--- title: Configuring dynamic signing keys description: Determine when to use dynamically rotating keys to sign tokens as needed. component: pingfederate version: 13.0 page_id: pingfederate:administrators_reference_guide:pf_config_dynamic_signing_keys canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_config_dynamic_signing_keys.html revdate: June 10, 2025 section_ids: about-this-task: About this task steps: Steps result: Result: related-links: Related links --- # Configuring dynamic signing keys Determine when to use dynamically rotating keys to sign tokens as needed. ## About this task PingFederate can use and publish certificates for dynamic keys to sign self-contained access tokens, ID tokens, JSON web tokens (JWTs) for client authentication, and JWTs for OpenID Connect request objects. ## Steps 1. Go to **Security > Certificate & Key Management > OAuth & OpenID Connect Keys**. 2. Select the **Publish Dynamic Key Certificates** checkbox to use dynamic keys for OAuth and OpenID Connect. 3. Enter the key information in the following **Publish Dynamic Key Certificates** fields. | Property | Definition | | ----------------------- | ------------------------------------------------------------------------- | | **Organization** | The organization or company name creating the certificate. | | **Organizational Unit** | (Optional) The specific unit within the organization. | | **City** | (Optional) The city or other primary location where the company operates. | | **State** | (Optional) The state or province encompassing the location. | | **Country** | The country where the company is based. | 4. Enter your configuration information. Click **Save**. ## Result: The active signing key is published at the PingFederate JSON Web Key (JWK) Set endpoint `/pf/JWKS` and the certificate's Common Name (CN) is generated. | | | | - | ---------------------------------------------------------------------------------------------------------------- | | | For each applicable signing key, its associated chain of certificates is published as the `x5c` parameter value. | | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can only use either static or dynamic keys. When static keys are enabled, PingFederate uses only static signing keys to sign ID tokens for OAuth clients or to sign JWTs for authentication or request objects (or both) for authorization servers. Dynamic keys aren't used and aren't returned by the PingFederate JWKS endpoint `/pf/JWKS`. Signing algorithms associated with EC key types not configured with an active static signing key are hidden. Learn more about static keys in [Configuring static signing keys](pf_config_static_signing_keys.html). | ## Related links * [Configuring OAuth clients](pf_configuring_oauth_clients.html) * [Configuring static signing keys](pf_config_static_signing_keys.html) * [Managing client configuration defaults](help_clientsettingstasklet_oauthdynamicclientregistrationdefaultsstate.html) * [OpenID Connect Relying Party support](pf_oidc_relying_party_support.html) * [OpenID Provider configuration endpoint](../developers_reference_guide/pf_openid_provider_config_endpoint.html) * [The JSON Web Algorithms (JWA) specification](https://tools.ietf.org/html/rfc7518) * [The JSON Web Key (JWK) specification](https://tools.ietf.org/html/rfc7517)