diff --git a/CHANGELOG.md b/CHANGELOG.md
index abceeda3..a15b015e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,9 @@ All major and minor version changes will be documented in this file. Details of
 
 ## Details
 
+### [10.16.0] - 2024-04-12
+- Added 'JA4Server Fingerprint' operation [@n1474335] | [#1789]
+
 ### [10.15.0] - 2024-04-02
 - Fix Ciphersaber2 key concatenation [@zb3] | [#1765]
 - Fix DeriveEVPKey's array parsing [@zb3] | [#1767]
@@ -418,6 +421,7 @@ All major and minor version changes will be documented in this file. Details of
 ## [4.0.0] - 2016-11-28
 -  Initial open source commit [@n1474335] | [b1d73a72](https://github.com/gchq/CyberChef/commit/b1d73a725dc7ab9fb7eb789296efd2b7e4b08306)
 
+[10.16.0]: https://github.com/gchq/CyberChef/releases/tag/v10.16.0
 [10.15.0]: https://github.com/gchq/CyberChef/releases/tag/v10.15.0
 [10.14.0]: https://github.com/gchq/CyberChef/releases/tag/v10.14.0
 [10.13.0]: https://github.com/gchq/CyberChef/releases/tag/v10.13.0
@@ -744,3 +748,5 @@ All major and minor version changes will be documented in this file. Details of
 [#1504]: https://github.com/gchq/CyberChef/issues/1504
 [#512]: https://github.com/gchq/CyberChef/issues/512
 [#1732]: https://github.com/gchq/CyberChef/issues/1732
+[#1789]: https://github.com/gchq/CyberChef/issues/1789
+
diff --git a/package-lock.json b/package-lock.json
index 20935e27..caa403d3 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "cyberchef",
-  "version": "10.15.1",
+  "version": "10.16.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "cyberchef",
-      "version": "10.15.1",
+      "version": "10.16.0",
       "hasInstallScript": true,
       "license": "Apache-2.0",
       "dependencies": {
diff --git a/package.json b/package.json
index c623c647..6fb02475 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "cyberchef",
-  "version": "10.15.1",
+  "version": "10.16.0",
   "description": "The Cyber Swiss Army Knife for encryption, encoding, compression and data analysis.",
   "author": "n1474335 <n1474335@gmail.com>",
   "homepage": "https://gchq.github.io/CyberChef",
diff --git a/src/core/config/Categories.json b/src/core/config/Categories.json
index 8f8a14f9..f0624fc7 100644
--- a/src/core/config/Categories.json
+++ b/src/core/config/Categories.json
@@ -168,6 +168,8 @@
             "Hex to PEM",
             "Hex to Object Identifier",
             "Object Identifier to Hex",
+            "PEM to JWK",
+            "JWK to PEM",
             "Generate PGP Key Pair",
             "PGP Encrypt",
             "PGP Decrypt",
@@ -180,7 +182,9 @@
             "RSA Encrypt",
             "RSA Decrypt",
             "Parse SSH Host Key",
-            "Parse CSR"
+            "Parse CSR",
+            "Public Key from Certificate",
+            "Public Key from Private Key"
         ]
     },
     {
@@ -238,6 +242,7 @@
             "JA3 Fingerprint",
             "JA3S Fingerprint",
             "JA4 Fingerprint",
+            "JA4Server Fingerprint",
             "HASSH Client Fingerprint",
             "HASSH Server Fingerprint",
             "Format MAC addresses",
diff --git a/src/core/lib/JA4.mjs b/src/core/lib/JA4.mjs
index b0b423a2..5e606f46 100644
--- a/src/core/lib/JA4.mjs
+++ b/src/core/lib/JA4.mjs
@@ -25,6 +25,9 @@ export function toJA4(bytes) {
     let tlsr = {};
     try {
         tlsr = parseTLSRecord(bytes);
+        if (tlsr.handshake.value.handshakeType.value !== 0x01) {
+            throw new Error();
+        }
     } catch (err) {
         throw new OperationError("Data is not a valid TLS Client Hello. QUIC is not yet supported.\n" + err);
     }
@@ -48,16 +51,7 @@ export function toJA4(bytes) {
             break;
         }
     }
-    switch (version) {
-        case 0x0304: version = "13"; break; // TLS 1.3
-        case 0x0303: version = "12"; break; // TLS 1.2
-        case 0x0302: version = "11"; break; // TLS 1.1
-        case 0x0301: version = "10"; break; // TLS 1.0
-        case 0x0300: version = "s3"; break; // SSL 3.0
-        case 0x0200: version = "s2"; break; // SSL 2.0
-        case 0x0100: version = "s1"; break; // SSL 1.0
-        default: version = "00"; // Unknown
-    }
+    version = tlsVersionMapper(version);
 
     /* SNI
         If the SNI extension (0x0000) exists, then the destination of the connection is a domain, or “d” in the fingerprint.
@@ -99,6 +93,7 @@ export function toJA4(bytes) {
         if (ext.type.value === "application_layer_protocol_negotiation") {
             alpn = parseFirstALPNValue(ext.value.data);
             alpn = alpn.charAt(0) + alpn.charAt(alpn.length - 1);
+            if (alpn.charCodeAt(0) > 127) alpn = "99";
             break;
         }
     }
@@ -164,3 +159,106 @@ export function toJA4(bytes) {
         "JA4_ro": `${ptype}${version}${sni}${cipherLen}${extLen}${alpn}_${originalCiphersRaw}_${originalExtensionsRaw}`,
     };
 }
+
+
+/**
+ * Calculate the JA4Server from a given TLS Server Hello Stream
+ * @param {Uint8Array} bytes
+ * @returns {string}
+ */
+export function toJA4S(bytes) {
+    let tlsr = {};
+    try {
+        tlsr = parseTLSRecord(bytes);
+        if (tlsr.handshake.value.handshakeType.value !== 0x02) {
+            throw new Error();
+        }
+    } catch (err) {
+        throw new OperationError("Data is not a valid TLS Server Hello. QUIC is not yet supported.\n" + err);
+    }
+
+    /* QUIC
+        “q” or “t”, which denotes whether the hello packet is for QUIC or TCP.
+        TODO: Implement QUIC
+    */
+    const ptype = "t";
+
+    /* TLS Version
+        TLS version is shown in 3 different places. If extension 0x002b exists (supported_versions), then the version
+        is the highest value in the extension. Remember to ignore GREASE values. If the extension doesn’t exist, then
+        the TLS version is the value of the Protocol Version. Handshake version (located at the top of the packet)
+        should be ignored.
+    */
+    let version = tlsr.version.value;
+    for (const ext of tlsr.handshake.value.extensions.value) {
+        if (ext.type.value === "supported_versions") {
+            version = parseHighestSupportedVersion(ext.value.data);
+            break;
+        }
+    }
+    version = tlsVersionMapper(version);
+
+    /* Number of Extensions
+        2 character number of cipher suites, so if there’s 6 cipher suites in the hello packet, then the value should be “06”.
+        If there’s > 99, which there should never be, then output “99”.
+    */
+    let extLen = tlsr.handshake.value.extensions.value.length;
+    extLen = extLen > 99 ? "99" : extLen.toString().padStart(2, "0");
+
+    /* ALPN Extension Chosen Value
+        The first and last characters of the ALPN (Application-Layer Protocol Negotiation) first value.
+        If there are no ALPN values or no ALPN extension then we print “00” as the value in the fingerprint.
+    */
+    let alpn = "00";
+    for (const ext of tlsr.handshake.value.extensions.value) {
+        if (ext.type.value === "application_layer_protocol_negotiation") {
+            alpn = parseFirstALPNValue(ext.value.data);
+            alpn = alpn.charAt(0) + alpn.charAt(alpn.length - 1);
+            if (alpn.charCodeAt(0) > 127) alpn = "99";
+            break;
+        }
+    }
+
+    /* Chosen Cipher
+        The hex value of the chosen cipher suite
+    */
+    const cipher = toHexFast(tlsr.handshake.value.cipherSuite.data);
+
+    /* Extension hash
+        A 12 character truncated sha256 hash of the list of extensions.
+        The extension list is created using the 4 character hex values of the extensions, lower case, comma delimited.
+    */
+    const extensionsList = [];
+    for (const ext of tlsr.handshake.value.extensions.value) {
+        extensionsList.push(toHexFast(ext.type.data));
+    }
+    const extensionsRaw = extensionsList.join(",");
+    const extensionsHash = runHash(
+        "sha256",
+        Utils.strToArrayBuffer(extensionsRaw)
+    ).substring(0, 12);
+
+    return {
+        "JA4S":    `${ptype}${version}${extLen}${alpn}_${cipher}_${extensionsHash}`,
+        "JA4S_r":  `${ptype}${version}${extLen}${alpn}_${cipher}_${extensionsRaw}`,
+    };
+}
+
+
+/**
+ * Takes a TLS version value and returns a JA4 TLS version string
+ * @param {Uint8Array} version - Two byte array of version number
+ * @returns {string}
+ */
+function tlsVersionMapper(version) {
+    switch (version) {
+        case 0x0304: return "13"; // TLS 1.3
+        case 0x0303: return "12"; // TLS 1.2
+        case 0x0302: return "11"; // TLS 1.1
+        case 0x0301: return "10"; // TLS 1.0
+        case 0x0300: return "s3"; // SSL 3.0
+        case 0x0200: return "s2"; // SSL 2.0
+        case 0x0100: return "s1"; // SSL 1.0
+        default: return "00"; // Unknown
+    }
+}
diff --git a/src/core/lib/TLS.mjs b/src/core/lib/TLS.mjs
index e3f18eb3..6373bfa2 100644
--- a/src/core/lib/TLS.mjs
+++ b/src/core/lib/TLS.mjs
@@ -70,13 +70,11 @@ function parseHandshake(bytes) {
 
     // Handshake type
     h.handshakeType = {
-        description: "Client Hello",
+        description: "Handshake Type",
         length: 1,
         data: b.getBytes(1),
         value: s.readInt(1)
     };
-    if (h.handshakeType.value !== 0x01)
-        throw new OperationError("Not a Client Hello.");
 
     // Handshake length
     h.handshakeLength = {
@@ -86,8 +84,33 @@ function parseHandshake(bytes) {
         value: s.readInt(3)
     };
     if (s.length !== h.handshakeLength.value + 4)
-        throw new OperationError("Not enough data in Client Hello.");
+        throw new OperationError("Not enough data in Handshake message.");
 
+
+    switch (h.handshakeType.value) {
+        case 0x01:
+            h.handshakeType.description = "Client Hello";
+            parseClientHello(s, b, h);
+            break;
+        case 0x02:
+            h.handshakeType.description = "Server Hello";
+            parseServerHello(s, b, h);
+            break;
+        default:
+            throw new OperationError("Not a known handshake message.");
+    }
+
+    return h;
+}
+
+/**
+ * Parse a TLS Client Hello
+ * @param {Stream} s
+ * @param {Stream} b
+ * @param {Object} h
+ * @returns {JSON}
+ */
+function parseClientHello(s, b, h) {
     // Hello version
     h.helloVersion = {
         description: "Client Hello Version",
@@ -171,6 +194,79 @@ function parseHandshake(bytes) {
     return h;
 }
 
+/**
+ * Parse a TLS Server Hello
+ * @param {Stream} s
+ * @param {Stream} b
+ * @param {Object} h
+ * @returns {JSON}
+ */
+function parseServerHello(s, b, h) {
+    // Hello version
+    h.helloVersion = {
+        description: "Server Hello Version",
+        length: 2,
+        data: b.getBytes(2),
+        value: s.readInt(2)
+    };
+
+    // Random
+    h.random = {
+        description: "Server Random",
+        length: 32,
+        data: b.getBytes(32),
+        value: s.getBytes(32)
+    };
+
+    // Session ID Length
+    h.sessionIDLength = {
+        description: "Session ID Length",
+        length: 1,
+        data: b.getBytes(1),
+        value: s.readInt(1)
+    };
+
+    // Session ID
+    h.sessionID = {
+        description: "Session ID",
+        length: h.sessionIDLength.value,
+        data: b.getBytes(h.sessionIDLength.value),
+        value: s.getBytes(h.sessionIDLength.value)
+    };
+
+    // Cipher Suite
+    h.cipherSuite = {
+        description: "Selected Cipher Suite",
+        length: 2,
+        data: b.getBytes(2),
+        value: CIPHER_SUITES_LOOKUP[s.readInt(2)] || "Unknown"
+    };
+
+    // Compression Method
+    h.compressionMethod = {
+        description: "Selected Compression Method",
+        length: 1,
+        data: b.getBytes(1),
+        value: s.readInt(1) // TODO: Compression method name here
+    };
+
+    // Extensions Length
+    h.extensionsLength = {
+        description: "Extensions Length",
+        length: 2,
+        data: b.getBytes(2),
+        value: s.readInt(2)
+    };
+
+    // Extensions
+    h.extensions = {
+        description: "Extensions",
+        length: h.extensionsLength.value,
+        data: b.getBytes(h.extensionsLength.value),
+        value: parseExtensions(s.getBytes(h.extensionsLength.value))
+    };
+}
+
 /**
  * Parse Cipher Suites
  * @param {Uint8Array} bytes
@@ -748,6 +844,11 @@ export const GREASE_VALUES = [
 export function parseHighestSupportedVersion(bytes) {
     const s = new Stream(bytes);
 
+    // The Server Hello supported_versions extension simply contains the chosen version
+    if (s.length === 2) {
+        return s.readInt(2);
+    }
+
     // Length
     let i = s.readInt(1);
 
diff --git a/src/core/operations/JA4ServerFingerprint.mjs b/src/core/operations/JA4ServerFingerprint.mjs
new file mode 100644
index 00000000..662285a8
--- /dev/null
+++ b/src/core/operations/JA4ServerFingerprint.mjs
@@ -0,0 +1,66 @@
+/**
+ * @author n1474335 [n1474335@gmail.com]
+ * @copyright Crown Copyright 2024
+ * @license Apache-2.0
+ */
+
+import Operation from "../Operation.mjs";
+import Utils from "../Utils.mjs";
+import {toJA4S} from "../lib/JA4.mjs";
+
+/**
+ * JA4Server Fingerprint operation
+ */
+class JA4ServerFingerprint extends Operation {
+
+    /**
+     * JA4ServerFingerprint constructor
+     */
+    constructor() {
+        super();
+
+        this.name = "JA4Server Fingerprint";
+        this.module = "Crypto";
+        this.description = "Generates a JA4Server Fingerprint (JA4S) to help identify TLS servers or sessions based on hashing together values from the Server Hello.<br><br>Input: A hex stream of the TLS or QUIC Server Hello packet application layer.";
+        this.infoURL = "https://medium.com/foxio/ja4-network-fingerprinting-9376fe9ca637";
+        this.inputType = "string";
+        this.outputType = "string";
+        this.args = [
+            {
+                name: "Input format",
+                type: "option",
+                value: ["Hex", "Base64", "Raw"]
+            },
+            {
+                name: "Output format",
+                type: "option",
+                value: ["JA4S", "JA4S Raw", "Both"]
+            }
+        ];
+    }
+
+    /**
+     * @param {string} input
+     * @param {Object[]} args
+     * @returns {string}
+     */
+    run(input, args) {
+        const [inputFormat, outputFormat] = args;
+        input = Utils.convertToByteArray(input, inputFormat);
+        const ja4s = toJA4S(new Uint8Array(input));
+
+        // Output
+        switch (outputFormat) {
+            case "JA4S":
+                return ja4s.JA4S;
+            case "JA4S Raw":
+                return ja4s.JA4S_r;
+            case "Both":
+            default:
+                return `JA4S:   ${ja4s.JA4S}\nJA4S_r: ${ja4s.JA4S_r}`;
+        }
+    }
+
+}
+
+export default JA4ServerFingerprint;
diff --git a/src/core/operations/JWKToPem.mjs b/src/core/operations/JWKToPem.mjs
new file mode 100644
index 00000000..c8c00270
--- /dev/null
+++ b/src/core/operations/JWKToPem.mjs
@@ -0,0 +1,80 @@
+/**
+ * @author cplussharp
+ * @copyright Crown Copyright 2021
+ * @license Apache-2.0
+ */
+
+import r from "jsrsasign";
+import Operation from "../Operation.mjs";
+import OperationError from "../errors/OperationError.mjs";
+
+/**
+ * PEM to JWK operation
+ */
+class PEMToJWK extends Operation {
+
+    /**
+     * PEMToJWK constructor
+     */
+    constructor() {
+        super();
+
+        this.name = "JWK to PEM";
+        this.module = "PublicKey";
+        this.description = "Converts Keys in JSON Web Key format to PEM format (PKCS#8).";
+        this.infoURL = "https://datatracker.ietf.org/doc/html/rfc7517";
+        this.inputType = "string";
+        this.outputType = "string";
+        this.args = [];
+        this.checks = [
+            {
+                "pattern": "\"kty\":\\s*\"(EC|RSA)\"",
+                "flags": "gm",
+                "args": []
+            }
+        ];
+    }
+
+    /**
+     * @param {string} input
+     * @param {Object[]} args
+     * @returns {string}
+     */
+    run(input, args) {
+        const inputJson = JSON.parse(input);
+
+        let keys = [];
+        if (Array.isArray(inputJson)) {
+            // list of keys => transform all keys
+            keys = inputJson;
+        } else if (Array.isArray(inputJson.keys)) {
+            // JSON Web Key Set => transform all keys
+            keys = inputJson.keys;
+        } else if (typeof inputJson === "object") {
+            // single key
+            keys.push(inputJson);
+        } else {
+            throw new OperationError("Input is not a JSON Web Key");
+        }
+
+        let output = "";
+        for (let i=0; i<keys.length; i++) {
+            const jwk = keys[i];
+            if (typeof jwk.kty !== "string") {
+                throw new OperationError("Invalid JWK format");
+            } else if ("|RSA|EC|".indexOf(jwk.kty) === -1) {
+                throw new OperationError(`Unsupported JWK key type '${inputJson.kty}'`);
+            }
+
+            const key = r.KEYUTIL.getKey(jwk);
+            const pem = key.isPrivate ? r.KEYUTIL.getPEM(key, "PKCS8PRV") : r.KEYUTIL.getPEM(key);
+
+            // PEM ends with '\n', so a new key always starts on a new line
+            output += pem;
+        }
+
+        return output;
+    }
+}
+
+export default PEMToJWK;
diff --git a/src/core/operations/PEMToJWK.mjs b/src/core/operations/PEMToJWK.mjs
new file mode 100644
index 00000000..61fde371
--- /dev/null
+++ b/src/core/operations/PEMToJWK.mjs
@@ -0,0 +1,88 @@
+/**
+ * @author cplussharp
+ * @copyright Crown Copyright 2021
+ * @license Apache-2.0
+ */
+
+import r from "jsrsasign";
+import Operation from "../Operation.mjs";
+import OperationError from "../errors/OperationError.mjs";
+
+/**
+ * PEM to JWK operation
+ */
+class PEMToJWK extends Operation {
+
+    /**
+     * PEMToJWK constructor
+     */
+    constructor() {
+        super();
+
+        this.name = "PEM to JWK";
+        this.module = "PublicKey";
+        this.description = "Converts Keys in PEM format to a JSON Web Key format.";
+        this.infoURL = "https://datatracker.ietf.org/doc/html/rfc7517";
+        this.inputType = "string";
+        this.outputType = "string";
+        this.args = [];
+        this.checks = [
+            {
+                "pattern": "-----BEGIN ((RSA |EC )?(PRIVATE|PUBLIC) KEY|CERTIFICATE)-----",
+                "args": []
+            }
+        ];
+    }
+
+    /**
+     * @param {string} input
+     * @param {Object[]} args
+     * @returns {string}
+     */
+    run(input, args) {
+        let output = "";
+        let match;
+        const regex = /-----BEGIN ([A-Z][A-Z ]+[A-Z])-----/g;
+        while ((match = regex.exec(input)) !== null) {
+            // find corresponding end tag
+            const indexBase64 = match.index + match[0].length;
+            const header = input.substring(match.index, indexBase64);
+            const footer = `-----END ${match[1]}-----`;
+            const indexFooter = input.indexOf(footer, indexBase64);
+            if (indexFooter === -1) {
+                throw new OperationError(`PEM footer '${footer}' not found`);
+            }
+
+            const pem = input.substring(match.index, indexFooter + footer.length);
+            if (match[1].indexOf("KEY") !== -1) {
+                if (header === "-----BEGIN RSA PUBLIC KEY-----") {
+                    throw new OperationError("Unsupported RSA public key format. Only PKCS#8 is supported.");
+                }
+
+                const key = r.KEYUTIL.getKey(pem);
+                if (key.type === "DSA") {
+                    throw new OperationError("DSA keys are not supported for JWK");
+                }
+                const jwk = r.KEYUTIL.getJWKFromKey(key);
+                if (output.length > 0) {
+                    output += "\n";
+                }
+                output += JSON.stringify(jwk);
+            } else if (match[1] === "CERTIFICATE") {
+                const cert = new r.X509();
+                cert.readCertPEM(pem);
+                const key = cert.getPublicKey();
+                const jwk = r.KEYUTIL.getJWKFromKey(key);
+                if (output.length > 0) {
+                    output += "\n";
+                }
+                output += JSON.stringify(jwk);
+            } else {
+                throw new OperationError(`Unsupported PEM type '${match[1]}'`);
+            }
+        }
+        return output;
+    }
+}
+
+export default PEMToJWK;
diff --git a/src/core/operations/PubKeyFromCert.mjs b/src/core/operations/PubKeyFromCert.mjs
new file mode 100644
index 00000000..0233b04a
--- /dev/null
+++ b/src/core/operations/PubKeyFromCert.mjs
@@ -0,0 +1,68 @@
+/**
+ * @author cplussharp
+ * @copyright Crown Copyright 2023
+ * @license Apache-2.0
+ */
+
+import r from "jsrsasign";
+import Operation from "../Operation.mjs";
+import OperationError from "../errors/OperationError.mjs";
+
+/**
+ * Public Key from Certificate operation
+ */
+class PubKeyFromCert extends Operation {
+
+    /**
+     * PubKeyFromCert constructor
+     */
+    constructor() {
+        super();
+
+        this.name = "Public Key from Certificate";
+        this.module = "PublicKey";
+        this.description = "Extracts the Public Key from a Certificate.";
+        this.infoURL = "https://en.wikipedia.org/wiki/X.509";
+        this.inputType = "string";
+        this.outputType = "string";
+        this.args = [];
+        this.checks = [];
+    }
+
+    /**
+     * @param {string} input
+     * @param {Object[]} args
+     * @returns {string}
+     */
+    run(input, args) {
+        let output = "";
+        let match;
+        const regex = /-----BEGIN CERTIFICATE-----/g;
+        while ((match = regex.exec(input)) !== null) {
+            // find corresponding end tag
+            const indexBase64 = match.index + match[0].length;
+            const footer = "-----END CERTIFICATE-----";
+            const indexFooter = input.indexOf(footer, indexBase64);
+            if (indexFooter === -1) {
+                throw new OperationError(`PEM footer '${footer}' not found`);
+            }
+
+            const certPem = input.substring(match.index, indexFooter + footer.length);
+            const cert = new r.X509();
+            cert.readCertPEM(certPem);
+            let pubKey;
+            try {
+                pubKey = cert.getPublicKey();
+            } catch {
+                throw new OperationError("Unsupported public key type");
+            }
+            const pubKeyPem = r.KEYUTIL.getPEM(pubKey);
+
+            // PEM ends with '\n', so a new key always starts on a new line
+            output += pubKeyPem;
+        }
+        return output;
+    }
+}
+
+export default PubKeyFromCert;
diff --git a/src/core/operations/PubKeyFromPrivKey.mjs b/src/core/operations/PubKeyFromPrivKey.mjs
new file mode 100644
index 00000000..5a08882b
--- /dev/null
+++ b/src/core/operations/PubKeyFromPrivKey.mjs
@@ -0,0 +1,82 @@
+/**
+ * @author cplussharp
+ * @copyright Crown Copyright 2023
+ * @license Apache-2.0
+ */
+
+import r from "jsrsasign";
+import Operation from "../Operation.mjs";
+import OperationError from "../errors/OperationError.mjs";
+
+/**
+ * Public Key from Private Key operation
+ */
+class PubKeyFromPrivKey extends Operation {
+
+    /**
+     * PubKeyFromPrivKey constructor
+     */
+    constructor() {
+        super();
+
+        this.name = "Public Key from Private Key";
+        this.module = "PublicKey";
+        this.description = "Extracts the Public Key from a Private Key.";
+        this.infoURL = "https://en.wikipedia.org/wiki/PKCS_8";
+        this.inputType = "string";
+        this.outputType = "string";
+        this.args = [];
+        this.checks = [];
+    }
+
+    /**
+     * @param {string} input
+     * @param {Object[]} args
+     * @returns {string}
+     */
+    run(input, args) {
+        let output = "";
+        let match;
+        const regex = /-----BEGIN ((RSA |EC |DSA )?PRIVATE KEY)-----/g;
+        while ((match = regex.exec(input)) !== null) {
+            // find corresponding end tag
+            const indexBase64 = match.index + match[0].length;
+            const footer = `-----END ${match[1]}-----`;
+            const indexFooter = input.indexOf(footer, indexBase64);
+            if (indexFooter === -1) {
+                throw new OperationError(`PEM footer '${footer}' not found`);
+            }
+
+            const privKeyPem = input.substring(match.index, indexFooter + footer.length);
+            let privKey;
+            try {
+                privKey = r.KEYUTIL.getKey(privKeyPem);
+            } catch (err) {
+                throw new OperationError(`Unsupported key type: ${err}`);
+            }
+            let pubKey;
+            if (privKey.type && privKey.type === "EC") {
+                pubKey = new r.KJUR.crypto.ECDSA({ curve: privKey.curve });
+                pubKey.setPublicKeyHex(privKey.generatePublicKeyHex());
+            } else if (privKey.type && privKey.type === "DSA") {
+                if (!privKey.y) {
+                    throw new OperationError(`DSA Private Key in PKCS#8 is not supported`);
+                }
+                pubKey = new r.KJUR.crypto.DSA();
+                pubKey.setPublic(privKey.p, privKey.q, privKey.g, privKey.y);
+            } else if (privKey.n && privKey.e) {
+                pubKey = new r.RSAKey();
+                pubKey.setPublic(privKey.n, privKey.e);
+            } else {
+                throw new OperationError(`Unsupported key type`);
+            }
+            const pubKeyPem = r.KEYUTIL.getPEM(pubKey);
+
+            // PEM ends with '\n', so a new key always starts on a new line
+            output += pubKeyPem;
+        }
+        return output;
+    }
+}
+
+export default PubKeyFromPrivKey;
diff --git a/src/web/HTMLOperation.mjs b/src/web/HTMLOperation.mjs
index ae61b58d..30cfd1d9 100755
--- a/src/web/HTMLOperation.mjs
+++ b/src/web/HTMLOperation.mjs
@@ -85,6 +85,7 @@ class HTMLOperation {
         <div class="recip-icons">
             <i class="material-icons breakpoint" title="Set breakpoint" break="false" data-help-title="Setting breakpoints" data-help="Setting a breakpoint on an operation will cause execution of the Recipe to pause when it reaches that operation.">pause</i>
             <i class="material-icons disable-icon" title="Disable operation" disabled="false" data-help-title="Disabling operations" data-help="Disabling an operation will prevent it from being executed when the Recipe is baked. Execution will skip over the disabled operation and continue with subsequent operations.">not_interested</i>
+            <i class="material-icons hide-args-icon" title="Hide operation's arguments" hide-args="false" data-help-title="Hide operation's arguments" data-help="Hiding an operation's argument will save space in the Recipe window. Execution will still take place with the selected argument options.">keyboard_arrow_up</i>
         </div>
         <div class="clearfix">&nbsp;</div>`;
 
diff --git a/src/web/Manager.mjs b/src/web/Manager.mjs
index b02a7eee..b188b3b9 100755
--- a/src/web/Manager.mjs
+++ b/src/web/Manager.mjs
@@ -139,6 +139,7 @@ class Manager {
         document.getElementById("load-delete-button").addEventListener("click", this.controls.loadDeleteClick.bind(this.controls));
         document.getElementById("load-name").addEventListener("change", this.controls.loadNameChange.bind(this.controls));
         document.getElementById("load-button").addEventListener("click", this.controls.loadButtonClick.bind(this.controls));
+        document.getElementById("hide-icon").addEventListener("click", this.controls.hideRecipeArgsClick.bind(this.recipe));
         document.getElementById("support").addEventListener("click", this.controls.supportButtonClick.bind(this.controls));
         this.addMultiEventListeners("#save-texts textarea", "keyup paste", this.controls.saveTextChange, this.controls);
 
@@ -154,6 +155,7 @@ class Manager {
         // Recipe
         this.addDynamicListener(".arg:not(select)", "input", this.recipe.ingChange, this.recipe);
         this.addDynamicListener(".arg[type=checkbox], .arg[type=radio], select.arg", "change", this.recipe.ingChange, this.recipe);
+        this.addDynamicListener(".hide-args-icon", "click", this.recipe.hideArgsClick, this.recipe);
         this.addDynamicListener(".disable-icon", "click", this.recipe.disableClick, this.recipe);
         this.addDynamicListener(".breakpoint", "click", this.recipe.breakpointClick, this.recipe);
         this.addDynamicListener("#rec-list li.operation", "dblclick", this.recipe.operationDblclick, this.recipe);
diff --git a/src/web/html/index.html b/src/web/html/index.html
index 34c71d24..baeec278 100755
--- a/src/web/html/index.html
+++ b/src/web/html/index.html
@@ -181,6 +181,9 @@
                     <div class="title no-select">
                         Recipe
                         <span class="pane-controls hide-on-maximised-output">
+                            <button type="button" aria-label="Hide arguments" class="btn btn-primary bmd-btn-icon" id="hide-icon" data-toggle="tooltip" title="Hide arguments" hide-args="false" data-help-title="Hiding every Operation's argument view in a Recipe" data-help="Clicking 'Hide arguments' will hide all the argument views for every Operation in the Recipe, to save space when you have too many Operation in your Recipe">
+                                <i class="material-icons">keyboard_arrow_up</i>
+                            </button>
                             <button type="button" aria-label="Save recipe" class="btn btn-primary bmd-btn-icon" id="save" data-toggle="tooltip" title="Save recipe" data-help-title="Saving a recipe" data-help="<p>Recipes can be represented in a few different formats and saved for use at a later date. You can either copy the Recipe configuration and save it somewhere offline for later use, or use your browser's local storage.</p><ul><li><b>Deep link:</b> The easiest way to share a CyberChef Recipe is to copy the deep link, either from the address bar (which is updated as the Recipe or Input changes), or from the 'Save recipe' pane. When you visit this link, the Recipe and Input should be populated from where you left off.</li><li><b>Chef format:</b> This custom format is designed to be compact and easily readable. It is the format used in CyberChef's URL, so it largely uses characters that do not have to be escaped in URL encoding, making it a little easier to understand what a CyberChef URL contains.</li><li><b>Clean JSON:</b> This JSON format uses whitespace and indentation in a way that makes the Recipe easy to read.</li><li><b>Compact JSON:</b> This is the most compact way that the Recipe can be represented in JSON.</li><li><b>Local storage:</b> Alternatively, you can enter a name into the 'Recipe name' field and save to your browser's local storage. The Recipe will then be available to load from the 'Load Recipe' pane as long as you are using the same browser profile. Be aware that if your browser profile is cleaned, you may lose this data.</li></ul>">
                                 <i class="material-icons" aria-hidden="true">save</i>
                             </button>
diff --git a/src/web/waiters/ControlsWaiter.mjs b/src/web/waiters/ControlsWaiter.mjs
index 660a7ec5..d1de20e8 100755
--- a/src/web/waiters/ControlsWaiter.mjs
+++ b/src/web/waiters/ControlsWaiter.mjs
@@ -345,6 +345,36 @@ class ControlsWaiter {
     }
 
 
+    /**
+     * Hides the arguments for all the operations in the current recipe.
+     */
+    hideRecipeArgsClick() {
+        const icon = document.getElementById("hide-icon");
+
+        if (icon.getAttribute("hide-args") === "false") {
+            icon.setAttribute("hide-args", "true");
+            icon.setAttribute("data-original-title", "Show arguments");
+            icon.children[0].innerText = "keyboard_arrow_down";
+            Array.from(document.getElementsByClassName("hide-args-icon")).forEach(function(item) {
+                item.setAttribute("hide-args", "true");
+                item.innerText = "keyboard_arrow_down";
+                item.classList.add("hide-args-selected");
+                item.parentNode.previousElementSibling.style.display = "none";
+            });
+        } else {
+            icon.setAttribute("hide-args", "false");
+            icon.setAttribute("data-original-title", "Hide arguments");
+            icon.children[0].innerText = "keyboard_arrow_up";
+            Array.from(document.getElementsByClassName("hide-args-icon")).forEach(function(item) {
+                item.setAttribute("hide-args", "false");
+                item.innerText = "keyboard_arrow_up";
+                item.classList.remove("hide-args-selected");
+                item.parentNode.previousElementSibling.style.display = "grid";
+            });
+        }
+    }
+
+
     /**
      * Populates the bug report information box with useful technical info.
      *
diff --git a/src/web/waiters/RecipeWaiter.mjs b/src/web/waiters/RecipeWaiter.mjs
index 42e763b0..3f5aa302 100755
--- a/src/web/waiters/RecipeWaiter.mjs
+++ b/src/web/waiters/RecipeWaiter.mjs
@@ -215,6 +215,45 @@ class RecipeWaiter {
         window.dispatchEvent(this.manager.statechange);
     }
 
+    /**
+     * Handler for hide-args click events.
+     * Updates the icon status.
+     *
+     * @fires Manager#statechange
+     * @param {event} e
+     */
+    hideArgsClick(e) {
+        const icon = e.target;
+
+        if (icon.getAttribute("hide-args") === "false") {
+            icon.setAttribute("hide-args", "true");
+            icon.innerText = "keyboard_arrow_down";
+            icon.classList.add("hide-args-selected");
+            icon.parentNode.previousElementSibling.style.display = "none";
+        } else {
+            icon.setAttribute("hide-args", "false");
+            icon.innerText = "keyboard_arrow_up";
+            icon.classList.remove("hide-args-selected");
+            icon.parentNode.previousElementSibling.style.display = "grid";
+        }
+
+        const icons = Array.from(document.getElementsByClassName("hide-args-icon"));
+        if (icons.length > 1) {
+            // Check if ALL the icons are hidden/shown
+            const uniqueIcons = icons.map(function(item) {
+                return item.getAttribute("hide-args");
+            }).unique();
+
+            const controlsIconStatus = document.getElementById("hide-icon").getAttribute("hide-args");
+
+            // If all icons are in the same state and the global icon isn't, fix it
+            if (uniqueIcons.length === 1 && icon.getAttribute("hide-args") !== controlsIconStatus) {
+                this.manager.controls.hideRecipeArgsClick();
+            }
+        }
+
+        window.dispatchEvent(this.manager.statechange);
+    }
 
     /**
      * Handler for disable click events.
diff --git a/tests/operations/index.mjs b/tests/operations/index.mjs
index 9d0e418b..606675b7 100644
--- a/tests/operations/index.mjs
+++ b/tests/operations/index.mjs
@@ -83,12 +83,13 @@ import "./tests/HKDF.mjs";
 import "./tests/Image.mjs";
 import "./tests/IndexOfCoincidence.mjs";
 import "./tests/JA3Fingerprint.mjs";
-import "./tests/JA4Fingerprint.mjs";
+import "./tests/JA4.mjs";
 import "./tests/JA3SFingerprint.mjs";
 import "./tests/JSONBeautify.mjs";
 import "./tests/JSONMinify.mjs";
 import "./tests/JSONtoCSV.mjs";
 import "./tests/Jump.mjs";
+import "./tests/JWK.mjs";
 import "./tests/JWTDecode.mjs";
 import "./tests/JWTSign.mjs";
 import "./tests/JWTVerify.mjs";
@@ -120,6 +121,8 @@ import "./tests/PGP.mjs";
 import "./tests/PHP.mjs";
 import "./tests/PowerSet.mjs";
 import "./tests/Protobuf.mjs";
+import "./tests/PubKeyFromCert.mjs";
+import "./tests/PubKeyFromPrivKey.mjs";
 import "./tests/Rabbit.mjs";
 import "./tests/RAKE.mjs";
 import "./tests/Regex.mjs";
diff --git a/tests/operations/tests/JA4Fingerprint.mjs b/tests/operations/tests/JA4.mjs
similarity index 63%
rename from tests/operations/tests/JA4Fingerprint.mjs
rename to tests/operations/tests/JA4.mjs
index dba84a38..0fb4624e 100644
--- a/tests/operations/tests/JA4Fingerprint.mjs
+++ b/tests/operations/tests/JA4.mjs
@@ -1,5 +1,5 @@
 /**
- * JA4Fingerprint tests.
+ * JA4 tests.
  *
  * @author n1474335 [n1474335@gmail.com]
  * @copyright Crown Copyright 2024
@@ -52,4 +52,70 @@ TestRegister.addTests([
             }
         ],
     },
+    {
+        name: "JA4Server Fingerprint: TLS 1.2 h2 ALPN",
+        input: "16030300640200006003035f0236c07f47bfb12dc2da706ecb3fe7f9eeac9968cc2ddf444f574e4752440120b89ff1ab695278c69b8a73f76242ef755e0b13dc6d459aaaa784fec9c2dfce34cca900001800000000ff01000100000b00020100001000050003026832",
+        expectedOutput: "t1204h2_cca9_1428ce7b4018",
+        recipeConfig: [
+            {
+                "op": "JA4Server Fingerprint",
+                "args": ["Hex", "JA4S"]
+            }
+        ]
+    },
+    {
+        name: "JA4Server Fingerprint: TLS 1.2 h2 ALPN Raw",
+        input: "16030300640200006003035f0236c07f47bfb12dc2da706ecb3fe7f9eeac9968cc2ddf444f574e4752440120b89ff1ab695278c69b8a73f76242ef755e0b13dc6d459aaaa784fec9c2dfce34cca900001800000000ff01000100000b00020100001000050003026832",
+        expectedOutput: "t1204h2_cca9_0000,ff01,000b,0010",
+        recipeConfig: [
+            {
+                "op": "JA4Server Fingerprint",
+                "args": ["Hex", "JA4S Raw"]
+            }
+        ]
+    },
+    {
+        name: "JA4Server Fingerprint: TLS 1.3",
+        input: "160303007a020000760303236d214556452c55a0754487e64b1a8b0262c50ba23004c9d504166a6de3439920d0b0099243c9296a0c84153ea4ada7d87ad017f4211c2ea1350b0b3cc5514d5f130100002e00330024001d002099e3cc43a2c9941ae75af1b2c7a629bee3ee7031973cad85c82f2f23677fb244002b00020304",
+        expectedOutput: "t130200_1301_234ea6891581",
+        recipeConfig: [
+            {
+                "op": "JA4Server Fingerprint",
+                "args": ["Hex", "JA4S"]
+            }
+        ]
+    },
+    {
+        name: "JA4Server Fingerprint: TLS 1.3 Raw",
+        input: "160303007a020000760303236d214556452c55a0754487e64b1a8b0262c50ba23004c9d504166a6de3439920d0b0099243c9296a0c84153ea4ada7d87ad017f4211c2ea1350b0b3cc5514d5f130100002e00330024001d002099e3cc43a2c9941ae75af1b2c7a629bee3ee7031973cad85c82f2f23677fb244002b00020304",
+        expectedOutput: "t130200_1301_0033,002b",
+        recipeConfig: [
+            {
+                "op": "JA4Server Fingerprint",
+                "args": ["Hex", "JA4S Raw"]
+            }
+        ]
+    },
+    {
+        name: "JA4Server Fingerprint: TLS 1.3 non-ascii ALPN",
+        input: "160303007a020000760303897c232e3ee313314f2b662307ff4f7e2cf1caeec1b27711bca77f469519168520bc58b92f865e6b9aa4a6371cadcb0afe1da1c0f705209a11d52357f56d5dd962130100002e00330024001d002076b8b7ed0f96b63a773d85ab6f3a87a151c130529785b41a4defb53184055957002b00020304",
+        expectedOutput: "t130200_1301_234ea6891581",
+        recipeConfig: [
+            {
+                "op": "JA4Server Fingerprint",
+                "args": ["Hex", "JA4S"]
+            }
+        ]
+    },
+    {
+        name: "JA4Server Fingerprint: TLS 1.3 non-ascii ALPN Raw",
+        input: "160303007a020000760303897c232e3ee313314f2b662307ff4f7e2cf1caeec1b27711bca77f469519168520bc58b92f865e6b9aa4a6371cadcb0afe1da1c0f705209a11d52357f56d5dd962130100002e00330024001d002076b8b7ed0f96b63a773d85ab6f3a87a151c130529785b41a4defb53184055957002b00020304",
+        expectedOutput: "t130200_1301_0033,002b",
+        recipeConfig: [
+            {
+                "op": "JA4Server Fingerprint",
+                "args": ["Hex", "JA4S Raw"]
+            }
+        ]
+    },
 ]);
diff --git a/tests/operations/tests/JWK.mjs b/tests/operations/tests/JWK.mjs
new file mode 100644
index 00000000..c77c983e
--- /dev/null
+++ b/tests/operations/tests/JWK.mjs
@@ -0,0 +1,359 @@
+/**
+ * JWK conversion
+ *
+ * @author cplussharp
+ * @copyright Crown Copyright 2021
+ * @license Apache-2.0
+ */
+import TestRegister from "../../lib/TestRegister.mjs";
+
+// test data for RSA key pair
+const RSA_512 = {
+    private: {
+        pem1: `-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBAPKr0Dp6YdItzOfk6a7ma7L4BF4LnelMYKtboGLrk6ihtqFPZFRL
+NcJi68Hvnt8stMrP50t6jqwWQ2EjMdkj6fsCAwEAAQJAOJUpM0lv36MAQR3WAwsF
+F7DOy+LnigteCvaNWiNVxZ6jByB5Qb7sall/Qlu9sFI0ZwrlVcKS0kldee7JTYlL
+WQIhAP3UKEfOtpTgT1tYmdhaqjxqMfxBom0Ri+rt9ajlzs6vAiEA9L85B8/Gnb7p
+6Af7/wpmafL277OV4X4xBfzMR+TUzHUCIBq+VLQkInaTH6lXL3ZtLwyIf9W9MJjf
+RWeuRLjT5bM/AiBF7Kw6kx5Hy1fAtydEApCoDIaIjWJw/kC7WTJ0B+jUUQIgV6dw
+NSyj0feakeD890gmId+lvl/w/3oUXiczqvl/N9o=
+-----END RSA PRIVATE KEY-----`,
+        pem8: `-----BEGIN PRIVATE KEY-----
+MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEA8qvQOnph0i3M5+Tp
+ruZrsvgEXgud6Uxgq1ugYuuTqKG2oU9kVEs1wmLrwe+e3yy0ys/nS3qOrBZDYSMx
+2SPp+wIDAQABAkA4lSkzSW/fowBBHdYDCwUXsM7L4ueKC14K9o1aI1XFnqMHIHlB
+vuxqWX9CW72wUjRnCuVVwpLSSV157slNiUtZAiEA/dQoR862lOBPW1iZ2FqqPGox
+/EGibRGL6u31qOXOzq8CIQD0vzkHz8advunoB/v/CmZp8vbvs5XhfjEF/MxH5NTM
+dQIgGr5UtCQidpMfqVcvdm0vDIh/1b0wmN9FZ65EuNPlsz8CIEXsrDqTHkfLV8C3
+J0QCkKgMhoiNYnD+QLtZMnQH6NRRAiBXp3A1LKPR95qR4Pz3SCYh36W+X/D/ehRe
+JzOq+X832g==
+-----END PRIVATE KEY-----`,
+        jwk: {
+            "kty": "RSA",
+            "n": "8qvQOnph0i3M5-TpruZrsvgEXgud6Uxgq1ugYuuTqKG2oU9kVEs1wmLrwe-e3yy0ys_nS3qOrBZDYSMx2SPp-w",
+            "e": "AQAB",
+            "d": "OJUpM0lv36MAQR3WAwsFF7DOy-LnigteCvaNWiNVxZ6jByB5Qb7sall_Qlu9sFI0ZwrlVcKS0kldee7JTYlLWQ",
+            "p": "_dQoR862lOBPW1iZ2FqqPGox_EGibRGL6u31qOXOzq8",
+            "q": "9L85B8_Gnb7p6Af7_wpmafL277OV4X4xBfzMR-TUzHU",
+            "dp": "Gr5UtCQidpMfqVcvdm0vDIh_1b0wmN9FZ65EuNPlsz8",
+            "dq": "ReysOpMeR8tXwLcnRAKQqAyGiI1icP5Au1kydAfo1FE",
+            "qi": "V6dwNSyj0feakeD890gmId-lvl_w_3oUXiczqvl_N9o"
+        }
+    },
+    public: {
+        pem1: `-----BEGIN RSA PUBLIC KEY-----
+MEgCQQDyq9A6emHSLczn5Omu5muy+AReC53pTGCrW6Bi65OoobahT2RUSzXCYuvB
+757fLLTKz+dLeo6sFkNhIzHZI+n7AgMBAAE=
+-----END RSA PUBLIC KEY-----`,
+        pem8: `-----BEGIN PUBLIC KEY-----
+MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPKr0Dp6YdItzOfk6a7ma7L4BF4LnelM
+YKtboGLrk6ihtqFPZFRLNcJi68Hvnt8stMrP50t6jqwWQ2EjMdkj6fsCAwEAAQ==
+-----END PUBLIC KEY-----`,
+        cert: `-----BEGIN CERTIFICATE-----
+MIIBfTCCASegAwIBAgIUeisK5Nwss2DGg5PCs4uSxxXyyNkwDQYJKoZIhvcNAQEL
+BQAwEzERMA8GA1UEAwwIUlNBIHRlc3QwHhcNMjExMTE5MTcyMDI2WhcNMzExMTE3
+MTcyMDI2WjATMREwDwYDVQQDDAhSU0EgdGVzdDBcMA0GCSqGSIb3DQEBAQUAA0sA
+MEgCQQDyq9A6emHSLczn5Omu5muy+AReC53pTGCrW6Bi65OoobahT2RUSzXCYuvB
+757fLLTKz+dLeo6sFkNhIzHZI+n7AgMBAAGjUzBRMB0GA1UdDgQWBBRO+jvkqq5p
+pnQgwMMnRoun6e7eiTAfBgNVHSMEGDAWgBRO+jvkqq5ppnQgwMMnRoun6e7eiTAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EAR/5HAZM5qBhU/ezDUIFx
+gmUGoFbIb5kJD41YCnaSdrgWglh4He4melSs42G/oxBBjuCJ0bUpqWnLl+lJkv1z
+IA==
+-----END CERTIFICATE-----`,
+        jwk: {
+            "kty": "RSA",
+            "n": "8qvQOnph0i3M5-TpruZrsvgEXgud6Uxgq1ugYuuTqKG2oU9kVEs1wmLrwe-e3yy0ys_nS3qOrBZDYSMx2SPp-w",
+            "e": "AQAB"
+        }
+    }
+};
+
+// test data for EC key pair
+const EC_P256 = {
+    private: {
+        pem1: `-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINtTjwUkgfAiSwqgcGAXWyE0ueIW6n2k395dmQZ3vGr4oAoGCCqGSM49
+AwEHoUQDQgAEDUc8A0EDNKoCYIPWMHz1yUzqE5mJgusgcAE8H6810fkJ8ZmTNiCC
+a6sLgR2vD1VNh2diirWgKPH4PVMKav5e6Q==
+-----END EC PRIVATE KEY-----`,
+        pem8: `-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg21OPBSSB8CJLCqBw
+YBdbITS54hbqfaTf3l2ZBne8avihRANCAAQNRzwDQQM0qgJgg9YwfPXJTOoTmYmC
+6yBwATwfrzXR+QnxmZM2IIJrqwuBHa8PVU2HZ2KKtaAo8fg9Uwpq/l7p
+-----END PRIVATE KEY-----`,
+        jwk: {
+            "kty": "EC",
+            "crv": "P-256",
+            "x": "DUc8A0EDNKoCYIPWMHz1yUzqE5mJgusgcAE8H6810fk",
+            "y": "CfGZkzYggmurC4Edrw9VTYdnYoq1oCjx-D1TCmr-Xuk",
+            "d": "21OPBSSB8CJLCqBwYBdbITS54hbqfaTf3l2ZBne8avg"
+        }
+    },
+    public: {
+        pem8: `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDUc8A0EDNKoCYIPWMHz1yUzqE5mJ
+gusgcAE8H6810fkJ8ZmTNiCCa6sLgR2vD1VNh2diirWgKPH4PVMKav5e6Q==
+-----END PUBLIC KEY-----`,
+        cert: `-----BEGIN CERTIFICATE-----
+MIIBfzCCASWgAwIBAgIUK4H8J3Hr7NpRLPrACj8Pje4JJJ0wCgYIKoZIzj0EAwIw
+FTETMBEGA1UEAwwKUC0yNTYgdGVzdDAeFw0yMTExMTkxNzE5NDVaFw0zMTExMTcx
+NzE5NDVaMBUxEzARBgNVBAMMClAtMjU2IHRlc3QwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAQNRzwDQQM0qgJgg9YwfPXJTOoTmYmC6yBwATwfrzXR+QnxmZM2IIJr
+qwuBHa8PVU2HZ2KKtaAo8fg9Uwpq/l7po1MwUTAdBgNVHQ4EFgQU/SxodXrpkybM
+gcIgkxnRKd7HMzowHwYDVR0jBBgwFoAU/SxodXrpkybMgcIgkxnRKd7HMzowDwYD
+VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiBU9PrOa/kXCpTTBInRf/sN
+ac2iDHmbdpWzcXI+xLKNYAIhAIRR1LRSHVwOTLQ/iBXd+8LCkm5aTB27RW46LN80
+ylxt
+-----END CERTIFICATE-----`,
+        jwk: {
+            "kty": "EC",
+            "crv": "P-256",
+            "x": "DUc8A0EDNKoCYIPWMHz1yUzqE5mJgusgcAE8H6810fk",
+            "y": "CfGZkzYggmurC4Edrw9VTYdnYoq1oCjx-D1TCmr-Xuk"
+        }
+    }
+};
+
+const PEM_PRIV_DSA1024 = `-----BEGIN DSA PRIVATE KEY-----
+MIIBuwIBAAKBgQCkFEttBrPHEJRgcvaT8HbZs9h1pVQLHhn2F452izusRox1czMM
+IC8Z7YQiM1pt6bgEmf0h8ldx6UFT0YL9JWSbyBy1U5pHKfnz/xjeg7ZMReL4F0/T
+Gwmu4ercqfM//TmEg9nL3nDxb4WmF2al/SmHN3qlzYmYaIDEFfEuu8vWbwIVAMOq
+7pqQiMGUu6uJY/nQTWW0c3IfAoGARWryStp2AElj538qN9tWRuyobRA93Q1ujrdM
+EqsqVpMZd1a8qtRyMaZVVdB7N3EweNUuFOoSAp10s/SQEH9qhVo6NwvzhB7lEtm4
+5FjWW9+9WCuuFOGZpTy8PSFAvQcfUqunP/DeaDliNmgKci+n0nfIBakuQn10Zmqk
+vGu8NZICgYBUsoQeXSJ19e6XZenk6G8wVI3yXFqnRAwb6s7sAVoPwfDCsOXTxC7W
+Mlfz0HcYMiifFKEd28NnuAZ2e0ngyPHsb9s5phzTgRfO3GFzOjsjwgx3DmQI2Ck2
+yOWHSAtaNhH4DoBZEyNsb1akiB50vx9b09EHN4weqbgAu743NMDHRQIVAIG5uiiO
+OnWUYieHAiVIPkBCrYUd
+-----END DSA PRIVATE KEY-----`;
+
+// https://datatracker.ietf.org/doc/html/rfc8037#appendix-A.2
+const JWK_PUB_ED25591 = {
+    "kty": "OKP",
+    "crv": "Ed25519",
+    "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"
+};
+
+TestRegister.addTests([
+    {
+        name: "PEM to JWK: Missing footer",
+        input: RSA_512.private.pem1.substring(0, RSA_512.private.pem1.length / 2),
+        expectedOutput: "PEM footer '-----END RSA PRIVATE KEY-----' not found",
+        recipeConfig: [
+            {
+                op: "PEM to JWK",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "PEM to JWK: DSA not supported",
+        input: PEM_PRIV_DSA1024,
+        expectedOutput: "DSA keys are not supported for JWK",
+        recipeConfig: [
+            {
+                op: "PEM to JWK",
+                args: [],
+            }
+        ],
+    },
+
+    // test RSA key convertion
+    {
+        name: "PEM to JWK: RSA Private Key PKCS1",
+        input: RSA_512.private.pem1,
+        expectedOutput: JSON.stringify(RSA_512.private.jwk),
+        recipeConfig: [
+            {
+                op: "PEM to JWK",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "PEM to JWK: RSA Private Key PKCS8",
+        input: RSA_512.private.pem8,
+        expectedOutput: JSON.stringify(RSA_512.private.jwk),
+        recipeConfig: [
+            {
+                op: "PEM to JWK",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "PEM to JWK: RSA Public Key PKCS1",
+        input: RSA_512.public.pem1,
+        expectedOutput: "Unsupported RSA public key format. Only PKCS#8 is supported.",
+        recipeConfig: [
+            {
+                op: "PEM to JWK",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "PEM to JWK: RSA Public Key PKCS8",
+        input: RSA_512.public.pem8,
+        expectedOutput: JSON.stringify(RSA_512.public.jwk),
+        recipeConfig: [
+            {
+                op: "PEM to JWK",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "PEM to JWK: Certificate with RSA Public Key",
+        input: RSA_512.public.cert,
+        expectedOutput: JSON.stringify(RSA_512.public.jwk),
+        recipeConfig: [
+            {
+                op: "PEM to JWK",
+                args: [],
+            }
+        ],
+    },
+
+    // test EC key conversion
+    {
+        name: "PEM to JWK: EC Private Key PKCS1",
+        input: EC_P256.private.pem1,
+        expectedOutput: JSON.stringify(EC_P256.private.jwk),
+        recipeConfig: [
+            {
+                op: "PEM to JWK",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "PEM to JWK: EC Private Key PKCS8",
+        input: EC_P256.private.pem8,
+        expectedOutput: JSON.stringify(EC_P256.private.jwk),
+        recipeConfig: [
+            {
+                op: "PEM to JWK",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "PEM to JWK: EC Public Key",
+        input: EC_P256.public.pem8,
+        expectedOutput: JSON.stringify(EC_P256.public.jwk),
+        recipeConfig: [
+            {
+                op: "PEM to JWK",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "PEM to JWK: Certificate with EC Public Key",
+        input: EC_P256.public.cert,
+        expectedOutput: JSON.stringify(EC_P256.public.jwk),
+        recipeConfig: [
+            {
+                op: "PEM to JWK",
+                args: [],
+            }
+        ],
+    },
+
+
+    {
+        name: "JWK to PEM: not a JWK",
+        input: "\"foobar\"",
+        expectedOutput: "Input is not a JSON Web Key",
+        recipeConfig: [
+            {
+                op: "JWK to PEM",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "JWK to PEM: unsupported key type",
+        input: JSON.stringify(JWK_PUB_ED25591),
+        expectedOutput: "Unsupported JWK key type 'OKP'",
+        recipeConfig: [
+            {
+                op: "JWK to PEM",
+                args: [],
+            }
+        ],
+    },
+
+    // test RSA key conversion
+    {
+        name: "JWK to PEM: RSA Private Key",
+        input: JSON.stringify(RSA_512.private.jwk),
+        expectedOutput: RSA_512.private.pem8.replace(/\r/g, "").replace(/\n/g, "\r\n")+"\r\n",
+        recipeConfig: [
+            {
+                op: "JWK to PEM",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "JWK to PEM: RSA Public Key",
+        input: JSON.stringify(RSA_512.public.jwk),
+        expectedOutput: RSA_512.public.pem8.replace(/\r/g, "").replace(/\n/g, "\r\n")+"\r\n",
+        recipeConfig: [
+            {
+                op: "JWK to PEM",
+                args: [],
+            }
+        ],
+    },
+
+    // test EC key conversion
+    {
+        name: "JWK to PEM: EC Private Key",
+        input: JSON.stringify(EC_P256.private.jwk),
+        expectedOutput: EC_P256.private.pem8.replace(/\r/g, "").replace(/\n/g, "\r\n")+"\r\n",
+        recipeConfig: [
+            {
+                op: "JWK to PEM",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "JWK to PEM: EC Public Key",
+        input: JSON.stringify(EC_P256.public.jwk),
+        expectedOutput: EC_P256.public.pem8.replace(/\r/g, "").replace(/\n/g, "\r\n")+"\r\n",
+        recipeConfig: [
+            {
+                op: "JWK to PEM",
+                args: [],
+            }
+        ],
+    },
+
+    {
+        name: "JWK to PEM: Array of keys",
+        input: JSON.stringify([RSA_512.public.jwk, EC_P256.public.jwk]),
+        expectedOutput: (RSA_512.public.pem8 + "\n" + EC_P256.public.pem8 + "\n").replace(/\r/g, "").replace(/\n/g, "\r\n"),
+        recipeConfig: [
+            {
+                op: "JWK to PEM",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "JWK to PEM: JSON Web Key Set",
+        input: JSON.stringify({"keys": [RSA_512.public.jwk, EC_P256.public.jwk]}),
+        expectedOutput: (RSA_512.public.pem8 + "\n" + EC_P256.public.pem8 + "\n").replace(/\r/g, "").replace(/\n/g, "\r\n"),
+        recipeConfig: [
+            {
+                op: "JWK to PEM",
+                args: [],
+            }
+        ],
+    }
+]);
diff --git a/tests/operations/tests/PubKeyFromCert.mjs b/tests/operations/tests/PubKeyFromCert.mjs
new file mode 100644
index 00000000..ae5609aa
--- /dev/null
+++ b/tests/operations/tests/PubKeyFromCert.mjs
@@ -0,0 +1,215 @@
+/**
+ * Public Key from Certificate
+ *
+ * @author cplussharp
+ * @copyright Crown Copyright 2023
+ * @license Apache-2.0
+ */
+import TestRegister from "../../lib/TestRegister.mjs";
+
+const RSA_CERT = `-----BEGIN CERTIFICATE-----
+MIIBfTCCASegAwIBAgIUeisK5Nwss2DGg5PCs4uSxxXyyNkwDQYJKoZIhvcNAQEL
+BQAwEzERMA8GA1UEAwwIUlNBIHRlc3QwHhcNMjExMTE5MTcyMDI2WhcNMzExMTE3
+MTcyMDI2WjATMREwDwYDVQQDDAhSU0EgdGVzdDBcMA0GCSqGSIb3DQEBAQUAA0sA
+MEgCQQDyq9A6emHSLczn5Omu5muy+AReC53pTGCrW6Bi65OoobahT2RUSzXCYuvB
+757fLLTKz+dLeo6sFkNhIzHZI+n7AgMBAAGjUzBRMB0GA1UdDgQWBBRO+jvkqq5p
+pnQgwMMnRoun6e7eiTAfBgNVHSMEGDAWgBRO+jvkqq5ppnQgwMMnRoun6e7eiTAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EAR/5HAZM5qBhU/ezDUIFx
+gmUGoFbIb5kJD41YCnaSdrgWglh4He4melSs42G/oxBBjuCJ0bUpqWnLl+lJkv1z
+IA==
+-----END CERTIFICATE-----`;
+
+const RSA_PUBKEY = `-----BEGIN PUBLIC KEY-----
+MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPKr0Dp6YdItzOfk6a7ma7L4BF4LnelM
+YKtboGLrk6ihtqFPZFRLNcJi68Hvnt8stMrP50t6jqwWQ2EjMdkj6fsCAwEAAQ==
+-----END PUBLIC KEY-----`;
+
+const EC_P256_CERT = `-----BEGIN CERTIFICATE-----
+MIIBfzCCASWgAwIBAgIUK4H8J3Hr7NpRLPrACj8Pje4JJJ0wCgYIKoZIzj0EAwIw
+FTETMBEGA1UEAwwKUC0yNTYgdGVzdDAeFw0yMTExMTkxNzE5NDVaFw0zMTExMTcx
+NzE5NDVaMBUxEzARBgNVBAMMClAtMjU2IHRlc3QwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAQNRzwDQQM0qgJgg9YwfPXJTOoTmYmC6yBwATwfrzXR+QnxmZM2IIJr
+qwuBHa8PVU2HZ2KKtaAo8fg9Uwpq/l7po1MwUTAdBgNVHQ4EFgQU/SxodXrpkybM
+gcIgkxnRKd7HMzowHwYDVR0jBBgwFoAU/SxodXrpkybMgcIgkxnRKd7HMzowDwYD
+VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiBU9PrOa/kXCpTTBInRf/sN
+ac2iDHmbdpWzcXI+xLKNYAIhAIRR1LRSHVwOTLQ/iBXd+8LCkm5aTB27RW46LN80
+ylxt
+-----END CERTIFICATE-----`;
+
+const EC_P256_PUBKEY = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDUc8A0EDNKoCYIPWMHz1yUzqE5mJ
+gusgcAE8H6810fkJ8ZmTNiCCa6sLgR2vD1VNh2diirWgKPH4PVMKav5e6Q==
+-----END PUBLIC KEY-----`;
+
+const DSA_CERT = `-----BEGIN CERTIFICATE-----
+MIIEXzCCBA2gAwIBAgIUYYcPJB8UQLzUnqkGJvs3J4RI0OgwCwYJYIZIAWUDBAMC
+MBMxETAPBgNVBAMMCERTQSBUZXN0MB4XDTIzMTAxNTAwMjEzNVoXDTMzMTAxMjAw
+MjEzNVowEzERMA8GA1UEAwwIRFNBIFRlc3QwggNCMIICNQYHKoZIzjgEATCCAigC
+ggEBALoLV+uz7vMYZCIuwXNkgZawvDgZAG1T7IiG030WgqesRNncuoUQOmAJCiuN
+zkjVNSY08rabex/RIkWILvxP91SlzhA9t9+dp87p238ecxGa1sD2re+y35RP7IxN
+T33633NtwGItZ3BqqAhoMmuwwwxau0E8zwYodTTlwTRp4QVPpMH1eJCUBeEzcWP5
+ZZ1lRNhR5M2TqzSU3ya5/4c3a9rI86h9VIVgw8yVvw3y6yclzjALm2ntD5riskdM
+Z6mMkfYQwEbIGRTELX6A7LZ0lX1CislenF9ASb2E4g2nGcMQ0uSGzA4W9mf6wwmP
+S6iwX5+Qu/i6jCm5i37fQ1H5HHUCHQDA+UnPHM6PZEgfFen8djZpl/cl05MpWk+d
+nikFAoIBADXOTpBw0WA+UihxDG+6qqM05kxVMYmz6IRZ/06ffZSGVFN6Bx1i0s3v
+kzM5V8GsKpkKkSk7V8fTQnAIIlMmt1Y7ff+ng7+TfYotMrvvEYlolYK06J2WWoUA
+8iKp8+n58vdoky+xZmuGmcvCAojVDbEeU2wEqYE1PzrHCSOoOiKB2P4fOhyuF+qx
+E8nkzURIg2RmSSkqWOkXiWyKyfpUaB+4cEisp4ThENEPmdntE1vLh2r7EOIxpE5D
+0NAy2wFKqe3ljfgE6XsPZKgVAguRDVpzdmL6WDY7DM/BcS726vx+kX55QDkszvec
+raNirnir2QrB/a0JQjF6Y62yGmG7GF8DggEFAAKCAQBpN+w0N0b5IIAspXnlJ9yu
+B6ORk3j/5rZ+DUtTzW1YAJI6xjTcFQvN7FpVLkmLtXKUXF04R+sdGJ7VFwOb0rba
+L5vQzrqNkBrbgSzuzeloiG+7OLA6VeQtNbQh6OurrZFi9gY+qA5ciT9kQXyrHudV
+Xu956NDrooRxmv6JIVFvToaNiwe2vcgdkALw8HUbLFYof4SAE9jgU8EpxTp02e8H
+zvVSVa6yj1nnGhpzLPlEqF8TZvs9pTg2kIk3/zvWojMJoPyTALfbTjbAeiFMMeKN
+K/CKOOJj23AVAZxpMSR6cUbrIcRdKDnhCTVkkxXUecAIUs6Mk10kSfkuiGl9LjKj
+o1MwUTAdBgNVHQ4EFgQUE+xZdvgiDIFWKQskMYnNaZ3iPHAwHwYDVR0jBBgwFoAU
+E+xZdvgiDIFWKQskMYnNaZ3iPHAwDwYDVR0TAQH/BAUwAwEB/zALBglghkgBZQME
+AwIDPwAwPAIcZbtf4+bjXEGQqNs6IglLrOgIjYF46q7qCNfXmQIcMKUtH3S6sDJE
+3ds9eL+oC+HPFlfUNfUiU30aDA==
+-----END CERTIFICATE-----`;
+
+const DSA_PUBKEY = `-----BEGIN PUBLIC KEY-----
+MIIDQjCCAjUGByqGSM44BAEwggIoAoIBAQC6C1frs+7zGGQiLsFzZIGWsLw4GQBt
+U+yIhtN9FoKnrETZ3LqFEDpgCQorjc5I1TUmNPK2m3sf0SJFiC78T/dUpc4QPbff
+nafO6dt/HnMRmtbA9q3vst+UT+yMTU99+t9zbcBiLWdwaqgIaDJrsMMMWrtBPM8G
+KHU05cE0aeEFT6TB9XiQlAXhM3Fj+WWdZUTYUeTNk6s0lN8muf+HN2vayPOofVSF
+YMPMlb8N8usnJc4wC5tp7Q+a4rJHTGepjJH2EMBGyBkUxC1+gOy2dJV9QorJXpxf
+QEm9hOINpxnDENLkhswOFvZn+sMJj0uosF+fkLv4uowpuYt+30NR+Rx1Ah0AwPlJ
+zxzOj2RIHxXp/HY2aZf3JdOTKVpPnZ4pBQKCAQA1zk6QcNFgPlIocQxvuqqjNOZM
+VTGJs+iEWf9On32UhlRTegcdYtLN75MzOVfBrCqZCpEpO1fH00JwCCJTJrdWO33/
+p4O/k32KLTK77xGJaJWCtOidllqFAPIiqfPp+fL3aJMvsWZrhpnLwgKI1Q2xHlNs
+BKmBNT86xwkjqDoigdj+HzocrhfqsRPJ5M1ESINkZkkpKljpF4lsisn6VGgfuHBI
+rKeE4RDRD5nZ7RNby4dq+xDiMaROQ9DQMtsBSqnt5Y34BOl7D2SoFQILkQ1ac3Zi
++lg2OwzPwXEu9ur8fpF+eUA5LM73nK2jYq54q9kKwf2tCUIxemOtshphuxhfA4IB
+BQACggEAaTfsNDdG+SCALKV55SfcrgejkZN4/+a2fg1LU81tWACSOsY03BULzexa
+VS5Ji7VylFxdOEfrHRie1RcDm9K22i+b0M66jZAa24Es7s3paIhvuziwOlXkLTW0
+Iejrq62RYvYGPqgOXIk/ZEF8qx7nVV7veejQ66KEcZr+iSFRb06GjYsHtr3IHZAC
+8PB1GyxWKH+EgBPY4FPBKcU6dNnvB871UlWuso9Z5xoacyz5RKhfE2b7PaU4NpCJ
+N/871qIzCaD8kwC32042wHohTDHijSvwijjiY9twFQGcaTEkenFG6yHEXSg54Qk1
+ZJMV1HnACFLOjJNdJEn5LohpfS4yow==
+-----END PUBLIC KEY-----`;
+
+const ED25519_CERT = `-----BEGIN CERTIFICATE-----
+MIIBQjCB9aADAgECAhRjPJhrdNco5LzpsIs0vSLLaZaZ0DAFBgMrZXAwFzEVMBMG
+A1UEAwwMRWQyNTUxOSBUZXN0MB4XDTIzMTAxNTAwMjMwOFoXDTMzMTAxMjAwMjMw
+OFowFzEVMBMGA1UEAwwMRWQyNTUxOSBUZXN0MCowBQYDK2VwAyEAELP6AflXwsuZ
+5q4NDIO0LP2iCdKRvds4nwsUmRhOw3ijUzBRMB0GA1UdDgQWBBRfxS9q0IemWxkH
+4mwAwzr9dQx2xzAfBgNVHSMEGDAWgBRfxS9q0IemWxkH4mwAwzr9dQx2xzAPBgNV
+HRMBAf8EBTADAQH/MAUGAytlcANBAI/+03iVq4yJ+DaLVs61w41cVX2UxKvquSzv
+lllkpkclM9LH5dLrw4ArdTjS9zAjzY/02WkphHhICHXt3KqZTwI=
+-----END CERTIFICATE-----`;
+
+/*
+const ED25519_PUBKEY = `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAELP6AflXwsuZ5q4NDIO0LP2iCdKRvds4nwsUmRhOw3g=
+-----END PUBLIC KEY-----`;
+*/
+
+const ED448_CERT = `-----BEGIN CERTIFICATE-----
+MIIBijCCAQqgAwIBAgIUZaCS7zEjOnQ7O4KUFym6fJF5vl8wBQYDK2VxMBUxEzAR
+BgNVBAMMCkVkNDQ4IFRlc3QwHhcNMjMxMDE1MDAyMzI1WhcNMzMxMDEyMDAyMzI1
+WjAVMRMwEQYDVQQDDApFZDQ0OCBUZXN0MEMwBQYDK2VxAzoAVN8kG0TMVyGOu/Ov
+BTe8H0Wi4HJrQAlSv4XLwJbkuoi4EeRlEHQwXsNYLZTtY2Jra6AWhbVYYaEAo1Mw
+UTAdBgNVHQ4EFgQUJFrepAf9YXrmDMSAzrMeYQmosd0wHwYDVR0jBBgwFoAUJFre
+pAf9YXrmDMSAzrMeYQmosd0wDwYDVR0TAQH/BAUwAwEB/zAFBgMrZXEDcwA+YiZj
+puFr2aogfV1qg/ixk7qLi25BbKVNR6+7PEUjo7+4yBn9qnLbAHUGnHn7E96pSey9
+VkLqpoDNMRcM3Eb6h3AJpQM0oxGj8q9arjDXqJkXgaO2e0tVn8KKVfy7S8qO72Kd
+rWzZowcOjnWKhXm7JgA=
+-----END CERTIFICATE-----`;
+
+/*
+const ED448_PUBKEY = `-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAVN8kG0TMVyGOu/OvBTe8H0Wi4HJrQAlSv4XLwJbkuoi4EeRl
+EHQwXsNYLZTtY2Jra6AWhbVYYaEA
+-----END PUBLIC KEY-----`
+*/
+
+TestRegister.addTests([
+    {
+        name: "Public Key from Certificate: Missing footer",
+        input: RSA_CERT.substring(0, RSA_CERT.length / 2),
+        expectedOutput: "PEM footer '-----END CERTIFICATE-----' not found",
+        recipeConfig: [
+            {
+                op: "Public Key from Certificate",
+                args: [],
+            }
+        ],
+    },
+
+    // test RSA certificate
+    {
+        name: "Public Key from Certificate: RSA",
+        input: RSA_CERT,
+        expectedOutput: (RSA_PUBKEY + "\n").replace(/\r/g, "").replace(/\n/g, "\r\n"),
+        recipeConfig: [
+            {
+                op: "Public Key from Certificate",
+                args: [],
+            }
+        ],
+    },
+
+    // test EC certificate
+    {
+        name: "Public Key from Certificate: EC",
+        input: EC_P256_CERT,
+        expectedOutput: (EC_P256_PUBKEY + "\n").replace(/\r/g, "").replace(/\n/g, "\r\n"),
+        recipeConfig: [
+            {
+                op: "Public Key from Certificate",
+                args: [],
+            }
+        ],
+    },
+
+    // test DSA certificate
+    {
+        name: "Public Key from Certificate: DSA",
+        input: DSA_CERT,
+        expectedOutput: (DSA_PUBKEY + "\n").replace(/\r/g, "").replace(/\n/g, "\r\n"),
+        recipeConfig: [
+            {
+                op: "Public Key from Certificate",
+                args: [],
+            }
+        ],
+    },
+
+    // test EdDSA certificates
+    {
+        name: "Public Key from Certificate: Ed25519",
+        input: ED25519_CERT,
+        expectedOutput: "Unsupported public key type",
+        recipeConfig: [
+            {
+                op: "Public Key from Certificate",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "Public Key from Certificate: Ed448",
+        input: ED448_CERT,
+        expectedOutput: "Unsupported public key type",
+        recipeConfig: [
+            {
+                op: "Public Key from Certificate",
+                args: [],
+            }
+        ],
+    },
+
+    // test multi-input
+    {
+        name: "Public Key from Certificate: Multiple certificates",
+        input: RSA_CERT + "\n" + EC_P256_CERT,
+        expectedOutput: (RSA_PUBKEY + "\n" + EC_P256_PUBKEY + "\n").replace(/\r/g, "").replace(/\n/g, "\r\n"),
+        recipeConfig: [
+            {
+                op: "Public Key from Certificate",
+                args: [],
+            }
+        ],
+    }
+]);
diff --git a/tests/operations/tests/PubKeyFromPrivKey.mjs b/tests/operations/tests/PubKeyFromPrivKey.mjs
new file mode 100644
index 00000000..25f14a69
--- /dev/null
+++ b/tests/operations/tests/PubKeyFromPrivKey.mjs
@@ -0,0 +1,254 @@
+/**
+ * Public Key from Private Key
+ *
+ * @author cplussharp
+ * @copyright Crown Copyright 2023
+ * @license Apache-2.0
+ */
+import TestRegister from "../../lib/TestRegister.mjs";
+
+const RSA_PRIVKEY_PKCS1 = `-----BEGIN RSA PRIVATE KEY-----
+MIIBOQIBAAJBAPKr0Dp6YdItzOfk6a7ma7L4BF4LnelMYKtboGLrk6ihtqFPZFRL
+NcJi68Hvnt8stMrP50t6jqwWQ2EjMdkj6fsCAwEAAQJAOJUpM0lv36MAQR3WAwsF
+F7DOy+LnigteCvaNWiNVxZ6jByB5Qb7sall/Qlu9sFI0ZwrlVcKS0kldee7JTYlL
+WQIhAP3UKEfOtpTgT1tYmdhaqjxqMfxBom0Ri+rt9ajlzs6vAiEA9L85B8/Gnb7p
+6Af7/wpmafL277OV4X4xBfzMR+TUzHUCIBq+VLQkInaTH6lXL3ZtLwyIf9W9MJjf
+RWeuRLjT5bM/AiBF7Kw6kx5Hy1fAtydEApCoDIaIjWJw/kC7WTJ0B+jUUQIgV6dw
+NSyj0feakeD890gmId+lvl/w/3oUXiczqvl/N9o=
+-----END RSA PRIVATE KEY-----`;
+
+const RSA_PRIVKEY_PKCS8 = `-----BEGIN PRIVATE KEY-----
+MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEA8qvQOnph0i3M5+Tp
+ruZrsvgEXgud6Uxgq1ugYuuTqKG2oU9kVEs1wmLrwe+e3yy0ys/nS3qOrBZDYSMx
+2SPp+wIDAQABAkA4lSkzSW/fowBBHdYDCwUXsM7L4ueKC14K9o1aI1XFnqMHIHlB
+vuxqWX9CW72wUjRnCuVVwpLSSV157slNiUtZAiEA/dQoR862lOBPW1iZ2FqqPGox
+/EGibRGL6u31qOXOzq8CIQD0vzkHz8advunoB/v/CmZp8vbvs5XhfjEF/MxH5NTM
+dQIgGr5UtCQidpMfqVcvdm0vDIh/1b0wmN9FZ65EuNPlsz8CIEXsrDqTHkfLV8C3
+J0QCkKgMhoiNYnD+QLtZMnQH6NRRAiBXp3A1LKPR95qR4Pz3SCYh36W+X/D/ehRe
+JzOq+X832g==
+-----END PRIVATE KEY-----`;
+
+const RSA_PUBKEY = `-----BEGIN PUBLIC KEY-----
+MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPKr0Dp6YdItzOfk6a7ma7L4BF4LnelM
+YKtboGLrk6ihtqFPZFRLNcJi68Hvnt8stMrP50t6jqwWQ2EjMdkj6fsCAwEAAQ==
+-----END PUBLIC KEY-----`;
+
+const EC_P256_PRIVKEY_SEC1 = `-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINtTjwUkgfAiSwqgcGAXWyE0ueIW6n2k395dmQZ3vGr4oAoGCCqGSM49
+AwEHoUQDQgAEDUc8A0EDNKoCYIPWMHz1yUzqE5mJgusgcAE8H6810fkJ8ZmTNiCC
+a6sLgR2vD1VNh2diirWgKPH4PVMKav5e6Q==
+-----END EC PRIVATE KEY-----`;
+
+const EC_P256_PRIVKEY_PKCS8 = `-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg21OPBSSB8CJLCqBw
+YBdbITS54hbqfaTf3l2ZBne8avihRANCAAQNRzwDQQM0qgJgg9YwfPXJTOoTmYmC
+6yBwATwfrzXR+QnxmZM2IIJrqwuBHa8PVU2HZ2KKtaAo8fg9Uwpq/l7p
+-----END PRIVATE KEY-----`;
+
+const EC_P256_PUBKEY = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDUc8A0EDNKoCYIPWMHz1yUzqE5mJ
+gusgcAE8H6810fkJ8ZmTNiCCa6sLgR2vD1VNh2diirWgKPH4PVMKav5e6Q==
+-----END PUBLIC KEY-----`;
+
+const DSA_PRIVKEY_TRAD = `-----BEGIN DSA PRIVATE KEY-----
+MIIDTQIBAAKCAQEAugtX67Pu8xhkIi7Bc2SBlrC8OBkAbVPsiIbTfRaCp6xE2dy6
+hRA6YAkKK43OSNU1JjTytpt7H9EiRYgu/E/3VKXOED23352nzunbfx5zEZrWwPat
+77LflE/sjE1Pffrfc23AYi1ncGqoCGgya7DDDFq7QTzPBih1NOXBNGnhBU+kwfV4
+kJQF4TNxY/llnWVE2FHkzZOrNJTfJrn/hzdr2sjzqH1UhWDDzJW/DfLrJyXOMAub
+ae0PmuKyR0xnqYyR9hDARsgZFMQtfoDstnSVfUKKyV6cX0BJvYTiDacZwxDS5IbM
+Dhb2Z/rDCY9LqLBfn5C7+LqMKbmLft9DUfkcdQIdAMD5Sc8czo9kSB8V6fx2NmmX
+9yXTkylaT52eKQUCggEANc5OkHDRYD5SKHEMb7qqozTmTFUxibPohFn/Tp99lIZU
+U3oHHWLSze+TMzlXwawqmQqRKTtXx9NCcAgiUya3Vjt9/6eDv5N9ii0yu+8RiWiV
+grTonZZahQDyIqnz6fny92iTL7Fma4aZy8ICiNUNsR5TbASpgTU/OscJI6g6IoHY
+/h86HK4X6rETyeTNREiDZGZJKSpY6ReJbIrJ+lRoH7hwSKynhOEQ0Q+Z2e0TW8uH
+avsQ4jGkTkPQ0DLbAUqp7eWN+ATpew9kqBUCC5ENWnN2YvpYNjsMz8FxLvbq/H6R
+fnlAOSzO95yto2KueKvZCsH9rQlCMXpjrbIaYbsYXwKCAQBpN+w0N0b5IIAspXnl
+J9yuB6ORk3j/5rZ+DUtTzW1YAJI6xjTcFQvN7FpVLkmLtXKUXF04R+sdGJ7VFwOb
+0rbaL5vQzrqNkBrbgSzuzeloiG+7OLA6VeQtNbQh6OurrZFi9gY+qA5ciT9kQXyr
+HudVXu956NDrooRxmv6JIVFvToaNiwe2vcgdkALw8HUbLFYof4SAE9jgU8EpxTp0
+2e8HzvVSVa6yj1nnGhpzLPlEqF8TZvs9pTg2kIk3/zvWojMJoPyTALfbTjbAeiFM
+MeKNK/CKOOJj23AVAZxpMSR6cUbrIcRdKDnhCTVkkxXUecAIUs6Mk10kSfkuiGl9
+LjKjAhwpK4MOpkKEu+y308fZ+yZXypZW2m9Y/wOT0L4g
+-----END DSA PRIVATE KEY-----`;
+
+const DSA_PRIVKEY_PKCS8 = `-----BEGIN PRIVATE KEY-----
+MIICXAIBADCCAjUGByqGSM44BAEwggIoAoIBAQC6C1frs+7zGGQiLsFzZIGWsLw4
+GQBtU+yIhtN9FoKnrETZ3LqFEDpgCQorjc5I1TUmNPK2m3sf0SJFiC78T/dUpc4Q
+PbffnafO6dt/HnMRmtbA9q3vst+UT+yMTU99+t9zbcBiLWdwaqgIaDJrsMMMWrtB
+PM8GKHU05cE0aeEFT6TB9XiQlAXhM3Fj+WWdZUTYUeTNk6s0lN8muf+HN2vayPOo
+fVSFYMPMlb8N8usnJc4wC5tp7Q+a4rJHTGepjJH2EMBGyBkUxC1+gOy2dJV9QorJ
+XpxfQEm9hOINpxnDENLkhswOFvZn+sMJj0uosF+fkLv4uowpuYt+30NR+Rx1Ah0A
+wPlJzxzOj2RIHxXp/HY2aZf3JdOTKVpPnZ4pBQKCAQA1zk6QcNFgPlIocQxvuqqj
+NOZMVTGJs+iEWf9On32UhlRTegcdYtLN75MzOVfBrCqZCpEpO1fH00JwCCJTJrdW
+O33/p4O/k32KLTK77xGJaJWCtOidllqFAPIiqfPp+fL3aJMvsWZrhpnLwgKI1Q2x
+HlNsBKmBNT86xwkjqDoigdj+HzocrhfqsRPJ5M1ESINkZkkpKljpF4lsisn6VGgf
+uHBIrKeE4RDRD5nZ7RNby4dq+xDiMaROQ9DQMtsBSqnt5Y34BOl7D2SoFQILkQ1a
+c3Zi+lg2OwzPwXEu9ur8fpF+eUA5LM73nK2jYq54q9kKwf2tCUIxemOtshphuxhf
+BB4CHCkrgw6mQoS77LfTx9n7JlfKllbab1j/A5PQviA=
+-----END PRIVATE KEY-----`;
+
+const DSA_PUBKEY = `-----BEGIN PUBLIC KEY-----
+MIIDQjCCAjUGByqGSM44BAEwggIoAoIBAQC6C1frs+7zGGQiLsFzZIGWsLw4GQBt
+U+yIhtN9FoKnrETZ3LqFEDpgCQorjc5I1TUmNPK2m3sf0SJFiC78T/dUpc4QPbff
+nafO6dt/HnMRmtbA9q3vst+UT+yMTU99+t9zbcBiLWdwaqgIaDJrsMMMWrtBPM8G
+KHU05cE0aeEFT6TB9XiQlAXhM3Fj+WWdZUTYUeTNk6s0lN8muf+HN2vayPOofVSF
+YMPMlb8N8usnJc4wC5tp7Q+a4rJHTGepjJH2EMBGyBkUxC1+gOy2dJV9QorJXpxf
+QEm9hOINpxnDENLkhswOFvZn+sMJj0uosF+fkLv4uowpuYt+30NR+Rx1Ah0AwPlJ
+zxzOj2RIHxXp/HY2aZf3JdOTKVpPnZ4pBQKCAQA1zk6QcNFgPlIocQxvuqqjNOZM
+VTGJs+iEWf9On32UhlRTegcdYtLN75MzOVfBrCqZCpEpO1fH00JwCCJTJrdWO33/
+p4O/k32KLTK77xGJaJWCtOidllqFAPIiqfPp+fL3aJMvsWZrhpnLwgKI1Q2xHlNs
+BKmBNT86xwkjqDoigdj+HzocrhfqsRPJ5M1ESINkZkkpKljpF4lsisn6VGgfuHBI
+rKeE4RDRD5nZ7RNby4dq+xDiMaROQ9DQMtsBSqnt5Y34BOl7D2SoFQILkQ1ac3Zi
++lg2OwzPwXEu9ur8fpF+eUA5LM73nK2jYq54q9kKwf2tCUIxemOtshphuxhfA4IB
+BQACggEAaTfsNDdG+SCALKV55SfcrgejkZN4/+a2fg1LU81tWACSOsY03BULzexa
+VS5Ji7VylFxdOEfrHRie1RcDm9K22i+b0M66jZAa24Es7s3paIhvuziwOlXkLTW0
+Iejrq62RYvYGPqgOXIk/ZEF8qx7nVV7veejQ66KEcZr+iSFRb06GjYsHtr3IHZAC
+8PB1GyxWKH+EgBPY4FPBKcU6dNnvB871UlWuso9Z5xoacyz5RKhfE2b7PaU4NpCJ
+N/871qIzCaD8kwC32042wHohTDHijSvwijjiY9twFQGcaTEkenFG6yHEXSg54Qk1
+ZJMV1HnACFLOjJNdJEn5LohpfS4yow==
+-----END PUBLIC KEY-----`;
+
+const ED25519_PRIVKEY = `-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIC18vtoHINC8Mo9dTIqOrBs3J28ZvHrwzRq57g2kpV98
+-----END PRIVATE KEY-----`;
+
+/*
+const ED25519_PUBKEY = `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAELP6AflXwsuZ5q4NDIO0LP2iCdKRvds4nwsUmRhOw3g=
+-----END PUBLIC KEY-----`;
+*/
+
+const ED448_PRIVKEY = `-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOWdGJ06bDcWznJhBoQqPeTfsCe+AvBv1n7KfIGYzR4tv
+1kcwHnbxlemnCMgqvbrRXaLuFUBysUZThA==
+-----END PRIVATE KEY-----`;
+
+/*
+const ED448_PUBKEY = `-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAVN8kG0TMVyGOu/OvBTe8H0Wi4HJrQAlSv4XLwJbkuoi4EeRl
+EHQwXsNYLZTtY2Jra6AWhbVYYaEA
+-----END PUBLIC KEY-----`;
+*/
+
+TestRegister.addTests([
+    {
+        name: "Public Key from Private Key: Missing footer",
+        input: RSA_PRIVKEY_PKCS1.substring(0, RSA_PRIVKEY_PKCS1.length / 2),
+        expectedOutput: "PEM footer '-----END RSA PRIVATE KEY-----' not found",
+        recipeConfig: [
+            {
+                op: "Public Key from Private Key",
+                args: [],
+            }
+        ],
+    },
+
+    // test RSA
+    {
+        name: "Public Key from Private Key: RSA PKCS#1",
+        input: RSA_PRIVKEY_PKCS1,
+        expectedOutput: (RSA_PUBKEY + "\n").replace(/\r/g, "").replace(/\n/g, "\r\n"),
+        recipeConfig: [
+            {
+                op: "Public Key from Private Key",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "Public Key from Private Key: RSA PKCS#8",
+        input: RSA_PRIVKEY_PKCS8,
+        expectedOutput: (RSA_PUBKEY + "\n").replace(/\r/g, "").replace(/\n/g, "\r\n"),
+        recipeConfig: [
+            {
+                op: "Public Key from Private Key",
+                args: [],
+            }
+        ],
+    },
+
+    // test EC certificate
+    {
+        name: "Public Key from Private Key: EC SEC1",
+        input: EC_P256_PRIVKEY_SEC1,
+        expectedOutput: (EC_P256_PUBKEY + "\n").replace(/\r/g, "").replace(/\n/g, "\r\n"),
+        recipeConfig: [
+            {
+                op: "Public Key from Private Key",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "Public Key from Private Key: EC PKCS#8",
+        input: EC_P256_PRIVKEY_PKCS8,
+        expectedOutput: (EC_P256_PUBKEY + "\n").replace(/\r/g, "").replace(/\n/g, "\r\n"),
+        recipeConfig: [
+            {
+                op: "Public Key from Private Key",
+                args: [],
+            }
+        ],
+    },
+
+    // test DSA
+    {
+        name: "Public Key from Private Key: DSA Traditional",
+        input: DSA_PRIVKEY_TRAD,
+        expectedOutput: (DSA_PUBKEY + "\n").replace(/\r/g, "").replace(/\n/g, "\r\n"),
+        recipeConfig: [
+            {
+                op: "Public Key from Private Key",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "Public Key from Private Key: DSA PKCS#8",
+        input: DSA_PRIVKEY_PKCS8,
+        expectedOutput: "DSA Private Key in PKCS#8 is not supported",
+        recipeConfig: [
+            {
+                op: "Public Key from Private Key",
+                args: [],
+            }
+        ],
+    },
+
+    // test EdDSA
+    {
+        name: "Public Key from Private Key: Ed25519",
+        input: ED25519_PRIVKEY,
+        expectedOutput: "Unsupported key type: Error: malformed PKCS8 private key(code:004)",
+        recipeConfig: [
+            {
+                op: "Public Key from Private Key",
+                args: [],
+            }
+        ],
+    },
+    {
+        name: "Public Key from Private Key: Ed448",
+        input: ED448_PRIVKEY,
+        expectedOutput: "Unsupported key type: Error: malformed PKCS8 private key(code:004)",
+        recipeConfig: [
+            {
+                op: "Public Key from Private Key",
+                args: [],
+            }
+        ],
+    },
+
+    // test multi-input
+    {
+        name: "Public Key from Private Key: Multiple keys",
+        input: RSA_PRIVKEY_PKCS8 + "\n" + EC_P256_PRIVKEY_PKCS8,
+        expectedOutput: (RSA_PUBKEY + "\n" + EC_P256_PUBKEY + "\n").replace(/\r/g, "").replace(/\n/g, "\r\n"),
+        recipeConfig: [
+            {
+                op: "Public Key from Private Key",
+                args: [],
+            }
+        ],
+    }
+]);