Invalid JWKS certificate

Newer versions of OpenSSL reject the certificate returned from https://newhippo.auth0.com/.well-known/jwks.json.

curl -s https://newhippo.auth0.com/.well-known/jwks.json | jq -r .keys[0].x5c[0] | base64 --decode | openssl x509 -inform der -noout -text -in /dev/stdin
unable to load certificate
140174787252288:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:../crypto/asn1/a_int.c:187:
140174787252288:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:626:Field=serialNumber, Type=X509_CINF
140174787252288:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:626:Field=cert_info, Type=X509

Older versions of OpenSSL correctly show the certificate information:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9096867982294606615 (0x7e3e913b8d4b6317)

It looks like the serial number has the high bit set, as in these other reports:

Could a new certificate be added to our tenant?

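A check a JWKS consumer could run to catch this class of certificate before a newer OpenSSL rejects it. This is an added example, not Auth0's or OpenSSL's code; it assumes the rejected serial was DER-encoded with a redundant leading 0x00 octet (the thread shows the decoded value, not the raw bytes), and `sample_cert` builds a constructed certificate skeleton rather than a real certificate.

```python
"""Check whether the serial number in a DER X.509 certificate (e.g. from a
JWKS 'x5c' entry) is minimally encoded, the rule newer OpenSSL enforces."""
import base64


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def serial_padding_error(cert_der: bytes):
    """Return a description of the defect, or None if the serial is valid DER."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)           # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0                 # skip optional [0] version
    tag, serial, _ = _read_tlv(tbs, pos)            # serialNumber ::= INTEGER
    if tag != 0x02:
        return "serialNumber is not an INTEGER"
    if len(serial) > 1:                             # X.690 8.3.2 minimal-encoding rule
        if serial[0] == 0x00 and not serial[1] & 0x80:
            return "illegal padding: leading 0x00 before an octet with high bit clear"
        if serial[0] == 0xFF and serial[1] & 0x80:
            return "illegal padding: leading 0xFF before an octet with high bit set"
    return None


def check_jwks_key(jwk: dict):
    """Run the check on the first x5c certificate of one JWKS key entry."""
    return serial_padding_error(base64.b64decode(jwk["x5c"][0]))


def _der(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV (body < 128 bytes), used only to build the sample."""
    return bytes([tag, len(body)]) + body


def sample_cert(serial: bytes) -> bytes:
    """Constructed sample: a certificate skeleton holding only version + serial."""
    return _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)))
```

Running `serial_padding_error(sample_cert(bytes.fromhex("007e3e913b8d4b6317")))` reports illegal padding, while the same serial without the leading 0x00 passes.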

Hey there @neil.gentleman, I wanted to let you know I am looking into this and will relay what I find. Thank you.

After talking with the team it sounds like you worked with Tim on this and had a ticket open in regards to getting this resolved. So as not to duplicate effort I will let our support team handle this but will share the resolution here for history's sake. Thanks!

To follow up on this front, it appears the support case was resolved once the tenant signing key had been rotated.

Please let us know if we can be of any help in the future!
