...
By including the x5t#S256 claim with the correct certificate thumbprint, encoded in base64url format, you establish a secure link between the JWS and the certificate used for signing, enhancing trust and authenticity in the metadata exchange process. This validation mechanism helps confirm that the metadata hasn't been tampered with and comes from the expected source.
Here are the commands to create an x5t#S256 claim using OpenSSL:
```bash
# DER-encode the certificate, take its SHA-256 digest, then convert
# standard base64 to unpadded base64url
openssl x509 -in ec-cert.pem -outform der | \
  openssl dgst -sha256 -binary | openssl enc -base64 -A | \
  tr '+/' '-_' | tr -d '='
```
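The receiving side of this check, as an added example that is not part of the original page: it recomputes the thumbprint the same way the OpenSSL pipeline does and compares it with the x5t#S256 value in a JWS protected header. The function names, the stand-in certificate bytes and the sample JWS are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import ssl


def b64url(data: bytes) -> str:
    """Unpadded base64url, the form the tr steps of the shell pipeline produce."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint_s256(pem: str) -> str:
    """SHA-256 over the certificate's DER encoding, base64url-encoded."""
    return b64url(hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).digest())


def header_matches_cert(jws_compact: str, pem: str) -> bool:
    """True only if the protected header's x5t#S256 equals the cert thumbprint."""
    parts = jws_compact.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    claimed = header.get("x5t#S256") if isinstance(header, dict) else None
    if not isinstance(claimed, str):
        return False  # a missing thumbprint is a failure, not a skip
    # A match only ties the header to this certificate; verifying the signature
    # with the certificate's public key is a separate step not shown here.
    expected = cert_thumbprint_s256(pem).encode()
    return hmac.compare_digest(claimed.encode("utf-8", "replace"), expected)


# Constructed stand-in bytes, not real certificates: the thumbprint is taken
# over raw DER bytes, so any byte string exercises the comparison.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-der-bytes-for-example")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"a-different-constructed-certificate")


def make_sample_jws(pem: str) -> str:
    """Build a constructed JWS (dummy payload and signature) naming `pem`."""
    header = {"alg": "ES256", "x5t#S256": cert_thumbprint_s256(pem)}
    return ".".join(b64url(p) for p in (
        json.dumps(header).encode(), b'{"sample":true}', b"constructed-signature"))
```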
Here's an example JWS header:
...