https://russelldavies.github.io/jwk-creator/). Once you have the JWK, you can publish it to consumers of your JWTs through Apigee as well.
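The PEM-to-JWK conversion described above can also be done locally. The script below is an added example, not part of the original post and not Apigee code: it parses the `public-key.pem` produced by `openssl rsa -pubout` using only the Python standard library and prints a JWKS document. The function names, the `use`/`alg` defaults and the choice of an RFC 7638 thumbprint as `kid` are assumptions of this example.

```python
import base64, hashlib, json, sys

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER OID for rsaEncryption

def read_tlv(buf, pos, tag):
    """Read one DER element with the given tag at pos; return (value, next_pos)."""
    if buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#04x}, found {buf[pos]:#04x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def b64url(data):
    """base64url without padding, as JWK requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def pem_public_key_to_jwk(pem, alg="RS256"):
    lines = pem.strip().splitlines()
    # Accept only the public half; a private-key PEM must never reach a JWKS.
    if (len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("expected a 'PUBLIC KEY' PEM (openssl rsa -pubout output)")
    spki, _ = read_tlv(base64.b64decode("".join(lines[1:-1])), 0, 0x30)
    algorithm, pos = read_tlv(spki, 0, 0x30)
    if not algorithm.startswith(RSA_OID):
        raise ValueError("not an RSA public key")
    bit_string, _ = read_tlv(spki, pos, 0x03)
    rsa_key, _ = read_tlv(bit_string, 1, 0x30)  # skip the unused-bits byte
    modulus, pos = read_tlv(rsa_key, 0, 0x02)
    exponent, _ = read_tlv(rsa_key, pos, 0x02)
    # DER integers carry a leading 0x00 sign byte; JWK values must not.
    n, e = b64url(modulus.lstrip(b"\x00")), b64url(exponent.lstrip(b"\x00"))
    # kid: RFC 7638 thumbprint (a choice made for this example, not required).
    canonical = json.dumps({"e": e, "kty": "RSA", "n": n},
                           separators=(",", ":"), sort_keys=True)
    kid = b64url(hashlib.sha256(canonical.encode()).digest())
    return {"kty": "RSA", "use": "sig", "alg": alg, "kid": kid, "n": n, "e": e}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "public-key.pem"
    with open(path) as f:
        print(json.dumps({"keys": [pem_public_key_to_jwk(f.read())]}, indent=2))
```

Run it in the directory containing `public-key.pem`, or pass the file path as the first argument.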