---
title: SecretsTrustManager
description: Uses the Commons Secrets API to manage trust material that verifies the credentials presented by a peer. Trust material is usually public key certificates. The configuration references the secrets store that holds the trust material.
component: pinggateway
version: 2026
page_id: pinggateway:reference:SecretsTrustManager
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/SecretsTrustManager.html
revdate: 2026-02-19T12:00:00Z
section_ids:
  SecretsTrustManager-usage: Usage
  SecretsTrustManager-properties: Properties
  SecretsTrustManager-example: Example
  SecretsTrustManager-moreinfo: More information
---

# SecretsTrustManager

Uses the Commons Secrets API to manage trust material that verifies the credentials presented by a peer. Trust material is usually public key certificates. The configuration references the secrets store that holds the trust material.

## Usage

```json
{
  "name": string,
  "type": "SecretsTrustManager",
  "config": {
    "verificationSecretId": configuration expression<secret-id>,
    "certificateVerificationSecretId": configuration expression<secret-id>,
    "secretsProvider": SecretsProvider reference,
    "checkRevocation": configuration expression<boolean>
  }
}
```

## Properties

* `"verificationSecretId"`: *configuration expression<[secret-id](preface.html#definition-secretid)>, required if certificateVerificationSecretId isn't used*

  Either `verificationSecretId` or `certificateVerificationSecretId` is required.

  The secret ID to retrieve trusted certificates. This secret ID must point to a [CryptoKey](../security-guide/keys.html#secret-types).

  Consider the following requirements for using certificates with `verificationSecretId`:

  * Certificates loaded from keystores can be used with the following constraint:

    * The KeyUsage extension `digitalSignature` must be set **or** no KeyUsage extension must be set

  * Certificates loaded from JWKs or JWK sets can be used with the following constraints:

    * The `use` parameter must be set to `sig` **or** the `use` parameter must not be set

    * The `key_ops` parameter must contain `verify` **or** the `key_ops` parameter must not be set

  * Certificates loaded from PEM can be used without constraint.

* `"certificateVerificationSecretId"`: *configuration expression<[secret-id](preface.html#definition-secretid)>, required if verificationSecretId isn't used*

  Either `verificationSecretId` or `certificateVerificationSecretId` is required.

  The secret ID to retrieve certificates for trusted certificate authorities (CA). Use this property when you trust client certificates **only because** they are signed by a trusted CA.

  Consider the following requirements:

  * Certificates loaded from keystores can be used with the following constraint:

    * The KeyUsage extension `keyCertSign` must be set **or** no KeyUsage extension must be set

  * Certificates loaded from JWKs or JWK sets can be used with the following constraints:

    * The `use` parameter must not be set

    * The `key_ops` parameter must not be set

  * Certificates loaded from PEM can be used without constraint.

* `"secretsProvider"`: *SecretsProvider [reference](preface.html#definition-reference), required*

  The [SecretsProvider](SecretsProvider.html) to query for secrets to resolve trusted certificates.

* `"checkRevocation"`: *configuration expression<[boolean](preface.html#definition-boolean)>, optional*

  Specifies whether to check for certificate revocation.

  Default: `true`
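The KeyUsage, `use` and `key_ops` constraints above decide which entries a secret ID actually resolves, and material that fails them is skipped rather than reported. The following preflight check is an added example and is not part of PingGateway or the Commons Secrets API: it encodes the constraints for both `verificationSecretId` and `certificateVerificationSecretId` so you can inspect candidate trust material before wiring it into a `SecretsProvider`. It assumes you have already read the KeyUsage bit names out of each keystore certificate (with `keytool -list -v` or `openssl x509 -text`, for instance) and that JWKs are supplied as parsed dictionaries; the JWK set and key usage values in the block are constructed sample data.

```python
"""Preflight check mirroring the SecretsTrustManager trust-material constraints.

Keystore certificates are filtered on the KeyUsage extension, JWKs on the
``use`` and ``key_ops`` parameters, and PEM material is accepted as-is.
"""
from typing import Iterable, List, Optional

# The two secret-ID roles a SecretsTrustManager can be configured with.
MODES = ("verificationSecretId", "certificateVerificationSecretId")


def _check_mode(mode: str) -> None:
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}, expected one of {MODES}")


def keystore_cert_usable(key_usage: Optional[Iterable[str]], mode: str) -> bool:
    """Return True if a keystore certificate is usable for ``mode``.

    ``key_usage`` is the set of KeyUsage bit names set on the certificate
    (e.g. {"digitalSignature", "keyEncipherment"}), or None when the
    certificate carries no KeyUsage extension at all.
    """
    _check_mode(mode)
    if key_usage is None:
        # No KeyUsage extension: accepted under either secret ID.
        return True
    bits = set(key_usage)
    # verificationSecretId needs digitalSignature; the CA slot needs keyCertSign.
    # A typical CA certificate (keyCertSign, cRLSign) is therefore silently
    # ignored if it is referenced from verificationSecretId instead.
    required = "digitalSignature" if mode == "verificationSecretId" else "keyCertSign"
    return required in bits


def jwk_usable(jwk: dict, mode: str) -> bool:
    """Return True if a parsed JWK is usable for ``mode``.

    Only the ``use`` and ``key_ops`` parameters are consulted.
    """
    _check_mode(mode)
    use = jwk.get("use")
    key_ops = jwk.get("key_ops")
    if mode == "verificationSecretId":
        use_ok = use is None or use == "sig"
        ops_ok = key_ops is None or "verify" in key_ops
        return use_ok and ops_ok
    # certificateVerificationSecretId: both parameters must be absent.
    return use is None and key_ops is None


def pem_usable(mode: str) -> bool:
    """PEM-loaded certificates carry no constraint for either mode."""
    _check_mode(mode)
    return True


def usable_jwk_kids(jwk_set: dict, mode: str) -> List[str]:
    """List the ``kid`` values in a JWK set that would be resolved for ``mode``."""
    return [
        key.get("kid", "<no kid>")
        for key in jwk_set.get("keys", [])
        if jwk_usable(key, mode)
    ]


# Constructed sample JWK set: the key material is placeholder text, only the
# kid / use / key_ops parameters matter for this check.
SAMPLE_JWK_SET = {
    "keys": [
        {"kty": "RSA", "kid": "sig-only", "use": "sig", "n": "placeholder", "e": "AQAB"},
        {"kty": "RSA", "kid": "verify-ops", "key_ops": ["verify"], "n": "placeholder", "e": "AQAB"},
        {"kty": "RSA", "kid": "unconstrained", "n": "placeholder", "e": "AQAB"},
        {"kty": "RSA", "kid": "enc-key", "use": "enc", "n": "placeholder", "e": "AQAB"},
        {"kty": "RSA", "kid": "sign-ops", "key_ops": ["sign"], "n": "placeholder", "e": "AQAB"},
    ]
}

if __name__ == "__main__":
    for mode in MODES:
        print(mode, "->", usable_jwk_kids(SAMPLE_JWK_SET, mode))
    # Constructed keystore entries: alias -> KeyUsage bits (None = no extension).
    keystore = {
        "leaf-client": {"digitalSignature", "keyEncipherment"},
        "corp-ca": {"keyCertSign", "cRLSign"},
        "legacy-no-ku": None,
    }
    for mode in MODES:
        ok = [alias for alias, ku in keystore.items() if keystore_cert_usable(ku, mode)]
        print(mode, "->", ok)
```

Run the script as-is to see which sample entries each secret ID would pick up; in practice, feed it the KeyUsage bits and JWKs from the keystore or JWK set you intend to reference so that an empty result surfaces before the gateway starts rejecting every peer certificate.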

## Example

The following example trusts all the certificates in a given keystore:

```json
{
  "name": "SecretsTrustManager-1",
  "type": "SecretsTrustManager",
  "config": {
    "verificationSecretId": "trust.manager.secret.id",
    "secretsProvider": {
      "type": "KeyStoreSecretStore",
      "config": {
        "file": "path/to/certs/truststore.p12",
        "storePasswordSecretId": "keystore.pass",
        "secretsProvider": "SecretsPasswords",
        "mappings": [{
          "secretId": "trust.manager.secret.id",
          "aliasesMatching": [".*"]
        }]
      }
    }
  }
}
```

The following example trusts only certificates signed by specific CA certificates held in a given keystore, identified by alias:

```json
{
  "type": "SecretsTrustManager",
  "config": {
    "certificateVerificationSecretId": "ca.secret.id",
    "secretsProvider": {
      "type": "KeyStoreSecretStore",
      "config": {
        "file": "&{ig.instance.dir}/certs/truststore.p12",
        "storePasswordSecretId": "keystore.pass",
        "secretsProvider": "SecretsPasswords",
        "mappings": [{
          "secretId": "ca.secret.id",
          "aliases": ["alias-of-trusted-cacert-1", "alias-of-trusted-cacert-2"]
        }]
      }
    }
  }
}
```

## More information

[Secrets](secrets.html)

[org.forgerock.openig.secrets.SecretsTrustManagerHeaplet](../_attachments/apidocs/org/forgerock/openig/secrets/SecretsTrustManagerHeaplet.html)
