Key generation

Andrew Stuart edited this page Apr 13, 2017 · 5 revisions

Prepackaged keys

Both the MITREid Connect server webapp and the Simple Web App client come pre-packaged with public/private RSA key pairs, found in the keystore.jwks file included in each project's src/main/resources/ directory. Since these keys are the same for every clone of the repository, they are not suitable for use in a deployed system and MUST be replaced by newly generated keys.

Generating a public/private keypair

For testing purposes, you can use the Online JSON Web Key Generator.

You can use the JSON Web Key Generator project to generate a JSON Web Key suitable for your installation.

To generate a key, run java -jar json-web-key-generator-0.1-SNAPSHOT-jar-with-dependencies.jar. Several other arguments are defined which may be required depending on your key type:

 -a  Algorithm (optional)
 -c  Key Curve, required for EC key type; must be one of P-256, P-384, P-521
 -i  Key ID (optional)
 -p  Display public key separately
 -s  Key Size in bits, required for RSA and oct key types; must be an integer divisible by 8
 -S  Wrap output in a JWK Set
 -t  Key Type, one of: RSA, oct, EC
 -u  Usage, one of: enc, sig (optional)

The most common settings are an RSA key pair wrapped in a key set with a key identifier, such as rsa1. The example below uses a 1024-bit key only so that the sample output stays short; RFC 7518 requires a modulus of at least 2048 bits for RS256, so pass -s 2048 (or larger) for any key that will sign tokens in a deployed system:

java -jar json-web-key-generator-0.2-SNAPSHOT-jar-with-dependencies.jar -t RSA -s 1024 -S -i rsa1

This will output to the console a key like the following (but with a different key each time):

{
  "keys": [
    {
      "d": "bj_wcFHzrMVSTQJV0-DO7S7kR7z4nW3b0EyPsFrRVuzb4Vyb_G_tmcxgHG3l31V4IXH70DOYlB3FldNC0hKenNuCb4qoSZbgZxrfX9yixESIl0V5jErDXUsHau8nQN60CPivmnv535ySP8O8b1REba1gKJBx-sYhkm83jN-AFxE",
      "e": "AQAB",
      "n": "it4yc9J1iTP_FiOMF6ExWpqCcinQKJLm5K4nQeXh4zBJC6iBvU_b6hDdpYdH5O-bvedCA7T2OOX0yjjZu5Zqx7gYMxF2707_2McmPnLQu46oVQGJATaE-ZMe-hq1U4rnsB5CVeiGc2BG1FNEHDygDf-JhIJtn4jTNg3wO55jcxE",
      "kty": "RSA",
      "kid": "rsa1"
    }
  ]
}

This JSON object is a JSON Web Key Set; it can be copied and pasted directly into a keystore.jwks file for use by the MITREid Connect JWKSetKeyStore class, which both the client and the server use. Note that the d member is the RSA private exponent: the file holds the private key, not just the public half, and must be protected accordingly.

Installing the key into a server

The server configuration uses the crypto-config.xml file to define the keys used by the server. The default configuration looks like this:

<beans xmlns="">

	<bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
		<property name="location" value="classpath:keystore.jwks" />
	</bean>

	<bean id="defaultsignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService">
		<constructor-arg name="keyStore" ref="defaultKeyStore" />
		<property name="defaultSignerKeyId" value="rsa1" />
		<property name="defaultSigningAlgorithmName" value="RS256" />
	</bean>

	<bean id="defaultEncryptionService" class="org.mitre.jwt.encryption.service.impl.DefaultJWTEncryptionAndDecryptionService">
		<constructor-arg name="keyStore" ref="defaultKeyStore" />
		<property name="defaultAlgorithm" value="RSA1_5" />
		<property name="defaultDecryptionKeyId" value="rsa1" />
		<property name="defaultEncryptionKeyId" value="rsa1" />
	</bean>

</beans>


The defaultKeyStore bean points to a file on disk that stores the public and private key pair in JWKS (JSON) format, such as the one generated above or the demo keystore.jwks file. The bean loads the contents of the file at startup and builds a key set that the other services consume. To replace the set of keys, either replace the contents of keystore.jwks with a newly generated key set, or override crypto-config.xml and point this bean's location property at a keystore file elsewhere on disk, such as /etc/mitreid-connect/keystore.jwks. Whichever you choose, the kid values in the file must match the defaultSignerKeyId, defaultDecryptionKeyId and defaultEncryptionKeyId properties (rsa1 in the default configuration), and the file holds the private key, so it should be readable only by the account the server runs as. Note also that RSA1_5, the default encryption algorithm above, is PKCS #1 v1.5 padding, which RFC 7518 lists as Recommended- in favour of RSA-OAEP; prefer RSA-OAEP where the other side supports it.

The defaultsignerService and defaultEncryptionService beans use the keys from the defaultKeyStore to create a set of signer/validator and encrypter/decrypter services based on those keys. These services are used in the creation of ID Tokens, access tokens, JWT-formatted outputs from the UserInfo endpoint, and processing of signed and encrypted Request Objects. The keys are also fed into the JWK publication endpoint, which publishes the public key portion of the server's JWK at ${issuer}/jwk.
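As an added example (it is not code from the MITREid Connect project or from this page's generator), the following stand-alone Python 3 script, using only the standard library, performs the checks a deployer would want before pointing crypto-config.xml at a new keystore.jwks: that the kid named in defaultSignerKeyId exists, carries private material, matches the key type that defaultSigningAlgorithmName needs, and, for RSA keys, meets the 2048-bit minimum that RFC 7518 sets for RS256. It also derives the public-only view of the set, which is what ${issuer}/jwk should expose. The embedded key set is the 1024-bit sample printed above, used here as constructed test input; the function names and the default size threshold are this example's own choices.

```python
import base64
import json

# Constructed sample input for this example: the 1024-bit RSA key printed by the
# generator run shown on this page, in the JWK Set shape that keystore.jwks uses.
SAMPLE_KEYSTORE_JWKS = json.loads("""
{
  "keys": [
    {
      "d": "bj_wcFHzrMVSTQJV0-DO7S7kR7z4nW3b0EyPsFrRVuzb4Vyb_G_tmcxgHG3l31V4IXH70DOYlB3FldNC0hKenNuCb4qoSZbgZxrfX9yixESIl0V5jErDXUsHau8nQN60CPivmnv535ySP8O8b1REba1gKJBx-sYhkm83jN-AFxE",
      "e": "AQAB",
      "n": "it4yc9J1iTP_FiOMF6ExWpqCcinQKJLm5K4nQeXh4zBJC6iBvU_b6hDdpYdH5O-bvedCA7T2OOX0yjjZu5Zqx7gYMxF2707_2McmPnLQu46oVQGJATaE-ZMe-hq1U4rnsB5CVeiGc2BG1FNEHDygDf-JhIJtn4jTNg3wO55jcxE",
      "kty": "RSA",
      "kid": "rsa1"
    }
  ]
}
""")

# JWK members that carry private key material (RFC 7518 sections 6.2.2, 6.3.2, 6.4).
PRIVATE_MEMBERS = {
    "RSA": ("d", "p", "q", "dp", "dq", "qi", "oth"),
    "EC": ("d",),
    "oct": ("k",),
}

# Signing algorithm family -> key type it requires (RFC 7518 section 3.1).
ALG_FAMILY_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct"}


def b64url_decode(text):
    """Decode unpadded base64url, the encoding JWK members use."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rsa_modulus_bits(jwk):
    """Bit length of an RSA JWK's modulus n."""
    return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()


def check_keystore(jwks, signer_kid, signing_alg="RS256", min_rsa_bits=2048):
    """Return a list of problems found in a keystore.jwks for the given crypto-config settings.

    An empty list means every key has a unique kid, every RSA key meets the size
    floor, and the signer key exists, has private material and fits the algorithm.
    """
    problems = []
    keys = jwks.get("keys")
    if not isinstance(keys, list):
        return ["not a JWK Set: top-level 'keys' array is missing"]
    by_kid = {}
    for jwk in keys:
        kid = jwk.get("kid")
        if kid is None:
            problems.append("a key has no kid and cannot be selected by defaultSignerKeyId")
            continue
        if kid in by_kid:
            problems.append(f"duplicate kid {kid!r}")
            continue
        by_kid[kid] = jwk
        if jwk.get("kty") == "RSA" and "n" in jwk:
            bits = rsa_modulus_bits(jwk)
            if bits < min_rsa_bits:
                problems.append(f"kid {kid!r}: RSA modulus is {bits} bits, below the {min_rsa_bits}-bit minimum")
    signer = by_kid.get(signer_kid)
    if signer is None:
        problems.append(f"defaultSignerKeyId {signer_kid!r} is not in the key set")
        return problems
    wanted_kty = ALG_FAMILY_KTY.get(signing_alg[:2])
    if wanted_kty and signer.get("kty") != wanted_kty:
        problems.append(f"kid {signer_kid!r}: {signing_alg} needs a {wanted_kty} key, found {signer.get('kty')!r}")
    if not any(m in signer for m in PRIVATE_MEMBERS.get(signer.get("kty"), ())):
        problems.append(f"kid {signer_kid!r}: no private material, so the server cannot sign with it")
    return problems


def public_jwks(jwks):
    """The view of the key set that ${issuer}/jwk should expose: private members
    stripped, and symmetric (oct) keys omitted because they have no public half."""
    published = []
    for jwk in jwks.get("keys", []):
        kty = jwk.get("kty")
        if kty == "oct":
            continue
        private = PRIVATE_MEMBERS.get(kty, ())
        published.append({name: value for name, value in jwk.items() if name not in private})
    return {"keys": published}


if __name__ == "__main__":
    # With the defaults this reports the 1024-bit modulus; pass min_rsa_bits=1024 to accept it.
    for problem in check_keystore(SAMPLE_KEYSTORE_JWKS, "rsa1"):
        print("keystore.jwks:", problem)
    print(json.dumps(public_jwks(SAMPLE_KEYSTORE_JWKS), indent=2))
```

To check a real deployment, replace SAMPLE_KEYSTORE_JWKS with json.load() of the file named in the defaultKeyStore bean's location property, and pass the defaultSignerKeyId and defaultSigningAlgorithmName values from crypto-config.xml; the public_jwks output is what you should see when you fetch ${issuer}/jwk, and any d, p, q, dp, dq or qi member appearing there means private material is being published.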
