I'm looking for a way to generate the x5t thumbprint that is part of the JWT header set.
=> The "x5t" (X.509 certificate thumbprint) header parameter provides a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate that can be used to match a certificate.
The manual process I'm using is:
- Use OpenSSL to convert a PKCS12 key to DER formatted cert.
- Use OpenSSL to generate the fingerprint
- Use a bash script to base64url encode it
Any thoughts on how this could be automated in Policy Manager?
Good afternoon, I would recommend that you upgrade to CR3 for 9.3 or higher as there was an issue in how the x5t value was created before this. I've also attached a policy with an example of JWKS. This is a mirror to the policy included in the documentation: Working with JSON Web Tokens - CA API Gateway - 9.4 - CA Technologies Documentation
Thanks for that. It wasn't clear to me from the docs how to access the x5t value. But I think I got there.
I've modified (attached) the sample policy to extract the x5t value into a context variable so that you can insert it into the headers of the JWT that gets created (in case anyone else is attempting the same).
Do you need any additional assistance?
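
The manual steps from the question (DER bytes, digest, base64url) are shown below as an added Python example; it is not code from this thread or from the CA API Gateway product. RFC 7515 defines "x5t" over a SHA-1 digest and "x5t#S256" over a SHA-256 digest, so the example returns both. The sample bytes are constructed placeholders rather than a real certificate, and all function names are hypothetical.

```python
import base64
import hashlib


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, the form JWS header values use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor lines and decode the body to DER bytes."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def thumbprints(der: bytes) -> dict:
    """Digest the raw DER bytes and return both RFC 7515 header values."""
    return {
        "x5t": b64url(hashlib.sha1(der).digest()),
        "x5t#S256": b64url(hashlib.sha256(der).digest()),
    }


def from_openssl_fingerprint(fp: str) -> str:
    """Convert `openssl x509 -fingerprint` output ('...=AB:CD:...') to base64url.

    The hex must be decoded to bytes first; base64url-encoding the hex
    text itself yields a value that never matches a certificate.
    """
    hex_part = fp.split("=", 1)[-1].replace(":", "").strip()
    return b64url(bytes.fromhex(hex_part))


# Constructed placeholder bytes standing in for a DER-encoded certificate.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-not-a-real-cert"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for name, value in thumbprints(der).items():
        print(f"{name}: {value}")
    # Same result starting from an OpenSSL-style colon-separated fingerprint.
    fp = "SHA1 Fingerprint=" + ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())
    print("from fingerprint:", from_openssl_fingerprint(fp))
```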