---
title: TrustManager (deprecated)
description: The configuration of a Java Secure Socket Extension TrustManager to manage trust material (typically X.509 public key certificates) for PingGateway. The configuration references the keystore that holds the trust material.
component: pinggateway
version: 2025.11
page_id: pinggateway:reference:TrustManager
canonical_url: https://docs.pingidentity.com/pinggateway/2025.11/reference/TrustManager.html
revdate: 2025-12-08T18:08:46Z
section_ids:
  TrustManager-usage: Usage
  TrustManager-properties: Properties
  TrustManager-example: Example
  TrustManager-moreinfo: More information
---

# TrustManager (deprecated)

|   |                                                                                         |
| - | --------------------------------------------------------------------------------------- |
|   | This object is deprecated. Use [SecretsTrustManager](SecretsTrustManager.html) instead. |

The configuration of a Java Secure Socket Extension [TrustManager](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/net/ssl/TrustManager.html) to manage trust material (typically X.509 public key certificates) for PingGateway. The configuration references the keystore that holds the trust material.

When PingGateway acts as a client, it uses a trust manager to verify that the server is trusted. When PingGateway acts as a server, it uses a trust manager to verify that the client is trusted.

## Usage

```json
{
    "name": string,
    "type": "TrustManager",
    "config": {
      "keystore": KeyStore reference,
      "alg": configuration expression<string>
    }
}
```

## Properties

* `"keystore"`: *KeyStore [reference](preface.html#definition-reference), required*

  The [KeyStore (deprecated)](KeyStore.html) object that references the store for key certificates. When `keystore` is used in a KeyManager, it queries for private keys; when `keystore` is used in a TrustManager, it queries for certificates.

  Provide either the name of the keystore object defined in the heap or an inline keystore configuration object.

- `"alg"`: *configuration expression<[string](preface.html#definition-string)>, optional*

  The certificate algorithm to use.

  Default: the default for the platform, such as `SunX509`.

## Example

The following example configures a trust manager that depends on a KeyStore configuration. This configuration uses the default certificate algorithm:

```json
{
  "name": "MyTrustManager",
  "type": "TrustManager",
  "config": {
    "keystore": {
      "type": "KeyStore",
      "config": {
        "url": "file://${env['HOME']}/keystore.p12",
        "passwordSecretId": "${system['keypass']}",
        "secretsProvider": "SystemAndEnvSecretStore"
      }
    }
  }
}
```

## More information

[org.forgerock.openig.security.TrustManagerHeaplet](../_attachments/apidocs/org/forgerock/openig/security/TrustManagerHeaplet.html)

[JSSE reference guide](https://docs.oracle.com/en/java/javase/21/security/java-secure-socket-extension-jsse-reference-guide.html), [KeyManager (deprecated)](KeyManager.html), [KeyStore (deprecated)](KeyStore.html)