---
title: Change default key aliases
description: For demo and test purposes, AM includes demo key aliases for several features.
component: pingam
version: 8.1
page_id: pingam:security:change-signing-key
canonical_url: https://docs.pingidentity.com/pingam/8.1/security/change-signing-key.html
keywords: ["Security", "Setup & Configuration"]
page_aliases: ["security-guide:change-signing-key.adoc"]
---

# Change default key aliases

For demo and test purposes, AM includes [demo key aliases](secrets-certs-keys.html#about-default-keystores) for several features.

|   |                                                                                                  |
| - | ------------------------------------------------------------------------------------------------ |
|   | Don't use the default key aliases, keys, keystores, or secret stores in production environments. |

Where possible, the following list gives the Global Services or Server Default paths where the demo key aliases are configured. If you have already configured any of these features in a realm, make sure you also replace the key alias in the realm configuration.

To replace the default key aliases:

1. Create the required key aliases following the tasks in [Key aliases and passwords](configuring-keys.html).

2. Change the default key aliases:

   * Web agents and Java agents

     Agents use the secret labels specified in the [Web Agents Installation Guide](https://docs.pingidentity.com/web-agents/2025.3/installation-guide/post-installation.html#configuring-agent-communication) and the [Java Agents Installation Guide](https://docs.pingidentity.com/java-agents/2025.3/installation-guide/pre-installation.html#configuring-agent-communication).

   * Persistent Cookie node

     To change the default mapping for the Persistent Cookie node, go to Realms > *realm name* > Authentication > Settings > Security. Replace the `test` key alias in the Persistent Cookie Encryption Certificate Alias field with the alias you created for persistent cookies in your secret stores.

     You can find more information about the secret labels used by this feature in [Secret label mappings for persistent cookies](secret-mapping.html#secrets-persistent-cookie).

   * OAuth 2.0 and OpenID Connect providers

     Review the list of secret labels and their defaults [here](secret-mapping.html#oauth2-default-secret-IDs) and [here](secret-mapping.html#oidc-social-registration-secret-IDs).

   * SAML 2.0 hosted providers

     Review the list of secret labels and their defaults [here](secret-mapping.html#saml2-default-secret-IDs).

   * Client-side sessions

     Review the list of secret labels and their defaults [here](secret-mapping.html#secrets-client-based-sessions-encryption) and [here](secret-mapping.html#secrets-client-based-sessions-signing).

   * User self-service

     Go to Realms > *realm name* > Services > User Self-Service and do one of the following:

     * Enable the Use Secret Store property and configure the following secret IDs in the secret store:

       * `am.services.selfservice.token.encryption`

       * `am.services.selfservice.token.signing`

     * Populate the values of the Encryption Key Pair Alias and the Signing Secret Key Alias properties.

       |   |                                                                                         |
       | - | --------------------------------------------------------------------------------------- |
       |   | The names of the demo keys are displayed in grey. This doesn't mean the fields are filled in. |

   * Authentication trees

     Authentication trees use the secret label specified in [Secret label mappings for encrypting authentication trees' secure state data](secret-mapping.html#secrets-authn-trees-transient-encryption).

     |   |                                                                                                                                            |
     | - | ------------------------------------------------------------------------------------------------------------------------------------------ |
     |   | You must map this secret label to an existing, resolvable secret or key alias. Otherwise, authentication trees might not work as expected. |

   * IoT

     The IoT Service uses the secret labels specified in [Secret label mappings for the IoT trusted JWT issuer](secret-mapping.html#secrets-am-services-iot-jwt-issuer-signing).
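
After working through the list, it helps to confirm that no secret label at global or realm level still points at a demo alias, and that every mapped alias actually exists in the keystore. The following check is an added example, not part of the AM documentation or product: it parses `keytool -list` output and audits a label-to-alias mapping. The mapping layout, the `realm:alpha` scope, and the `prod-*` alias names are assumptions made for illustration.

```python
import re

# "test" is the only demo alias this page names; add the other demo aliases
# present in your own deployment's default keystore.
DEMO_ALIASES = {"test"}

# `keytool -list` prints one "<alias>, <date>, <EntryType>," line per entry.
ENTRY_RE = re.compile(r"^(?P<alias>.+?), .+, (?:PrivateKey|SecretKey|trustedCert)Entry,")

def keystore_aliases(keytool_listing):
    """Return the set of aliases in `keytool -list` output."""
    return {m.group("alias") for line in keytool_listing.splitlines()
            if (m := ENTRY_RE.match(line.strip()))}

def audit_mappings(mappings, aliases, demo_aliases=DEMO_ALIASES):
    """mappings: {scope: {secret_label: alias}} (assumed layout, not an AM export format).
    Returns sorted (scope, label, alias, problem) tuples."""
    findings = []
    for scope, labels in mappings.items():
        for label, alias in labels.items():
            if not alias:
                findings.append((scope, label, "", "unmapped"))
            elif alias in demo_aliases:
                findings.append((scope, label, alias, "demo alias"))
            elif alias not in aliases:
                findings.append((scope, label, alias, "alias not in keystore"))
    return sorted(findings)

# Constructed sample data: keytool listing and mappings are invented for illustration.
SAMPLE_LISTING = """\
Keystore type: JCEKS
Your keystore contains 3 entries

test, Jan 1, 2025, PrivateKeyEntry,
prod-selfservice-enc, Jan 1, 2025, PrivateKeyEntry,
prod-selfservice-sign, Jan 1, 2025, SecretKeyEntry,
"""
ENC = "am.services.selfservice.token.encryption"
SIGN = "am.services.selfservice.token.signing"
SAMPLE_MAPPINGS = {
    "global": {ENC: "prod-selfservice-enc", SIGN: "prod-selfservice-sign"},
    # Realm still on the demo alias, plus a misspelled (unresolvable) alias.
    "realm:alpha": {ENC: "test", SIGN: "prod-selfservice-sgn"},
}

if __name__ == "__main__":
    for finding in audit_mappings(SAMPLE_MAPPINGS, keystore_aliases(SAMPLE_LISTING)):
        print(*finding, sep=" | ")
```

An empty result means every audited label resolves to a non-demo alias present in the keystore; any finding names the scope and label that still needs attention.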
