I have the need to generate a JWK with the following parameters:
“kty”: Key Type
“kid”: Key ID
“use”: “sig” Public Key Use
“n”: the modulus
“e”: “AQAB” the public exponent
“x5c”: X. 509 Certificate Chain
“x5t”: X.509 Certificate SHA-1 Thumbprint
Note:
JWKs should contain a public key using RSA algorithm. RSA provides a key ID for key matching purposes.
Should contain X.509 certificate using both “x5t” (X.509 SHA-1 Thumbprint) and “x5c” (X.509 certificate Chain) parameters
The first 5 parameters ("kty", "kid", "use", "n", "e") are fairly straight forward and not an issue. However, for the "x5c" and "x5t" components, I am not sure how to generate these. It seems as I can create an x509 cert using tools such as the one found at https://www.samltool.com/self_signed_certs.php and I suppose the x509 cert generated there would be the x5c parameter. Is this correct and how would I generate a x5t (cert thumbprint) from this?
All help is appreciated.
Since you have neither a tool nor a language tagged, I assume that it is rather a general explanation of both parameters.
In x5c a certificate or certificate chain is stored, in x5t the associated thumbprint. A certificate or certificate chain is used to prove ownership of a public key, the thumbprint is a hash of a certificate used to identify/compare certificates.
The exact definition of both parameters is described in RFC 7517, JSON Web Key (JWK), chapters 4.7 x5c and 4.8 x5t:
The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The key in the first certificate MUST match the public key represented by other members of the JWK. Use of this member is OPTIONAL...
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. The key in the certificate MUST match the public key represented by other members of the JWK. Use of this member is OPTIONAL.
Creation of a certificate:
A self signed certificate can (apart from the online tool you use) also be generated e.g. with OpenSSL. The following OpenSSL statement
openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.crt -days 365
generates a private (unencrypted) PEM encoded 4096 bit key in PKCS#8 format (key.pem):
-----BEGIN PRIVATE KEY-----
MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDkWIfV9uL3XMay
...
OPAsywknGU1A/xTa3fFKO9KV6t/T9z3G
-----END PRIVATE KEY-----
and a PEM encoded certificate (cert.crt):
-----BEGIN CERTIFICATE-----
MIIF4zCCA8ugAwIBAgIJAKSZ5oC4tblkMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
...
6aBMYeKy0dqjtZIlO8rm2Rialc7Qt+0=
-----END CERTIFICATE-----
For more options and details, see openssl req and the post How to generate a self-signed SSL certificate using OpenSSL?.
Note that a self-signed certificate is signed by the owner. Self-signed certificates are used on internal pages or in test environments. A CA-signed certificate, in contrast, is signed by a third-party, publicly trusted certificate authority (CA) like DigiCert or Thawte etc. used e.g. for public-facing websites, s. also here. A signed certificate is requested with a CSR.
Certificates, certificate chains, certificate authorities, etc. are part of a public key infrastructure.
Example use of x5c:
In Appendix B of RFC 7517, an example of the use of the x5c parameter is given. The DER encoded certificate is Base64 encoded and is contained in a JSON array:
{
"kty":"RSA",
"use":"sig",
"kid":"1b94c",
"n":"vrjOfz9Ccdgx5nQudyhdoR17V-IubWMeOZCwX_jj0hgAsz2J_pqYW08
PLbK_PdiVGKPrqzmDIsLI7sA25VEnHU1uCLNwBuUiCO11_-7dYbsr4iJmG0Q
u2j8DsVyT1azpJC_NG84Ty5KKthuCaPod7iI7w0LK9orSMhBEwwZDCxTWq4a
YWAchc8t-emd9qOvWtVMDC2BXksRngh6X5bUYLy6AyHKvj-nUy1wgzjYQDwH
MTplCoLtU-o-8SNnZ1tmRoGE9uJkBLdh5gFENabWnU5m1ZqZPdwS-qo-meMv
VfJb6jJVWRpl2SUtCnYG2C32qvbWbjZ_jBPD5eunqsIo1vQ",
"e":"AQAB",
"x5c":
["MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJB
gNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYD
VQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1
wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBg
NVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDV
QQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1w
YmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnH
YMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66
s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6
SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpn
fajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPq
PvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVk
aZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BA
QUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL
+9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1
zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL
2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo
4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTq
gawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA=="]
}
Note that the line breaks within values are for display purposes only. The DER encoding results from the PEM encoding by removing header, footer and line breaks and Base64 decoding the rest, i.e. the Base64 decoded DER encoded certificate is the body of the PEM encoded certificate without line breaks.
For a certificate chain, the certificates are separated by commas, see e.g. RFC 7515, Appendix B, x5c.
Thumbprint/Fingerprint:
The thumbprint of a certificate is the SHA-1 hash of the DER encoded certificate and can be generated with OpenSSL as follows, s. also here:
openssl x509 -in cert.crt -noout -fingerprint
Here cert.crt is the PEM encoded certificate. For more details, see openssl x509.
Example: If the certificate from RFC 7517, Appendix B is used, the OpenSSL statement returns the following output:
SHA1 Fingerprint=E2:93:5E:9C:40:4B:BF:42:69:2C:87:6E:81:6C:50:90:EB:19:70:AD
i.e. the hex encoded thumbprint is: E2935E9C404BBF42692C876E816C5090EB1970AD or Base64url encoded: 4pNenEBLv0JpLIdugWxQkOsZcK0. The latter is the value of x5t:
"x5t":"4pNenEBLv0JpLIdugWxQkOsZcK0"