Determine X5T header

The X5T header is required for Microsoft Entra ID configuration of Private Key JWT authentication.

Use one of the following methods to convert the fingerprint (thumbprint) of the server's certificate into the X5T header value.

Using the xxd and openssl commands

The hexadecimal representation of a thumbprint or hash is converted into a Base64-encoded format using the xxd and openssl commands.

echo <thumbprint> | xxd -r -p | openssl enc -a

Here,

  • echo <thumbprint>: This command prints the thumbprint. Replace <thumbprint> with the actual thumbprint string.
  • xxd -r -p: The xxd command with the -r -p options reverses the hex dump, converting the thumbprint from hexadecimal to binary.
  • openssl enc -a: The openssl enc -a command encodes the binary data to base64.

A sample output of the above command:

$ echo "09B3D84C6B5684B8A33599C88C5AAA411F5969C6" | xxd -r -p | openssl enc -a
CbPYTGtWhLijNZnIjFqqQR9ZacY=

Using certutil and PowerShell on Windows

This sequence writes the thumbprint to a file, uses certutil with the -decodehex option to convert it from hexadecimal to binary, and then uses certutil with the -encode option to encode the binary data in thumbprintbinary into Base64 format. The final command removes the -----BEGIN/END----- header and footer lines that certutil adds, leaving only the Base64 value in x5t.txt.

echo <thumbprint> > thumbprinthex;
certutil -f -decodehex thumbprinthex thumbprintbinary;
certutil -f -encode thumbprintbinary base64.txt;
get-content base64.txt | Where-Object { -not $_.Contains('-----') } | Out-File x5t.txt

A sample output of the above command:

PS C:\x5ttest> echo 09B3D84C6B5684B8A33599C88C5AAA411F5969C6 > thumbprinthex;
PS C:\x5ttest> certutil -f -decodehex thumbprinthex thumbprintbinary;
Input Length = 86
Output Length = 20
CertUtil: -decodehex command completed successfully.
PS C:\x5ttest> certutil -f -encode thumbprintbinary base64.txt;
Input Length = 20
Output Length = 86
CertUtil: -encode command completed successfully.
PS C:\x5ttest> get-content base64.txt | Where-Object { -not $_.Contains('-----') } | Out-File x5t.txt
PS C:\x5ttest> cat .\x5t.txt
CbPYTGtWhLijNZnIjFqqQR9ZacY=
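The conversion that both methods above perform, as an added Python example that is not part of the original page: it normalizes a thumbprint as certificate tools display it (either case, with spaces or colons), checks that it is a SHA-1 or SHA-256 digest, and produces the Base64 value. It goes beyond the page in two ways: it can also emit the unpadded base64url form that RFC 7515 defines for the x5t header, and it can compute the thumbprint from a certificate's DER bytes (the DER input in the usage block is a constructed placeholder, not a real certificate).

```python
import base64
import hashlib
import re

# Thumbprint used in the page's sample commands (SHA-1 over the certificate's DER bytes).
SAMPLE_THUMBPRINT = "09B3D84C6B5684B8A33599C88C5AAA411F5969C6"

# Digest length in hex characters -> JWT header member it belongs in
# (RFC 7515 section 4.1.7 "x5t" is SHA-1, section 4.1.8 "x5t#S256" is SHA-256).
_HEADER_FOR_LENGTH = {40: "x5t", 64: "x5t#S256"}


def normalize_thumbprint(thumbprint: str) -> str:
    """Strip the separators certificate viewers insert (spaces, colons) and
    reject anything that is not a SHA-1 (40 hex) or SHA-256 (64 hex) digest."""
    cleaned = re.sub(r"[\s:]", "", thumbprint).upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned) or len(cleaned) not in _HEADER_FOR_LENGTH:
        raise ValueError(f"not a SHA-1 or SHA-256 thumbprint: {thumbprint!r}")
    return cleaned


def thumbprint_to_x5t(thumbprint: str, url_safe: bool = False) -> str:
    """Equivalent of `echo <thumbprint> | xxd -r -p | openssl enc -a`: hex -> bytes -> Base64.
    The padded standard Base64 form is what the page's commands print; url_safe=True
    gives the unpadded base64url form that RFC 7515 specifies for the header."""
    raw = bytes.fromhex(normalize_thumbprint(thumbprint))
    if url_safe:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return base64.b64encode(raw).decode("ascii")


def x5t_header_from_der(der: bytes, hash_name: str = "sha1", url_safe: bool = False) -> dict:
    """Compute the thumbprint directly from a certificate's DER bytes and return the
    matching header member, so the value never has to be copied by hand."""
    digest = hashlib.new(hash_name, der).hexdigest()
    header_name = _HEADER_FOR_LENGTH[len(digest)]  # KeyError for unsupported digest sizes
    return {header_name: thumbprint_to_x5t(digest, url_safe)}


if __name__ == "__main__":
    print(thumbprint_to_x5t(SAMPLE_THUMBPRINT))  # CbPYTGtWhLijNZnIjFqqQR9ZacY=
    # Same thumbprint as the Windows certificate viewer shows it (lower case, spaces).
    print(thumbprint_to_x5t("09 b3 d8 4c 6b 56 84 b8 a3 35 99 c8 8c 5a aa 41 1f 59 69 c6"))
    print(thumbprint_to_x5t(SAMPLE_THUMBPRINT, url_safe=True))  # CbPYTGtWhLijNZnIjFqqQR9ZacY
    fake_der = b"constructed placeholder, not a real DER certificate"  # constructed input
    print(x5t_header_from_der(fake_der))
    print(x5t_header_from_der(fake_der, hash_name="sha256", url_safe=True))
```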