Server JWK set

The Connect2id server needs to be supplied with an RSA public / private key pair in JSON Web Key (JWK) format to sign the issued ID tokens and other protected objects. The public part of the key will also be published at a well-known URL so that OpenID Connect client applications can verify its signatures.

The Connect2id server expects to find the RSA key in a JWK set file in the following location:


How to generate an RSA JWK

Important! Before you put the server in production you must generate a new RSA JWK and put it in place of the sample JWK that comes with the original installation package.

We suggest you use the JWK generator utility for that, by invoking it with the following parameters:

java -jar json-web-key-generator.jar -t RSA -s 2048 -i 1 -u sig -S

The JWK must be of type RSA and the recommended size is 2048 bits. It must also include a key identifier (a serial number, e.g. "1", or the current date, e.g. "2014-01-31"). Is is also suggested the key use is set to "sig" (for signature).

The above commend will then output a JSON object similar to this:

  "keys": [
      "d": "Y5ULK-bLRqKAg6FcuDx4HCQmnMYUv67IQ394KBmw6F-LbdbMhNyn6UH2RAr4Wkg-TL0QXZbfuOdvvE8ZlGeWJxCGx2XOzO1wQT12mhNTD1S9NtrD_wQMc34sE6Qy5JK2CE-tWzPRT_cKzWXEJGsR0FWHphUjZOg7-vfAgPYZaZ7rptdgtq3mEs45MiURVx7DBgu5AH2x0R-s37wtR1Xw9Vx1tD6ScGl7sMu7RWerDbkkfuAUSnON_8lHzHt_GvWYI3za4KiWRH5HeYVACQ3nBrnKju_kMp9lLEGC6pgbLkthnvjf0KjMcUoKrRMKKbENhyzwFcZ6pZAtdUg-Ec3AYQ",
      "e": "AQAB",
      "n": "j37Y-Fmx2Pr9xCHXhBWvDRaXobvpikF2Nd2J_FoK8U5SlMebmqrEwddegw4OoWbBcTfcK9UMiK7mOYH7xpIxPmXyUl_ByMLT-0gTLhq-KhzsZ3SxoUqVThF6-x8XJ8DiBYO3RUSfZ3xwQwHtlXdhg6hk-iUaArYBEKGhp8R75d4w6gFHXnSzgY_llxwU7dBFUgk6H1CbBK1ozmOP5xzgnSovYt5PEetwfHjbSm_q1yFd9AuwT5QgFQhmB2jJH9rdL_W4zf8U71a3tuN-fG3LmXc2jtuDMg5LAVjzaXtPX0kQKH8_88qER1UeNfa3ceJgCfvr_EVt8PkIkh8mhB4AbQ",
      "kty": "RSA",
      "use": "sig",
      "kid": "1"

Use it to replace the sample WEB-INF/jwkSet.json file, then restart the server.

The Connect2id server performs a check on the JWK set during startup. If a problem is found with the JWK the server will output an error message to the log and terminate.

JWK roll-over

To facilitate key rollover, generate a new RSA JWK with a different identifier and append it to the existing JWK set (the "keys" JSON array).