Format of JWS when doing ACME

Format of things...

Trying to get my home brew client to work...
so if we read the JWS examples in RFC7515

and I have :
base64url of the protected header: pb64
base64url of the payload: p64
base64url of the signature: s64...

The JWS spec (RFC7515) represents this as pb64.p64.s64
The RFC8555
shows it as
{ "protected":"pb64","payload":"p64","signature":"s64" }

Looking at code for example ACME clients it seems the latter is correct.
Did I not read RFC7515 right or is the acme not really compliant?

Also I believe that the signature should be:
against [pb64.p64]

Is this correct?

Trying to do step one account creation and I'm getting the completely expected error:
"Parse Error Reading JWS"

So something is wrong with my post, alas I have no clue what it is.
Any suggestions?

Also making it harder to find examples, I'm trying to do this with ECDSA for performance and memory reasons, and most examples are RSA.


The JWS standard* has two different representation ("serialization") formats:

  • The Compact Serialization, which uses base64 encoding with dot concatenation of header, body and signature ("eyX.Y.Z"). See RFC 7515 section 3.1.
  • The JSON Serialization, which uses JSON encoding of the base64 encoding of header, body, and signature ({"protected": "eyX", "payload": "Y", "signature": "Z"}). See RFC 7515 section 3.2.

Which of these two serialization formats is used varies in different protocols. RFC 8555 Section 6.2 requires JSON serialization, so the latter of the two.

*In a broader context, the two serialization schemes exist for most JSON Web Algorithms (JWA) formats, not only JWS.
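Worked example, added here and not from the poster's client or from any ACME project: it builds a newAccount JWS with ES256 in both serializations, signs over exactly `pb64 "." p64` as RFC 7515 section 5.1 says, and then checks the JWS that is posted verbatim later in this thread (copied into POSTED_JWS) against its embedded jwk, which shows the ES256 signature is the raw 64-byte r||s rather than DER. The P-256 arithmetic is a toy pure-Python version so the file runs offline (it is not constant time and not for production); the account key and nonce in demo() are constructed, and a real client takes the nonce from the newNonce endpoint.

```python
"""ACME JWS (RFC 8555 6.2) with ES256: compact vs flattened JSON serialization.
Added example, not the poster's client. P-256 is a toy pure-Python version so it
runs offline (not constant time). Account key and nonce in demo() are constructed."""
import base64, hashlib, json, secrets

# P-256 / secp256r1 parameters (FIPS 186-4): y^2 = x^3 - 3x + b mod P
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None                                   # q == -p
    if p == q:
        lam = (3 * p[0] * p[0] - 3) * pow(2 * p[1], -1, P) % P   # tangent, a = -3
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def _mul(k, p):
    """Double-and-add scalar multiplication (demo only)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def b64u(b):
    """base64url with padding stripped (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def ecdsa_sign(d, msg):
    """ES256 = SHA-256 + ECDSA/P-256; JWS wants raw r||s (64 bytes), not DER (RFC 7518 3.4)."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = 1 + secrets.randbelow(N - 1)
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def ecdsa_verify(Q, msg, sig):
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or not (0 < r < N and 0 < s < N):
        return False
    z, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    X = _add(_mul(z * w % N, G), _mul(r * w % N, Q))
    return X is not None and X[0] % N == r

def acme_jws(d, url, nonce, payload, kid=None):
    """Flattened JSON serialization (RFC 7515 7.2.2), the only form RFC 8555 6.2 allows.
    newAccount embeds the public key as "jwk"; every later request uses "kid" instead."""
    header = {"alg": "ES256", "nonce": nonce, "url": url}
    if kid:
        header["kid"] = kid
    else:
        Q = _mul(d, G)
        header["jwk"] = {"kty": "EC", "crv": "P-256", "x": b64u(Q[0].to_bytes(32, "big")),
                         "y": b64u(Q[1].to_bytes(32, "big"))}
    pb64 = b64u(json.dumps(header, separators=(",", ":")).encode())
    p64 = "" if payload is None else b64u(json.dumps(payload, separators=(",", ":")).encode())
    sig = ecdsa_sign(d, f"{pb64}.{p64}".encode())      # signing input = pb64 "." p64 (RFC 7515 5.1)
    return {"protected": pb64, "payload": p64, "signature": b64u(sig)}

def compact_serialization(jws):   # RFC 7515 3.1 form; an ACME server rejects it
    return f"{jws['protected']}.{jws['payload']}.{jws['signature']}"

def verify_acme_jws(jws, jwk=None):
    """Verify over the base64url strings exactly as sent; never re-encode the header."""
    header = json.loads(b64u_dec(jws["protected"]))
    jwk = header.get("jwk", jwk)
    Q = (int.from_bytes(b64u_dec(jwk["x"]), "big"), int.from_bytes(b64u_dec(jwk["y"]), "big"))
    return ecdsa_verify(Q, f"{jws['protected']}.{jws['payload']}".encode(), b64u_dec(jws["signature"]))

# The JWS posted later in this thread, copied verbatim; Let's Encrypt staging accepted it.
POSTED_JWS = {
    "protected": "eyJhbGciOiJFUzI1NiIsImp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6ImdTbWU5cmMweUFGN18wX2lDY0V1cENNYUt2bkdRU0JFZHZQbkRQUTFlXzAiLCJ5IjoiRXByQ21vYlZfRG1hZWdVOTNSWWp1d1VjTExwTjNBd0xpUlJvQlFBSWJZUSJ9LCJub25jZSI6IjJRb1pjWUdYZUtuZ2VHaHBNMUJ1Q25jS0pqZEZGb1l0U3hQRDdPY1ZoTk5ZeFZsMGYwOCIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3QifQ",
    "payload": "eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZX0",
    "signature": "a0hZQs92IHtKNWHuhujCfsFZ_LlrEQmD6cZ_3cWcteICnrZyYCviHMqKgzat8L7KsIQfu-w9on7jyaZYavRImQ",
}

def demo():
    d = 1 + secrets.randbelow(N - 1)                    # constructed account key
    jws = acme_jws(d, "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
                   "constructed-nonce", {"termsOfServiceAgreed": True})
    tampered = dict(jws, payload=b64u(b'{"termsOfServiceAgreed":false}'))
    return {
        "posted_jws_verifies": verify_acme_jws(POSTED_JWS),
        "fresh_jws_verifies": verify_acme_jws(jws),
        "tamper_detected": not verify_acme_jws(tampered),
        "raw_sig_is_64_bytes": len(b64u_dec(jws["signature"])) == 64,
        "compact_has_three_parts": compact_serialization(jws).count(".") == 2,
        "json_has_three_members": set(jws) == {"protected", "payload", "signature"},
    }
```

Two things the thread touches that this makes concrete: the server recomputes the signing input from the two base64url strings it received, so any re-encoding of the header on the way out (whitespace, key order) breaks the signature, and an ES256 signature produced by a DER-emitting library (OpenSSL's default) has to be converted to the fixed 64-byte r||s form before base64url encoding or the server will reject it. The POST itself must go with Content-Type: application/jose+json.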


This is what I'm posting... (Strip line breaks)

I was able to send that JWS to the Let's Encrypt staging server using curl, verbatim, and it created an account for me:

# target URL is the "url" claim inside the protected header
$ curl -k --data '{"protected":"eyJhbGciOiJFUzI1NiIsImp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6ImdTbWU5cmMweUFGN18wX2lDY0V1cENNYUt2bkdRU0JFZHZQbkRQUTFlXzAiLCJ5IjoiRXByQ21vYlZfRG1hZWdVOTNSWWp1d1VjTExwTjNBd0xpUlJvQlFBSWJZUSJ9LCJub25jZSI6IjJRb1pjWUdYZUtuZ2VHaHBNMUJ1Q25jS0pqZEZGb1l0U3hQRDdPY1ZoTk5ZeFZsMGYwOCIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3QifQ","payload":"eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZX0","signature":"a0hZQs92IHtKNWHuhujCfsFZ_LlrEQmD6cZ_3cWcteICnrZyYCviHMqKgzat8L7KsIQfu-w9on7jyaZYavRImQ"}' -H 'Content-Type: application/jose+json' https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
{
  "key": {
    "kty": "EC",
    "crv": "P-256",
    "x": "gSme9rc0yAF7_0_iCcEupCMaKvnGQSBEdvPnDPQ1e_0",
    "y": "EprCmobV_DmaegU93RYjuwUcLLpN3AwLiRRoBQAIbYQ"
  },
  "initialIp": "redacted",
  "createdAt": "2023-06-25T04:44:00.683273208Z",
  "status": "valid"
}

I was so sure that it was a crypto problem I did not notice I'd typoed the Content Type.....
Arghhh..... thanks!
On to the next step...

