How to use Certificate in place of direct Keys for JWS

I would like to use private and public certificates instead of directly using private and public keys for signing and verifying a JSON payload using the Apigee JWS policies.

We can observe that the policy has an option to add a JWKS during verification, but if I have certificates, how do I make a JWKS with them?

And can I use a JWKS for signing a JSON payload as well, using the Apigee policy?

Can we use the keystore present in Apigee for saving a JWKS?


> I would like to use private and public certificates instead of directly using private and public keys for signing and verifying a JSON payload using the Apigee JWS policies.

I will help you. First I want to clarify your situation. My understanding is:

  • an X509 certificate is a way for an entity to encode a public key, and other data (domain name, owner, expiry, etc.) in a signed payload. For the purposes of public key crypto, a certificate is a vehicle for carrying the public key, and allowing any viewer to determine whether to trust that key, based on the signer of the certificate. For example, I can register a website at www.mywebsite.com and ask a certificate authority (let's say, GoDaddy, or Verisign) to sign my public key, and assert that the public key belongs to www.mywebsite.com.
  • I have never heard of a private certificate.

Given that, can you clarify this statement?

> I would like to use private and public certificate

I think you are referring to public/private key cryptography, because you are saying "private and public", even though I have some confusion about your use of the word "certificate" in there. And you said JWS, so that means Signing (not encrypting). Public/private key crypto, and signing, means you will use one of the algorithms in the RS*, PS*, or ES* sets.

For those algorithms, the documentation for the GenerateJWS policy states that you must supply the private key as a PEM-encoded key.


For later verifying that JWS, with VerifyJWS, you must supply the corresponding public key. You have options for the format in which you supply the public key. The documentation states that you must specify either a JWKS, or an encoded public key. 


There is one more option that is not mentioned in the documentation: you could supply an encoded certificate there, under the Value element. It works the same as the public key option, but it will look like "-----BEGIN CERTIFICATE-----".

If you choose to use the JWKS option, there are a number of sub-options:

  • specify the JWKS payload directly, in the policy configuration
  • specify a context variable which Apigee will dereference, to obtain the JWKS payload
  • specify the URL at which Apigee will retrieve the JWKS
  • specify a context variable which Apigee will dereference, to find the URL at which Apigee will retrieve the JWKS 

OK, does that clarify things further for you?

> Can I use a JWKS for signing a JSON payload as well, using the Apigee policy?

No, you must have a PEM-encoded private key, as per the documentation.

> Can we use the keystore present in Apigee for saving a JWKS?

No, you must use one of the options I described above; the same options are also described in the documentation for the policy.
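As an added example, not part of the original thread and not Apigee's own code, the Go program below shows concretely what "making a JWKS from a certificate" means: it parses a PEM certificate, lifts the RSA public key out of it, publishes that key as a JWK (with the DER certificate itself carried in `x5c`), signs a payload with the matching private key using RS256 (one of the RS* algorithms named in the reply), and verifies the result against that JWKS, selecting the key by `kid` and refusing any other `alg`. The self-signed certificate, the `kid` value `signer-1`, and all function names are assumptions constructed for the demo; in practice the certificate comes from your CA and the private key stays in your keystore.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK holds the RFC 7517 fields for one RSA verification key; x5c carries the DER certificate in standard base64.
type JWK struct {
	Kty string   `json:"kty"`
	Kid string   `json:"kid"`
	N   string   `json:"n"`
	E   string   `json:"e"`
	X5c []string `json:"x5c,omitempty"`
}

type JWKS struct{ Keys []JWK `json:"keys"` } // the {"keys":[...]} document a verifier is handed
var b64 = base64.RawURLEncoding                 // JOSE encoding: base64url without padding

// JWKFromCertPEM extracts the RSA public key from a PEM certificate and returns it as a JWK named kid.
func JWKFromCertPEM(certPEM []byte, kid string) (JWK, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return JWK{}, fmt.Errorf("expected a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return JWK{}, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return JWK{}, fmt.Errorf("certificate does not carry an RSA key")
	}
	return JWK{Kty: "RSA", Kid: kid,
		N:   b64.EncodeToString(pub.N.Bytes()),
		E:   b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
		X5c: []string{base64.StdEncoding.EncodeToString(cert.Raw)}}, nil
}

// SignRS256 builds a compact JWS (header.payload.signature) with the private key.
func SignRS256(priv *rsa.PrivateKey, kid string, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 selects the JWKS key named by the header kid, pins alg to RS256, and returns the payload only if the signature is valid.
func VerifyRS256(jwks JWKS, token string) ([]byte, error) {
	parts := strings.Split(token, ".") // always has at least one element
	hdrBytes, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed JWS, or alg is not RS256")
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if pub == nil || err != nil {
		return nil, fmt.Errorf("no JWKS key for kid %q, or undecodable signature", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	return b64.DecodeString(parts[1])
}

// NewSelfSignedCert makes a throwaway key and certificate; constructed for this demo only.
func NewSelfSignedCert() (*rsa.PrivateKey, []byte) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	_, certPEM := NewSelfSignedCert()
	jwk, _ := JWKFromCertPEM(certPEM, "signer-1")
	doc, _ := json.MarshalIndent(JWKS{Keys: []JWK{jwk}}, "", "  ")
	fmt.Println(string(doc)) // the JWKS payload a verifier would be given inline or fetched from a URL
}
```

The verifier side is where the defensive choices live: the `alg` is pinned to RS256 rather than trusted from the token, the key is chosen by `kid` so rotating certificates only means publishing a new JWK, and the payload is returned only after the signature check passes.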