JWT signature validation using certificate authority's public key

I am trying this:

On the client side:

  1. Generate a JSON Web Token (JWT) using a header and payload.
  2. Sign this JWT using my private key. I also have a certificate which is signed by a root CA.
  3. Send the JWT to the server.

On the server side:

  1. Verify the received JWT.
  2. I only have access to the public key/certificate of the root CA who has signed my certificate.

Is it possible to verify the signature of the JWT using the public key or certificate of the root CA? Please note that I do not want to verify the JWT using my public key, as there are many clients which have their private-public key pairs and it would not be possible for the server to obtain all the public keys from the clients. My goal is to make the server-side validation use the public key/certificate of the root CA to validate the JWT.

Is this possible?

sunsin1985 asked Oct 27 '25 19:10


1 Answer

No, that is not possible in the way that you describe: you'll need the actual certificate to:

  1. verify the signature on the JWT with the public key in it
  2. verify that the certificate was signed by the root CA

But then again, because of 2., you don't need to exchange the certificate out-of-band: the sender can send the certificate along with the JWT. So you can satisfy your goal anyway, since you don't have to obtain all public keys from the clients separately.

Hans Z. answered Oct 29 '25 18:10
