Q: How does digiRunner store and manage the private key used for JWS signing?
A: digiRunner manages the JWS private key through properties-based configuration. The key is kept in a password-protected KeyStore file (typically in JKS format) and is used for both JWS signing and token generation.
Key settings are managed through the Token Keypair Settings section in the properties file and are loaded at startup. No source code changes are required when updating key-related configurations.
Configuration parameters:

Parameter                              Description                                    Default
-------------------------------------  ---------------------------------------------  -------
digiRunner.token.key-store.path        Directory containing the KeyStore file
digiRunner.token.key-store.name
digiRunner.token.key-store-password    Password to access the KeyStore
digiRunner.token.keyAlias              Alias of the private key within the KeyStore
digiRunner.token.keyStoreType
Keywords: JWS, Private Key, KeyStore, JKS, digiRunner Configuration, Token Signing
Q: What is the process for rotating or updating the JWS private key?
A: To rotate or update the JWS private key, follow these steps:
1. Prepare a new KeyStore: generate a new public/private key pair and store it in a new KeyStore file, for example new-token.jks.
2. Update configuration properties: place the new KeyStore file in the configured directory (e.g., keys/) and update the related properties, including the KeyStore name, password, and key alias.
3. Restart digiRunner: restart the instance to apply the changes, as these settings are loaded at startup.
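The rotation procedure above as an added shell example (not digiRunner's own tooling): step 1 generates new-token.jks with keytool under a new alias and confirms the alias is present, step 2 writes the five Token Keypair Settings from the table above into the properties file. It assumes a JDK keytool on PATH, that the KeyStore password is supplied in the KS_PASS environment variable and protects both the store and the key, and that the directory, file and alias names are placeholders.

```shell
#!/bin/sh
# Added example (not digiRunner's own tooling): rotate the JWS signing key.
# Assumes a JDK keytool on PATH and the KeyStore password in the KS_PASS variable;
# the same password is used for the store and the key, since the configuration
# has a single key-store-password property. Step 3 (restart) is left to the operator.

# Update or append key=value in a .properties file, matching the key literally.
set_prop() {
  file=$1 key=$2 value=$3
  awk -v k="$key" -v v="$value" -F= '
    $1 == k { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 1: generate a new RSA key pair in a new JKS KeyStore under a new alias.
# -storepass:env keeps the password out of the process list and shell history.
generate_keystore() {
  dir=$1 name=$2 key_alias=$3
  keytool -genkeypair -alias "$key_alias" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 -dname "CN=digiRunner token signing" \
    -keystore "$dir/$name" -storetype JKS -storepass:env KS_PASS -keypass:env KS_PASS
  # Confirm the alias exists before pointing the configuration at it.
  keytool -list -keystore "$dir/$name" -storetype JKS -storepass:env KS_PASS -alias "$key_alias"
}

# Step 2: point the Token Keypair Settings at the new KeyStore (property names from the page).
update_token_properties() {
  props=$1 dir=$2 name=$3 key_alias=$4
  set_prop "$props" digiRunner.token.key-store.path "$dir"
  set_prop "$props" digiRunner.token.key-store.name "$name"
  set_prop "$props" digiRunner.token.key-store-password "$KS_PASS"
  set_prop "$props" digiRunner.token.keyAlias "$key_alias"
  set_prop "$props" digiRunner.token.keyStoreType JKS
}

rotate_token_key() {
  [ -n "${KS_PASS:-}" ] || { echo "KS_PASS is not set" >&2; return 1; }
  export KS_PASS
  generate_keystore "$1" "$2" "$3"
  update_token_properties "$4" "$1" "$2" "$3"
  echo "Step 3: restart digiRunner so the new key is loaded at startup."
}

# Usage: KS_PASS=... ./rotate-token-key.sh keys new-token.jks token-2025 application.properties
if [ $# -eq 4 ]; then rotate_token_key "$@"; fi
```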
Keywords: Key Rotation, Update Private Key, KeyStore Update, Restart Instance
Q: How can clients retrieve the public key for JWS signature verification?
A: Client applications must obtain the corresponding public key to validate JWS signatures or tokens issued by digiRunner.
The currently active public key can be retrieved from the /ssotoken/enccert endpoint.
This endpoint returns the public key information clients need to validate the signatures on responses received from the server.
Keywords: Public Key, Signature Verification, JWS Validation, /ssotoken/enccert