Credential Signing Keys
You can sign credentials before issuance with private keys that never leave your own infrastructure. PingOne still needs the matching public key: it is used to build the JWT header (the alg and kid values) for the unsigned credential sent to your signing endpoint, and to verify the signed credential you return.
Use the Credential Signing Keys operations to store, retrieve, update, or delete the public signing keys used in this exchange between your signing endpoint and PingOne.
Credential signing key data model
| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| createdAt | DateTime | N/A | Read-only | Date and time the credential signing key was created. |
| enabled | String | Required | Mutable | Whether the key is available for use in signing. Lets you change the key the credentialing service signs with while retaining the old key for verification. Can be true or false. |
| environment.id | String | N/A | Read-only | PingOne environment identifier (UUID) in which the credential signing key exists. |
| jwk | Object | Required/Optional | Immutable | JSON Web Key as defined in RFC 7517. Required for Create Customer Signing Public Key; optional for Update Customer Signing Public Key because it is immutable. Used when sending unsigned credentials to your signing endpoint and when verifying the signed credentials you return. |
| jwk.alg | String | Required | Immutable | Algorithm intended for use with the key. Refer to Available algorithms for JWK. |
| jwk.crv | String | Required/Optional | Immutable | Curve of the Elliptic Curve (EC) or Octet Key Pair (OKP) public key. Required for EC- and OKP-based algorithms; optional and ignored if present for other algorithms. |
| jwk.e | String | Required/Optional | Immutable | Public exponent of the RSA public key. Required for RSA-based algorithms; optional and ignored if present for other algorithms. |
| jwk.kid | String | Required | Immutable | Key ID, a unique identifier used to select the key. |
| jwk.kty | String | Required | Immutable | Key type, identifies the cryptographic algorithm family used with the key. Can be RSA, EC, or OKP. |
| jwk.n | String | Required/Optional | Immutable | Modulus of the RSA public key. Required for RSA-based algorithms; optional and ignored if present for other algorithms. |
| jwk.x | String | Required/Optional | Immutable | x-coordinate of the EC public key, or the public key of an OKP key. Required for EC- and OKP-based algorithms; optional and ignored if present for other algorithms. |
| jwk.y | String | Required/Optional | Immutable | y-coordinate of the EC public key. Required for EC-based algorithms; optional and ignored if present for other algorithms. |
| name | String | Optional | Mutable | A friendly name shown in the admin console for the key. Optional; a default is assigned if omitted. |
| updatedAt | DateTime | N/A | Read-only | Date and time the credential signing key was last updated; can be null. |
The jwk object must not contain private key material. If you perform a POST request and the jwk object includes private key material, the service returns an HTTP 400 error.
The key ID, jwk.kid, accepts up to 256 characters from the set: a-z, 0-9, A-Z, -, and _ and must be unique within an environment. Attempted reuse of a kid returns an error.
More than one key can have enabled set to true, but the service, not the caller, selects which of the enabled keys is used for a given signing request.
All keys, regardless of enabled state, are included in did:web responses, so a credential issued under a key that has since been disabled can still be verified.
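The following added example (not part of the PingOne documentation or service code) applies the rules above before a key is submitted: it rejects a jwk that carries private or symmetric key material (the members d, p, q, dp, dq, qi, oth and k from RFC 7518), checks the kid character set and length, requires the public members the data model lists for each kty, refuses alg none, enforces kid uniqueness within a constructed in-memory environment, and shows the difference between the keys eligible for signing (enabled only) and the keys published for verification (all of them). The sample key is a constructed P-256 public JWK with illustrative coordinates; ES256 is assumed as a typical JWS signing algorithm and is not taken from the page's algorithm list.

```python
import re

# Members that carry private or symmetric key material (RFC 7518 sections 6.2.2,
# 6.3.2 and 6.4). Any of these in the submitted jwk gets the POST an HTTP 400.
PRIVATE_MEMBERS = frozenset({"d", "p", "q", "dp", "dq", "qi", "oth", "k"})

# Public members the data model requires for each key type.
REQUIRED_BY_KTY = {
    "RSA": frozenset({"n", "e"}),
    "EC": frozenset({"crv", "x", "y"}),
    "OKP": frozenset({"crv", "x"}),
}

# kid: 1-256 characters from a-z, A-Z, 0-9, '-' and '_'.
KID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,256}")

# Constructed sample: a P-256 public key with illustrative base64url coordinates.
SAMPLE_EC_PUBLIC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "alg": "ES256",  # assumed JWS algorithm, not from the page's table
    "kid": "issuer-key-2024-01",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def validate_public_jwk(jwk: dict) -> list:
    """Return the reasons the service would reject this jwk; empty list means OK."""
    problems = []

    leaked = PRIVATE_MEMBERS & set(jwk)
    if leaked:
        problems.append(f"private key material present: {sorted(leaked)}")

    for member in ("kty", "kid", "alg"):
        if not isinstance(jwk.get(member), str) or not jwk[member]:
            problems.append(f"missing required member {member!r}")

    kty = jwk.get("kty")
    if kty in REQUIRED_BY_KTY:
        missing = REQUIRED_BY_KTY[kty] - set(jwk)
        if missing:
            problems.append(f"{kty} key is missing {sorted(missing)}")
    elif kty is not None:
        problems.append(f"unsupported kty {kty!r}")

    kid = jwk.get("kid")
    if isinstance(kid, str) and not KID_PATTERN.fullmatch(kid):
        problems.append("kid must be 1-256 characters of a-z, A-Z, 0-9, '-', '_'")

    if isinstance(jwk.get("alg"), str) and jwk["alg"].lower() == "none":
        problems.append("alg 'none' is not allowed")

    return problems


class CredentialSigningKeyStore:
    """Constructed in-memory model of one environment's key collection."""

    def __init__(self):
        self._keys = {}  # kid -> {"jwk": ..., "enabled": ...}

    def add(self, jwk: dict, enabled: bool = True) -> dict:
        problems = validate_public_jwk(jwk)
        if problems:
            raise ValueError("; ".join(problems))  # the service answers HTTP 400
        if jwk["kid"] in self._keys:
            raise ValueError(f"kid {jwk['kid']!r} already exists in this environment")
        record = {"jwk": dict(jwk), "enabled": enabled}
        self._keys[jwk["kid"]] = record
        return record

    def signing_candidates(self) -> list:
        """Keys the service may choose from when signing: enabled ones only."""
        return [r["jwk"] for r in self._keys.values() if r["enabled"]]

    def verification_keys(self) -> list:
        """Keys published for verification (did:web): every key, enabled or not."""
        return [r["jwk"] for r in self._keys.values()]


def jws_protected_header(jwk: dict) -> dict:
    """Header the issuer derives from the stored public key: alg and kid."""
    return {"alg": jwk["alg"], "kid": jwk["kid"]}


if __name__ == "__main__":
    store = CredentialSigningKeyStore()
    store.add(SAMPLE_EC_PUBLIC_JWK)
    store.add(dict(SAMPLE_EC_PUBLIC_JWK, kid="issuer-key-2023-07"), enabled=False)
    print("signing candidates:", [k["kid"] for k in store.signing_candidates()])
    print("did:web keys:", [k["kid"] for k in store.verification_keys()])
    print("header:", jws_protected_header(SAMPLE_EC_PUBLIC_JWK))
    leaky = dict(SAMPLE_EC_PUBLIC_JWK, d="not-a-real-private-scalar")
    print("leaky key problems:", validate_public_jwk(leaky))
```

Running the validator on your side before the POST turns the service's generic HTTP 400 into a specific reason, and the store shows why rotating by setting enabled to false (rather than deleting) keeps previously issued credentials verifiable.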
Available algorithms for JWK
The service rejects alg set to none. The identifiers in the table are the JWE key management algorithm names defined in RFC 7518, Section 4.1.
| Key Management Algorithm | jwk.alg |
|---|---|
| RSAES-PKCS1-V1_5 key encryption | RSA1_5 |
| RSAES using OAEP key encryption | RSA-OAEP, RSA-OAEP-256 |
| AES key wrap | A128KW, A192KW, A256KW |
| AES GCM key encryption | A128GCMKW, A192GCMKW, A256GCMKW |
| Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF | ECDH-ES |
| Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF with AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW |