--- title: Configuring static signing keys description: Determine when to use static keys to sign tokens as needed. component: pingfederate version: 13.0 page_id: pingfederate:administrators_reference_guide:pf_config_static_signing_keys canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_config_static_signing_keys.html revdate: June 10, 2025 section_ids: about-this-task: About this task steps: Steps result: Result: result-2: Result: result-3: Result: result-4: Result related-links: Related links --- # Configuring static signing keys Determine when to use static keys to sign tokens as needed. ## About this task PingFederate can use static keys to sign self-contained access tokens, ID tokens, JSON web tokens (JWTs) for client authentication, and JWTs for OpenID Connect request objects. ## Steps 1. Go to **Security > Certificate & Key Management > OAuth & OpenID Connect Keys**. 2. Select the **Enable Static Keys** checkbox to use static keys for OAuth and OpenID Connect. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Clear this checkbox to let PingFederate generate and rotate keys automatically for OAuth and OpenID Connect.The **Enable Static Keys** checkbox is not selected by default. | ### Result: Once selected, the administrative console displays the following fields under the **Signing Keys** heading. | Key Type | Active | Previous | Publish Certificate | | ------------------- | -------- | -------- | ------------------- | | EC with P-256 curve | Optional | Optional | Optional | | EC with P-384 curve | Optional | Optional | Optional | | EC with P-521 curve | Optional | Optional | Optional | | RSA | Required | Optional | Optional | 3. Follow these steps to complete the configuration under Signing Keys. 1. For the RSA key type, select an active signing key and optionally a previous signing key. | | | | - | -------------------------------------------------------------------------------------------------------------------- | | | If you don't find the desired signing key, click **Manage Certificates** to create it.There is no default selection. | ### Result: The active signing key and the previous signing key (if configured) are published at the PingFederate JSON Web Key (JWK) Set endpoint `/pf/JWKS`. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The `alg` parameter value is only included for the RSA key that handles *RS256*. All EC keys have a corresponding `alg` param. For example: `"crv": "P-256","alg": "ES256"`. | 2. For each applicable EC (elliptic curve) key type, select an active signing key and optionally a previous signing key. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you don't find the desired signing key, click **Manage Certificates** to create it. Alternatively, complete the configuration, create the desired signing keys later, and then update the configuration afterward.There is no default selection. | ### Result: The active signing key and the previous signing key (if configured) are published at the PingFederate JWKS endpoint `/pf/JWKS`. 3. (Optional) For any key type for which you have selected an active signing key (with or without a previous signing key), select the **Publish Certificate** checkbox to publish the certificates associated with the active signing key and the previous signing key (if configured) at the PingFederate JWKS endpoint `/pf/JWKS`. | | | | - | ---------------------------------------------------------------------------------------------------------------- | | | For each applicable signing key, its associated chain of certificates is published as the `x5c` parameter value. | The **Publish Certificate** checkboxes are not selected by default. 1. (Optional) After selecting a key, enter a unique KeyID in the text field under the **Active Key** list. 4. Click **Save**. ## Result | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | When static keys are enabled, PingFederate uses only static signing keys to sign ID tokens for OAuth clients or to sign JWTs for authentication or request objects (or both) for authorization servers. Dynamic keys aren't used and aren't returned by the PingFederate JWKS endpoint `/pf/JWKS`. Signing algorithms associated with EC key types not configured with an active static signing key are hidden. Learn more about dynamic signing keys in [Configuring dynamic signing keys](pf_config_dynamic_signing_keys.html). | For existing clients and identity provider (IdP) connections, if you have previously selected a certain signing algorithm associated with an EC key type (for example, **ECDSA using P256 Curve and SHA-256**) without enabling static keys and then subsequently decide to enable static keys without selecting an active signing key for such EC key type (**EC with P-256 curve** in this example), transactions that involve that signing algorithm will fail. When you revisit the configuration, the administrative console displays an error message. Your options are as follows: * OAuth clients * Click **Save** to update the value of the **ID Token Signing Algorithm** setting to **Default**, which is the equivalent of selecting **RSA using SHA-256** from the list. * Select a different value from the **ID Token Signing Algorithm** list and save the configuration. * Ignore the error and click **Cancel** without updating the configuration. Note that runtime errors persist until the configuration issue is resolved. These options are applicable to individual clients on the **Client** window and the default setting configured for all clients created via the Dynamic Client Registration protocol on the **Client Configuration Defaults** window. * OpenID Connect IdP connections * Select a different value from the **Authentication Signing Algorithm** list or the **Request Signing Algorithm** list (or both) and save the configuration. * Ignore the error and click **Cancel** without updating the configuration. Runtime errors persist until the configuration issue is resolved. These options are applicable to individual OpenID Connect IdP connections on the **OpenID Provider Info** window. ## Related links * [Configuring OAuth clients](pf_configuring_oauth_clients.html) * [Configuring dynamic signing keys](pf_config_dynamic_signing_keys.html) * [Managing client configuration defaults](help_clientsettingstasklet_oauthdynamicclientregistrationdefaultsstate.html) * [OpenID Connect Relying Party support](pf_oidc_relying_party_support.html) * [OpenID Provider configuration endpoint](../developers_reference_guide/pf_openid_provider_config_endpoint.html) * [The JSON Web Algorithms (JWA) specification](https://datatracker.ietf.org/doc/html/rfc7518) * [The JSON Web Key (JWK) specification](https://datatracker.ietf.org/doc/html/rfc7517)