How to get PUBLIC KEY PEM from jwks.json

Our backend application requires the public cert of the signing key, in PEM format.

The jwks.json url at https://domainauth0.com/.well-known/jwks.json spits back:

{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "n": "...",
      "e": "....",
      "kid": "...",
      "x5t": "...",
      "x5c": ["...="
      ]
    },
...

The x5c array looks almost right, but it’s clearly not the right format for our application, which expects:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQE...
BAQUAA4GNADCBiQKBg...
QDdlatRjRjogo3WojgGH....
-----END PUBLIC KEY-----

What’s the simplest way to get this public cert? Is it related to the Signing Certificate available in the advanced section of the auth0 tenant application?

Hi @dch,

Welcome to the Community!

You can quickly get the PEM formatted public key cert from the /pem endpoint.

For example:

https://my-auth0-domain.com/pem

I tried this earlier, and it’s not sufficient. It returns this format:

-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIJIuh42TrceKqdMA0GCSqGSIb3DQEBCwUAMCQxI...

Which looks like CRT to me, not PEM, I’m no expert here.

However this worked:

$ curl -s https://:domain.auth0.com/pem | openssl x509 -pubkey -noout

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsIhk...

Can you shed any light on why these 2 formats are different?

thanks Dan!

1 Like

It looks like the cert you get from the /pem endpoint is a public certificate that contains other information in addition to the public key. If you decode it, you can see other information.

The result from your openSSL command extracts the public key from the original cert.

My original response said you could get the PEM formatted public key from the /pem endpoint, which is not exactly correct. It looks like you get a PEM formatted cert that contains the public key. I’ll edit it.

thanks Dan! It would be excellent to have an easily fetchable endpoint that provides the cert. This way https://:domain.auth0.com/.well-known/jwks.json or similar would allow us to always have the up to date keys even in the event of key rotation. Great for automated devops.

You should be using the JWKS endpoint to do that.

It was in fact the first thing I tried. How does one go from seeing this and being largely confused:

{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "n": "...",
      "e": "...,
      "kid": "...",
      "x5t": "...",
      "x5c": [
        "MIIDDTCCA...

To knowing aah yeah MIIDDTCCA I recognise that. Clear as mud, that’s obviously the contents of a CRT encoded cert and I’ll just whip out openssl to translate that into the public key I actually need?

And is it, in fact, that pub-key I need? I’m still not clear on that?

What framework/language are you using? There are libraries that handle all of this for you, you shouldn’t have to manually set anything unless you are wanting to or have a very specific use-case. Most of our SDKs allow you to set a domain and will retrieve your public key automatically.

Thanks. So you want to verify JWTs directly in your CouchDB? That is where you need the PEM formatted public key?

Yep. I have this working, but only with the ---- BEGIN PUBLIC KEY ---- style format.