Generate x5c certificate chain from JWK

Question

I am using nimbus-jose-jwt 5.14 and I generated RSA key pair with the following code

    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair keyPair = gen.generateKeyPair();
    JWK jwk = new RSAKey.Builder((RSAPublicKey)keyPair.getPublic())
        .privateKey((RSAPrivateKey)keyPair.getPrivate())
        .keyUse(KeyUse.SIGNATURE)
        .keyID(UUID.randomUUID().toString())
        .build();

Now I need to expone some "metadata" about the public key:

e
kid
kty
n
use
x5c

How can I obtain x5c ? Is it possible to generate X509 certificate with this library? This field is null:

if (jwk.getX509CertChain() == null)

Related https://stackoverflow.com/questions/74537270/how-to-include-x5t-and-x5c-in-jwk-output — dr0pdb, Jul 13 '23 at 18:41

pedrofb · Answer 1 · 2019-06-06T14:57:12.910

3

You have generated a key pair, not a certificate. A certificate contains a public key but it is not derived from it, so you can't get a certificate directly from the public key.

To verify a JWT the recipient only needs the public key, so publishing the x5c is in fact unnecesary for this purpose

If you really want to publish a certificate, I suggest to generate it with OpenSSL and import the public key in your code to get the JWK parameters

openssl req -x509 -newkey rsa:2048 -keyout key.pem  -days 365 -out certificate.pem

edited Jun 06 '19 at 14:57

answered Jun 06 '19 at 14:38

pedrofb

37,271
5
94
142

How can I generate a certificate with other tools? – pacionet Jun 06 '19 at 14:51

Generate x5c certificate chain from JWK

1 Answers1

Linked