
Invalid JWKS certificate

Newer versions of OpenSSL reject the certificate returned from https://newhippo.auth0.com/.well-known/jwks.json.

curl -s https://newhippo.auth0.com/.well-known/jwks.json | jq -r .keys[0].x5c[0] | base64 --decode | openssl x509 -inform der -noout -text -in /dev/stdin
unable to load certificate
140174787252288:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:../crypto/asn1/a_int.c:187:
140174787252288:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:626:Field=serialNumber, Type=X509_CINF
140174787252288:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:626:Field=cert_info, Type=X509

Older versions of OpenSSL correctly show the certificate information:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9096867982294606615 (0x7e3e913b8d4b6317)

It looks like the serial number has the high bit set, as in these other reports:

Could a new certificate be added to our tenant?
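An added check for this situation (example code, written here, not Auth0's or the poster's): it walks just enough DER to reach TBSCertificate.serialNumber of each x5c certificate in a JWKS and reports both a negative serial (first content byte with the high bit set, which RFC 5280 forbids) and the superfluous leading padding byte that newer OpenSSL rejects as "illegal padding". The JWKS and the certificates in it are constructed and truncated to the fields the walker reads; the curl pipeline above can feed it a real document.

```python
import base64
import json


def read_tlv(buf, off):
    """Return (tag, content_offset, content_length) for the TLV at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, length


def serial_number_der(cert):
    """Return the raw content octets of TBSCertificate.serialNumber."""
    _, tbs_off, _ = read_tlv(cert, 0)                 # Certificate SEQUENCE
    _, off, _ = read_tlv(cert, tbs_off)               # TBSCertificate SEQUENCE
    tag, c_off, c_len = read_tlv(cert, off)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        tag, c_off, c_len = read_tlv(cert, c_off + c_len)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return cert[c_off:c_off + c_len]


def check_serial(content):
    """Classify INTEGER content octets the way a strict DER parser does."""
    if not content:                                    # zero-length INTEGER is invalid
        return {"hex": "", "negative": False, "illegal_padding": True}
    negative = bool(content[0] & 0x80)
    illegal = False
    if len(content) > 1:
        # DER allows a leading 0x00 only before a byte with the high bit set,
        # and a leading 0xFF only before a byte with the high bit clear.
        illegal = (content[0] == 0x00 and not content[1] & 0x80) or \
                  (content[0] == 0xFF and bool(content[1] & 0x80))
    return {"hex": content.hex(), "negative": negative, "illegal_padding": illegal}


def check_jwks(jwks_text):
    """Check the first x5c certificate of every key in a JWKS document."""
    return [check_serial(serial_number_der(base64.b64decode(k["x5c"][0])))
            for k in json.loads(jwks_text)["keys"]]


# Constructed, truncated certificates: Certificate { TBSCertificate { version v3, serial } }
GOOD = bytes.fromhex("3011300fa00302010202087e3e913b8d4b6317")    # minimal, positive
NEGATIVE = bytes.fromhex("3011300fa00302010202088e3e913b8d4b6317")  # high bit set
PADDED = bytes.fromhex("30123010a0030201020209007e3e913b8d4b6317")  # needless 0x00 pad
SAMPLE_JWKS = json.dumps({"keys": [{"x5c": [base64.b64encode(c).decode()]}
                                   for c in (GOOD, NEGATIVE, PADDED)]})

if __name__ == "__main__":
    for result in check_jwks(SAMPLE_JWKS):
        print(result)
```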


Hey there @neil.gentleman, I wanted to let you know I am looking into this and will relay what I find. Thank you.

After talking with the team it sounds like you worked with Tim on this and had a ticket open in regards to getting this resolved. So as not to duplicate effort I will let our support team handle this but will share the resolution here for history's sake. Thanks!