---
title: KeyManager (deprecated)
description: The configuration of a Java Secure Socket Extension KeyManager to manage private keys for PingGateway. The configuration references the keystore that holds the keys.
component: pinggateway
version: 2025.11
page_id: pinggateway:reference:KeyManager
canonical_url: https://docs.pingidentity.com/pinggateway/2025.11/reference/KeyManager.html
revdate: 2025-10-22T14:04:06Z
section_ids:
  KeyManager-usage: Usage
  KeyManager-properties: Properties
  KeyManager-example: Example
  KeyManager-moreinfo: More information
---

# KeyManager (deprecated)

This object is deprecated. Use [SecretsKeyManager](SecretsKeyManager.html) instead.

Configures a Java Secure Socket Extension (JSSE) [KeyManager](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/net/ssl/KeyManager.html) to manage private keys for PingGateway. The configuration references the keystore that holds the keys.

When PingGateway acts as a server, it uses a KeyManager to prove its identity to the client. When PingGateway acts as a client, it uses a KeyManager to prove its identity to the server.

## Usage

```json
{
  "name": string,
  "type": "KeyManager",
  "config": {
    "keystore": KeyStore reference,
    "passwordSecretId": configuration expression<secret-id>,
    "alg": configuration expression<string>,
    "secretsProvider": SecretsProvider reference
  }
}
```

## Properties

* `"keystore"`: *KeyStore [reference](preface.html#definition-reference), required*

  The [KeyStore (deprecated)](KeyStore.html) object that references the store for key certificates. When `keystore` is used in a KeyManager, it queries for private keys; when `keystore` is used in a TrustManager, it queries for certificates.

  Provide either the name of the keystore object defined in the heap or an inline keystore configuration object.

* `"passwordSecretId"`: *configuration expression<[secret-id](preface.html#definition-secretid)>, required*

  The secret ID of the password required to read private keys from the keystore.

  This secret ID must point to a [GenericSecret](../security-guide/keys.html#secret-types).

* `"alg"`: *configuration expression<[string](preface.html#definition-string)>, optional*

  The certificate algorithm to use.

  Default: the default for the platform, such as `SunX509`.

  Learn more in [PingGateway expressions](Expressions.html).

* `"secretsProvider"`: *SecretsProvider [reference](preface.html#definition-reference), required*

  The [SecretsProvider](SecretsProvider.html) to query for the keystore password.

## Example

The following example configures a KeyManager that depends on a [KeyStore (deprecated)](KeyStore.html) configuration. The KeyManager and KeyStore passwords are provided by Java system properties or environment variables, and retrieved by the SystemAndEnvSecretStore. By default, the password values must be base64-encoded.

```json
{
  "name": "MyKeyManager",
  "type": "KeyManager",
  "config": {
    "keystore": {
      "type": "KeyStore",
      "config": {
        "url": "file://${env['HOME']}/keystore.p12",
        "passwordSecretId": "keymanager.keystore.secret.id",
        "secretsProvider": "SystemAndEnvSecretStore"
      }
    },
    "passwordSecretId": "keymanager.secret.id",
    "secretsProvider": "SystemAndEnvSecretStore"
  }
}
```
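
The following shell preflight check is an added example, not part of the PingGateway documentation. It verifies that the two secret IDs in the configuration above resolve to environment variables holding clean base64 values. It assumes that SystemAndEnvSecretStore finds the environment variable by upper-casing the secret ID and replacing periods with underscores (a convention this page does not state) and that `base64 -d` is available; the function names and the `changeit` value are constructed for illustration.

```shell
# Added example, not PingGateway code. Assumption: SystemAndEnvSecretStore maps a
# secret ID to an environment variable by upper-casing it and turning '.' into '_'.
secret_env_name() {
  printf '%s' "$1" | tr '.' '_' | tr '[:lower:]' '[:upper:]'
}

# Base64-encode a value exactly as given. printf '%s' avoids the trailing newline
# that `echo value | base64` would silently fold into the stored password.
encode_secret() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Preflight check for one secret ID. Return codes:
#   0 = usable, 1 = variable unset or empty (or unsafe name),
#   2 = value is not valid base64, 3 = decoded value ends with a newline
check_secret() {
  name=$(secret_env_name "$1")
  case "$name" in
    ''|[0-9]*|*[!A-Z0-9_]*) return 1 ;;  # never eval a name outside [A-Z0-9_]
  esac
  eval "value=\${$name-}"
  [ -n "$value" ] || return 1
  printf '%s' "$value" | base64 -d >/dev/null 2>&1 || return 2
  # Command substitution strips newlines, so inspect the last decoded byte in hex.
  last=$(printf '%s' "$value" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" != "0a" ] || return 3
  return 0
}

# Constructed demo: only the KeyManager password is set, so the KeyStore
# password from the example configuration is reported as missing (status 1).
KEYMANAGER_SECRET_ID=$(encode_secret 'changeit')
for id in keymanager.secret.id keymanager.keystore.secret.id; do
  rc=0
  check_secret "$id" || rc=$?
  echo "$id -> $(secret_env_name "$id"): status $rc"
done
```

Status 3 usually means the value was produced with `echo` rather than `printf`, so the decoded password no longer matches the one protecting the keystore.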

## More information

[org.forgerock.openig.security.KeyManagerHeaplet](../_attachments/apidocs/org/forgerock/openig/security/KeyManagerHeaplet.html)

[JSSE Reference](https://docs.oracle.com/en/java/javase/21/security/java-secure-socket-extension-jsse-reference-guide.html)

[KeyStore](KeyStore.html)

[TrustManager (deprecated)](TrustManager.html)
