x5u
Registry Context
The `x5u` JWK parameter is a URI pointing to an X.509 certificate or certificate chain. The resource must provide PEM-encoded, RFC 5280-conformant certificate data. Its first certificate must contain the same public key as the JWK, and retrieval must provide integrity protection.
Technical Summary
RFC 7517 Section 4.6 defines `x5u` as a URI referring to an X.509 public key certificate or certificate chain. The resource representation must conform to RFC 5280 and use PEM encoding with RFC 4945 certificate delimiters. HTTP GET retrieval must use TLS, with server identity validated according to RFC 6125 Section 6. Other JWK members, including `use` and `alg` when present, must be semantically consistent with the first certificate.
When Used
When a JWK identifies certificate material through a URI.
Normative Requirements
Requests
RFC 7517 - Section 4.6
use TLS.
An HTTP GET request to retrieve the certificate MUST use TLS.
Other JWK members present alongside `x5u`
RFC 7517 - Section 4.6
be semantically consistent with related fields in the first certificate.
Condition: When other members are present
The contents of other present members MUST be semantically consistent with related fields in the first certificate.
The `alg` member
RFC 7517 - Section 4.6
correspond to the algorithm specified in the certificate.
Condition: When `alg` is present
If the "alg" member is present, it MUST correspond to the algorithm specified in the certificate.
The `use` member
RFC 7517 - Section 4.6
correspond to the usage specified in the certificate.
Condition: When `use` is present and the certificate includes usage information
If the "use" member is present, it MUST correspond to the usage specified in the certificate, when included.
The `x5u` member
RFC 7517 - Section 4.6
be used.
Use of this member is OPTIONAL.
The identified resource
RFC 7517 - Section 4.6
provide an RFC 5280-conformant representation of the certificate or certificate chain in PEM-encoded form, with each certificate delimited as specified in RFC 4945 Section 6.1.
Condition: When identified by the `x5u` parameter
The identified resource MUST provide an RFC 5280-conformant certificate or certificate-chain representation in PEM-encoded form.
The key in the first certificate
RFC 7517 - Section 4.6
match the public key represented by other members of the JWK.
The key in the first certificate MUST match the public key represented by other members of the JWK.
The protocol used to acquire the resource
RFC 7517 - Section 4.6
provide integrity protection.
The protocol used to acquire the resource MUST provide integrity protection.
The resource-retrieving implementation
RFC 7517 - Section 4.6
validate the identity of the server according to RFC 6125 Section 6.
Condition: When retrieving the certificate using TLS
The identity of the server MUST be validated, as per Section 6 of RFC 6125.
Validation Guidance
Verify that `x5u` is a URI referring to an X.509 public key certificate or certificate chain.
Verify that the retrieved resource is an RFC 5280-conformant certificate or certificate chain in PEM-encoded form using the required certificate delimiters.
Verify that the public key in the first certificate matches the public key represented by the JWK.
Require an integrity-protected retrieval protocol. For HTTP GET retrieval, require TLS and validate the server identity according to RFC 6125 Section 6.
Verify that all other present JWK members are semantically consistent with related fields in the first certificate.
If `use` is present and the certificate contains usage information, verify that the values correspond.
If `alg` is present, verify that it corresponds to the algorithm specified in the certificate.
Security Notes
RFC 7517 - Section 4.6
The acquisition protocol must provide integrity protection. HTTP GET retrieval must use TLS, and the server identity must be validated according to RFC 6125 Section 6.
RFC 7517 - Section 4.6
The public key in the first certificate must match the public key represented by the other JWK members.
Reference
Details
- Entry Id
x5u- Parameter Name
x5u- Parameter Description
X.509 URL- Used With Kty Value
*- Parameter Information Class
Public- Change Controller
IESG- Reference
RFC7517 - Section 4.6