---
title: Configuring static decryption keys
description: You can specify whether PingFederate should use static or dynamically rotating keys to decrypt asymmetrically encrypted ID tokens.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_config_static_decryption_keys
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_config_static_decryption_keys.html
revdate: June 6, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result:
  result-2: Result:
  result-3: Result:
  result-4: Result
  related-links: Related links
---

# Configuring static decryption keys

You can specify whether PingFederate should use static or dynamically rotating keys to decrypt asymmetrically encrypted ID tokens.

## About this task

> **Note:** When static keys are enabled, you must also select an active signing key for the RSA key type.

## Steps

1. Go to **Security > Certificate & Key Management > OAuth & OpenID Connect Keys**.

2. Select the **Enable Static Keys** checkbox to use static keys for OAuth and OpenID Connect.

   > **Note:** Clear this checkbox to let PingFederate generate and rotate keys automatically for OAuth and OpenID Connect. The **Enable Static Keys** checkbox is not selected by default.

   ### Result:

   Once selected, the administrative console displays the following fields under "Decryption Keys".

   | Key Type            | Active   | Previous | Publish Certificate |
   | ------------------- | -------- | -------- | ------------------- |
   | EC with P-256 curve | Optional | Optional | Optional            |
   | EC with P-384 curve | Optional | Optional | Optional            |
   | EC with P-521 curve | Optional | Optional | Optional            |
   | RSA                 | Optional | Optional | Optional            |

3. Follow these steps to configure "Decryption Keys".

   1. For each applicable key type, select an active decryption key and optionally a previous decryption key.

      > **Note:** If the desired decryption key is not found, click **Manage Certificates** to create it. Alternatively, complete the configuration, create the desired decryption keys later, and then update the configuration afterward. There is no default selection.

      ### Result:

      The active decryption key is published at the PingFederate JSON Web Key Set (JWKS) endpoint `/pf/JWKS`.

   2. (Optional) For any key type for which you have selected an active decryption key (with or without a previous decryption key), select the **Publish Certificate** checkbox to publish the certificates associated with the active decryption key at the PingFederate JWKS endpoint `/pf/JWKS`.

      > **Note:** Each applicable decryption key's associated chain of certificates is published as the `x5c` parameter value.

   The **Publish Certificate** checkboxes are not selected by default.

4. Under "Signing Keys", select an active key for the RSA key type.

   > **Note:** If the desired key is not found, click **Manage Certificates** to create it. There is no default selection.

   ### Result:

   The active signing key is published at the PingFederate JWKS endpoint `/pf/JWKS`.

5. Click **Save**.

## Result

When static keys are enabled, PingFederate uses only static decryption keys to decrypt asymmetrically encrypted ID tokens it receives from OpenID providers. Dynamic keys are not used and are not returned by the PingFederate JWKS endpoint `/pf/JWKS`.

The following snippet illustrates a sample response returned by the PingFederate JWKS endpoint when dynamic keys are used.

```shell
$ curl -s https://localhost:8031/pf/JWKS |python -m json.tool
{
  "keys": [
    ...
    {
      "kty": "EC",
      "kid": "I-ZbqeLPG2O5qxSf3n8yKmcGbWI",
      "use": "enc",
      "x": "AUSx-2vdfCjU90KohVs1peISnNUeDmGo3m0_x42PucBr-Gd-mHKXQ8EjTeYgLhFB5SYMV5tntKiezayWkUt9Dodc",
      "y": "AIE6vQYcKdOfyQYzENYQ86MIAwSUo4GR_-dn7m2MvRReXkotWOsFT1WKXi_KjamqJIV2AwAUZL-IQj5mew45lSTM",
      "crv": "P-521"
    },
    {
      "kty": "EC",
      "kid": "S2BbNNK9PtG0nA-EhU5BGpZ-OG8",
      "use": "enc",
      "x": "IKXASh9aDPJ1YaeXUww1YZnZ3kum_WLKvZe8xiNW6W8",
      "y": "7_zp2AuY8MY4WEuneHEzV0cqW0buqcmMGVzRANQ0r2I",
      "crv": "P-256"
    },
    {
      "kty": "EC",
      "kid": "t4-jKfmhEHn3mRc-08Oh3WKA2zE",
      "use": "enc",
      "x": "RiQkv_ArGS7Zc8XsXp0VQpEWz9ZUlbLUWA0VbTcUjWIbOByceGhg-tAj6dlFiorq",
      "y": "aHPQlrJPscdcuHtHokyr-70yBo4nUK-BjWrJgisDxnKJQFLP6YK_dfuOpuVYhFJ5",
      "crv": "P-384"
    },
    {
      "kty": "RSA",
      "kid": "tVP7otNKgIWYep8LPBR3wD3tPNE",
      "use": "enc",
      "n": "hvHfiamhV4wGC9JHppJZjdKG5K3MvhWwo6PBsSQowGOTeILAbzO8Jfmp7nRxuujTE6k83RXNeWUvTwamGqShXvHzGYJlE2gsc0Az_w5xm-vjoNZD8Cv0Y9C3R4Ckj6dBL70Osk_NfBR7MYmRA6dV0PJ5k4Lt_vQveXMkylD9XuLFP-gqooMXkB6FCCLqZZAi0voi3WQ7ECzSta3ke9F5VFl7-4zVjRtJHjM9gGEhd5OkaZioqs9xBHeOrwhPbiPTsIA7ve3No5AlGCgZw654s17zr2Ly4q8QZE7LmM30kRJnu-dpl_dKixFTdQYIBMmIWGUyuB43XYq106z9CWoOcw",
      "e": "AQAB"
    },
    ...
  ]
}
```

When static keys are used, the PingFederate JWKS endpoint `/pf/JWKS` returns only the configured active keys. The following snippet illustrates a sample response returned by the PingFederate JWKS endpoint when an active key was selected for the **EC with P-384 curve** and **EC with P-521 curve** key types.

```shell
$ curl -s https://localhost:8031/pf/JWKS |python -m json.tool
{
  "keys": [
    ...
    {
      "kty": "EC",
      "kid": "7xKkiMb-YpcK2PcrTUoTrYF8EOI",
      "use": "enc",
      "x": "4p_fZluiHS9qLXQi-cqol1LP5nBrFPcXRKQN5yR3Tz51E0xfY9tmOzLqMQwKfDIh",
      "y": "kWh3up-U2mMYOuhzx4Ba7UX0P03EPLr82PdCUG6E3V53Pgnd2QU6ShWu9lH4-ugw",
      "crv": "P-384"
    },
    {
      "kty": "EC",
      "kid": "pE1XwX8Z6QYhAC7mjZ0OCn4DXAk",
      "use": "enc",
      "x": "ATCOsxg6ce437qMVlrqCyHPDE76hC0wP7Wwb7V8heai60LIDDvIJt-evxTOGn7Iolo9PYET8-Bjhu5Zg5MNxOkF-",
      "y": "AdvUA2YD2kn7COLkFIG2vL2k34CMv7VPxsvbgOJBL2exSziMGPw6YJp2eafuHlBom7bkjv3iFy5dTuGB7B28Zc7A",
      "crv": "P-521"
    },
    ...
  ]
}
```
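As an added example that is not part of the PingFederate documentation, the following Python audit compares a saved `/pf/JWKS` response with the static-key configuration described above: every `enc` key should belong to a key type for which an active decryption key was selected (anything else suggests dynamic keys are still being published), an `x5c` chain should be present when **Publish Certificate** is enabled, and an RSA signing key must be published. The `audit_static_jwks` function and the embedded sample JWKS are assumptions constructed here; the sample reuses the two `kid` values from the static-key response above with placeholder key material.

```python
import json
import sys

# Decryption key types offered under "Decryption Keys" in the admin console (from the page).
DECRYPTION_KEY_TYPES = {("EC", "P-256"), ("EC", "P-384"), ("EC", "P-521"), ("RSA", None)}


def key_type(jwk):
    """Map a JWK to the (kty, crv) pair the admin console lists as a key type."""
    return (jwk.get("kty"), jwk.get("crv") if jwk.get("kty") == "EC" else None)


def audit_static_jwks(jwks, expected_enc_types, expect_x5c=False):
    """Return a list of findings; an empty list means the JWKS matches the static-key configuration.

    expected_enc_types: set of (kty, crv) pairs for which an active decryption key was selected.
    expect_x5c: True when the Publish Certificate checkbox was selected for those key types.
    """
    findings = []
    enc_seen = {}
    rsa_sig_published = False
    for jwk in jwks.get("keys", []):
        kt = key_type(jwk)
        if jwk.get("use") == "enc":
            if kt not in DECRYPTION_KEY_TYPES:
                findings.append(f"{kt}: 'enc' key kid={jwk.get('kid')} is not a supported decryption key type")
            enc_seen.setdefault(kt, []).append(jwk)
        elif jwk.get("use") == "sig" and kt == ("RSA", None):
            rsa_sig_published = True
    for kt, keys in enc_seen.items():
        if kt not in expected_enc_types:
            findings.append(f"{kt}: {len(keys)} 'enc' key(s) published but no static decryption key configured")
        elif expect_x5c and not all("x5c" in k for k in keys):
            findings.append(f"{kt}: Publish Certificate expected but x5c is missing")
    for kt in sorted(expected_enc_types - set(enc_seen), key=str):
        findings.append(f"{kt}: static decryption key configured but not published")
    if not rsa_sig_published:
        findings.append("no RSA signing key ('use': 'sig') published; static keys require an active RSA signing key")
    return findings


# Constructed sample modelled on the static-key response above (placeholder coordinates and modulus).
SAMPLE_STATIC_JWKS = {"keys": [
    {"kty": "EC", "kid": "7xKkiMb-YpcK2PcrTUoTrYF8EOI", "use": "enc", "crv": "P-384", "x": "PLACEHOLDER", "y": "PLACEHOLDER"},
    {"kty": "EC", "kid": "pE1XwX8Z6QYhAC7mjZ0OCn4DXAk", "use": "enc", "crv": "P-521", "x": "PLACEHOLDER", "y": "PLACEHOLDER"},
    {"kty": "RSA", "kid": "PLACEHOLDER-SIG-KID", "use": "sig", "n": "PLACEHOLDER", "e": "AQAB"},
]}

if __name__ == "__main__":
    # Usage: curl -s https://localhost:8031/pf/JWKS > jwks.json && python audit.py jwks.json
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATIC_JWKS
    for line in audit_static_jwks(doc, {("EC", "P-384"), ("EC", "P-521")}) or ["OK: JWKS matches configuration"]:
        print(line)
```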

## Related links

* [OpenID Connect Relying Party support](pf_oidc_relying_party_support.html)

* [The JSON Web Algorithms (JWA) specification](https://datatracker.ietf.org/doc/html/rfc7518)

* [The JSON Web Key (JWK) specification](https://tools.ietf.org/html/rfc7517)
