JWK Key Creation With X5c And X5t Parameters - Stack Overflow

JWK Key Creation with x5c and x5t parameters

Asked 3 years, 2 months ago. Modified 1 year, 10 months ago. Viewed 27k times. Score: 16

I have the need to generate a JWK with the following parameters:

  • “kty”: Key Type

  • “kid”: Key ID

  • “use”: “sig” Public Key Use

  • “n”: the modulus

  • “e”: “AQAB” the public exponent

  • “x5c”: X.509 Certificate Chain

  • “x5t”: X.509 Certificate SHA-1 Thumbprint

Note:

  • JWKs should contain a public key using the RSA algorithm. RSA provides a key ID for key matching purposes.

  • Should contain X.509 certificate using both “x5t” (X.509 SHA-1 Thumbprint) and “x5c” (X.509 certificate Chain) parameters

The first 5 parameters ("kty", "kid", "use", "n", "e") are fairly straightforward and not an issue. However, for the "x5c" and "x5t" components, I am not sure how to generate these. It seems as if I can create an x509 cert using tools such as the one found at https://www.samltool.com/self_signed_certs.php and I suppose the x509 cert generated there would be the x5c parameter. Is this correct, and how would I generate an x5t (cert thumbprint) from this?

All help is appreciated.

edited Sep 17, 2021 at 16:44; asked Sep 14, 2021 at 14:39 by GregH

2 Answers

Score: 32 (+500 bounty)

Since you have neither a tool nor a language tagged, I assume that it is rather a general explanation of both parameters.

In x5c a certificate or certificate chain is stored, in x5t the associated thumbprint. A certificate or certificate chain is used to prove ownership of a public key, the thumbprint is a hash of a certificate used to identify/compare certificates.

The exact definition of both parameters is described in RFC 7517, JSON Web Key (JWK), chapters 4.7 x5c and 4.8 x5t:

  • x5c:

The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The key in the first certificate MUST match the public key represented by other members of the JWK. Use of this member is OPTIONAL...

  • x5t:

The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. The key in the certificate MUST match the public key represented by other members of the JWK. Use of this member is OPTIONAL.

Creation of a certificate:

A self-signed certificate can (apart from the online tool you use) also be generated e.g. with OpenSSL. The following OpenSSL statement

openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.crt -days 365

generates a private (unencrypted) PEM encoded 4096 bit key in PKCS#8 format (key.pem):

-----BEGIN PRIVATE KEY----- MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDkWIfV9uL3XMay ... OPAsywknGU1A/xTa3fFKO9KV6t/T9z3G -----END PRIVATE KEY-----

and a PEM encoded certificate (cert.crt):

-----BEGIN CERTIFICATE----- MIIF4zCCA8ugAwIBAgIJAKSZ5oC4tblkMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD ... 6aBMYeKy0dqjtZIlO8rm2Rialc7Qt+0= -----END CERTIFICATE-----

For more options and details, see openssl req and the post How to generate a self-signed SSL certificate using OpenSSL?.

Note that a self-signed certificate is signed by the owner. Self-signed certificates are used on internal pages or in test environments. A CA-signed certificate, in contrast, is signed by a third-party, publicly trusted certificate authority (CA) like DigiCert or Thawte etc. used e.g. for public-facing websites, s. also here. A signed certificate is requested with a CSR.

Certificates, certificate chains, certificate authorities, etc. are part of a public key infrastructure.

Example use of x5c:

In Appendix B of RFC 7517, an example of the use of the x5c parameter is given. The DER encoded certificate is Base64 encoded and is contained in a JSON array:

    {
      "kty":"RSA",
      "use":"sig",
      "kid":"1b94c",
      "n":"vrjOfz9Ccdgx5nQudyhdoR17V-IubWMeOZCwX_jj0hgAsz2J_pqYW08
           PLbK_PdiVGKPrqzmDIsLI7sA25VEnHU1uCLNwBuUiCO11_-7dYbsr4iJmG0Q
           u2j8DsVyT1azpJC_NG84Ty5KKthuCaPod7iI7w0LK9orSMhBEwwZDCxTWq4a
           YWAchc8t-emd9qOvWtVMDC2BXksRngh6X5bUYLy6AyHKvj-nUy1wgzjYQDwH
           MTplCoLtU-o-8SNnZ1tmRoGE9uJkBLdh5gFENabWnU5m1ZqZPdwS-qo-meMv
           VfJb6jJVWRpl2SUtCnYG2C32qvbWbjZ_jBPD5eunqsIo1vQ",
      "e":"AQAB",
      "x5c":
        ["MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJB
          gNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYD
          VQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1
          wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBg
          NVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDV
          QQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1w
          YmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnH
          YMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66
          s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6
          SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpn
          fajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPq
          PvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVk
          aZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BA
          QUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL
          +9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1
          zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL
          2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo
          4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTq
          gawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA=="]
    }

Note that the line breaks within values are for display purposes only. The DER encoding results from the PEM encoding by removing header, footer and line breaks and Base64 decoding the rest, i.e. the Base64 decoded DER encoded certificate is the body of the PEM encoded certificate without line breaks.

For a certificate chain, the certificates are separated by commas, see e.g. RFC 7515, Appendix B, x5c.

Thumbprint/Fingerprint:

The thumbprint of a certificate is the SHA-1 hash of the DER encoded certificate and can be generated with OpenSSL as follows, s. also here:

openssl x509 -in cert.crt -noout -fingerprint

Here cert.crt is the PEM encoded certificate. For more details, see openssl x509.

Example: If the certificate from RFC 7517, Appendix B is used, the OpenSSL statement returns the following output:

SHA1 Fingerprint=E2:93:5E:9C:40:4B:BF:42:69:2C:87:6E:81:6C:50:90:EB:19:70:AD

i.e. the hex encoded thumbprint is: E2935E9C404BBF42692C876E816C5090EB1970AD or Base64url encoded: 4pNenEBLv0JpLIdugWxQkOsZcK0. The latter is the value of x5t:

"x5t":"4pNenEBLv0JpLIdugWxQkOsZcK0"

answered Sep 18, 2021 at 6:50 by Topaco
  • I have a cert (.cer file) from digicert however I'm not sure how to get the certificate chain from it. How can I get the base64 encoded version of a DER encoded certificate with my .cer file? If I can overcome this, then I think I'll be good to go and will gladly accept – GregH Commented Sep 20, 2021 at 17:11
  • @GregH - The extension .cer is ambiguous and can contain PEM or DER encoded certificates. You can easily identify a PEM encoded certificate by its header and footer: -----BEGIN/END CERTIFICATE-----. In this case you only need to remove the header, footer and line breaks, so that only the Base64 encoded data remains. If the file contains binary data, it is most likely a DER encoded certificate. Then the data must be Base64 encoded. For both cases the Base64 encoded data is to be entered into the x5c field (as JSON array i.e. with square brackets, see the example in my answer). – Topaco Commented Sep 20, 2021 at 19:39
  • @GregH - A possible certificate chain should be made transparent by DigiCert, s. e.g. Certificates and Certificate chain. But there are also tools, e.g. whatsmychaincert.com. Then, in addition to the certificate, also the certificates of the chain must be entered in the x5c field (as JSON array i.e. comma-separated, with square brackets, pay attention to the order of the certificates, see the description and the example in my answer). – Topaco Commented Sep 20, 2021 at 19:51
  • @Topaco I don't understand how you create the x5t. When I urlencode that String, I get a different value: System.out.println( Base64.getEncoder().encodeToString("E2935E9C404BBF42692C876E816C5090EB1970AD".getBytes())); returns RTI5MzVFOUM0MDRCQkY0MjY5MkM4NzZFODE2QzUwOTBFQjE5NzBBRA== – user2820906 Commented Nov 1, 2022 at 14:43
  • @user2820906 - E2935E9C404BBF42692C876E816C5090EB1970AD is the hex encoded value, i.e. you've to hex decode before Base64url encoding: gchq.github.io/CyberChef/… – Topaco Commented Nov 1, 2022 at 15:01

Score: 3

Thank you @Topaco for the last comment on your own answer. For anyone still confused, here's a complete flow with sample code:

In a JS environment with Buffer and crypto:

    // Node: the WebCrypto API is exposed as `crypto.webcrypto` (and as a global `crypto` from v19)
    const { webcrypto } = require('crypto');

    function generateX5t(certificate) {
      // Extract everything between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`
      // and remove all line breaks; what remains is the Base64 of the DER encoded certificate
      const data = certificate
        .replace(/-----BEGIN CERTIFICATE-----/, '')
        .replace(/-----END CERTIFICATE-----/, '')
        .replace(/\s+/g, '');
      // SHA-1 over the raw DER bytes (Base64 decoded), not over the Base64 text
      const sha1 = webcrypto.subtle.digest('SHA-1', Buffer.from(data, 'base64'));
      // Base64url encode the 20 byte digest: this is the x5t value
      const x5t = sha1.then((r) => Buffer.from(r).toString('base64url'));
      return x5t;
    }

    const certificate = `-----BEGIN CERTIFICATE-----
    MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJB
    gNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYD
    VQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1
    wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBg
    NVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDV
    QQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1w
    YmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnH
    YMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66
    s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6
    SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpn
    fajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPq
    PvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVk
    aZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BA
    QUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL
    +9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1
    zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL
    2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo
    4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTq
    gawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA==
    -----END CERTIFICATE-----`;

    generateX5t(certificate).then((r) => console.log(r));

To summarize:

1. Get certificate content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

2. Remove new lines or line breaks

MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDVQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDVQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1wYmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnHYMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpnfajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPqPvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVkaZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL+9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTqgawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA==

3. Decode the resulting string as Base64

4. SHA1 encode the result

5. HEX decode the result

6. URL-safe Base64 encode the result, this is the value for x5t

edited Jan 19, 2023 at 8:44; answered Jan 19, 2023 at 6:23 by Ashesh
