x5t
Registry Context
Carries the SHA-1 thumbprint of the X.509 certificate associated with a JWK.
Technical Summary
The `x5t` JWK parameter contains the base64url-encoded SHA-1 digest of the DER encoding of an X.509 certificate. The certificate's key must match the public key represented by the JWK, and any other JWK members must be semantically consistent with related certificate fields.
When Used
When a JWK includes the SHA-1 thumbprint of an associated X.509 certificate.
Normative Requirements
Optional JWK members providing key usage, algorithm, or other information
RFC 7517 - Section 4.8
also be present..
Condition: When the `x5t` member is used.
optional JWK members providing key usage, algorithm, or other information MAY also be present
The contents of other JWK members
RFC 7517 - Section 4.8
be semantically consistent with related fields in the referenced certificate..
Condition: If other JWK members are present with `x5t`.
the contents of those members MUST be semantically consistent with the related fields in the referenced certificate.
The key in the certificate
RFC 7517 - Section 4.8
match the public key represented by other members of the JWK..
Condition: When the `x5t` member is used.
The key in the certificate MUST match the public key represented by other members of the JWK.
Use of the `x5t` member
RFC 7517 - Section 4.8
be optional..
Use of this member is OPTIONAL.
Validation Guidance
Validate that `x5t` is a base64url-encoded SHA-1 digest of the DER encoding of the associated X.509 certificate.
When the associated certificate is available, verify that its key matches the public key represented by the JWK.
Do not require `x5t` for a JWK to be valid.
If other JWK members are present with `x5t`, verify that their contents are semantically consistent with related fields in the associated certificate.
Reference
Details
- Entry Id
x5t- Parameter Name
x5t- Parameter Description
X.509 Certificate SHA-1 Thumbprint- Used With Kty Value
*- Parameter Information Class
Public- Change Controller
IESG- Reference
RFC7517 - Section 4.8