How does digirunner store and update its private key? #86

Eddie-Las · 2025-09-17T03:10:18Z

Eddie-Las
Sep 17, 2025
Collaborator

Hi all,
I’m trying to understand how digiRunner handles its own private key storage and updates. For example, when it signs JWTs — where are those keys kept, and how are they rotated?

Answered by TPIsoftwareOSPO

Sep 18, 2025

Hey 👋 thanks for asking!

digiRunner manages its JWS (JSON Web Signature) private key through properties-based configuration, which allows you to update keys via startup parameters without modifying code.
Below is a clear overview of how the private key is stored, configured, and updated.

🔐 How digiRunner Stores and Uses the JWS Private Key

The private key used for JWS signing (and token generation) is stored in a KeyStore file (e.g., JKS format) and configured in the Token Keypair Setting section of the digiRunner properties file.

Key configuration parameters

Parameter	Description	Default
digiRunner.token.key-store.path	Directory containing the KeyStore file	keys
digiRunner.toke…

View full answer

TPIsoftwareOSPO · 2025-09-18T08:15:02Z

TPIsoftwareOSPO
Sep 18, 2025
Maintainer

Hey 👋 thanks for asking!

digiRunner manages its JWS (JSON Web Signature) private key through properties-based configuration, which allows you to update keys via startup parameters without modifying code.
Below is a clear overview of how the private key is stored, configured, and updated.

🔐 How digiRunner Stores and Uses the JWS Private Key

The private key used for JWS signing (and token generation) is stored in a KeyStore file (e.g., JKS format) and configured in the Token Keypair Setting section of the digiRunner properties file.

Key configuration parameters

Parameter	Description	Default
digiRunner.token.key-store.path	Directory containing the KeyStore file	keys
digiRunner.token.key-store.name	KeyStore filename	opendgr-token.jks
digiRunner.token.key-store-password	Password for accessing the KeyStore	(none)
digiRunner.token.keyAlias	Alias of the private key inside the KeyStore	opendgr-token
digiRunner.token.keyStoreType	KeyStore type	JKS

🔄 How to Update the Private Key

Updating the JWS private key is straightforward:

1. Prepare a new KeyStore

Generate a new public/private key pair
Store it in a new KeyStore (e.g., new-token.jks)

2. Update digiRunner’s properties

Place the new KeyStore file in your configured directory (e.g., keys/)

Update the following parameters:

digiRunner.token.key-store.name
digiRunner.token.key-store-password
digiRunner.token.keyAlias
digiRunner.token.keyStoreType (optional)

3. Restart digiRunner

These settings are loaded at startup, so a restart is required for changes to take effect.

🔑 How Clients Retrieve the Public Key (for JWS Verification)

digiRunner signs tokens using the private key, and clients verify them using the public key.

Clients can retrieve the active public key from:

https://{dgr-ip}:{dgr-port}/dgrv4/ssotoken/enccert

This endpoint returns the currently used public key so clients can verify JWS signatures issued by digiRunner.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

How does digirunner store and update its private key? #86

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

How does digirunner store and update its private key? #86

Uh oh!

Eddie-Las Sep 17, 2025 Collaborator

🔐 How digiRunner Stores and Uses the JWS Private Key

Key configuration parameters

Replies: 1 comment

Uh oh!

Uh oh!

TPIsoftwareOSPO Sep 18, 2025 Maintainer

🔐 How digiRunner Stores and Uses the JWS Private Key

Key configuration parameters

🔄 How to Update the Private Key

1. Prepare a new KeyStore

2. Update digiRunner’s properties

3. Restart digiRunner

🔑 How Clients Retrieve the Public Key (for JWS Verification)

Eddie-Las
Sep 17, 2025
Collaborator

TPIsoftwareOSPO
Sep 18, 2025
Maintainer