
AWS cognito public key certificate

I need the public key certificate that Amazon cognito uses so my web app can verify the cognito JWT. Is there any way to get the public key certificate or do you have to use the cognito SDK to achieve this?

There is no certificate chain on a Cognito JWK. The public JWK for your Cognito can be found here:

https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json

You can decode the JWK into a PEM Public Key format using a library such as https://www.npmjs.com/package/jwk-to-pem

var jwkToPem = require('jwk-to-pem');

var jwk = JWK_FROM_URL,
    pem = jwkToPem(jwk);

Or you could do the complete verification using something like https://github.com/cisco/node-jose

var jose = require('node-jose');

// `keys` is the "keys" array from jwks.json and `key_index` the entry whose
// "kid" matches the token header; `token` is the compact Cognito JWT string
jose.JWK.asKey(keys[key_index])
  .then(key => jose.JWS.createVerify(key).verify(token))
  .then(result => JSON.parse(result.payload))

There's a detailed guide to decoding Cognito JWT here https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/ , with a sample of using jose on Cognito JWTs here: https://github.com/awslabs/aws-support-tools/blob/master/Cognito/decode-verify-jwt/decode-verify-jwt.js

There is no direct option available but you can do a workaround in openSSL,

  1. Generate a private key and generate a Certificate Signing Request (CSR) using the available private key. Both can be done in a single line:

openssl req -new -newkey rsa:2048 -nodes -keyout PrivateKey_FileName.key -out CSR_FileName.csr

  2. Save the PublicKey from cognito in .pem format. You can convert from jwk to .pem using the online tool https://8gwifi.org/jwkconvertfunctions.jsp .

  3. Self-sign the CSR using the generated private key and force the CA to include your custom Public key saved in .pem format to create a certificate replacing whatever public key available when you have generated your CSR request, using the following command:

openssl x509 -req -days 1200 -in CSR_FileName.csr -force_pubkey cognito_publicKeyFileName.pem -signkey PrivateKey_FileName.key -out export_certificate_FileName.crt

  4. Boom.. you have created your x509 certificate with the public key from cognito

Use the AWS CLI to get the contents of the public x509 certificate for Cognito using the CLI call documented here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/get-signing-certificate.html . A sample output is printed below.


Prepend these contents with -----BEGIN CERTIFICATE----- and append them with -----END CERTIFICATE-----. The end result will look like this:


Save these contents to a file: Cognito.crt. This file contains the signed x509 public certificate for Cognito.
