
Signing

required

Under the signing config option everything related to how LightHouse signs its federation JWTs (entity configuration, entity statements, trust marks) is configured: the signing algorithm, where the key material lives, and automatic key rollover.

alg

enum ES512 optional

The signing algorithm that is used.

Supported values are:

  • ES256
  • ES384
  • ES512
  • EdDSA (ed25519)
  • RS256
  • RS384
  • RS512
  • PS256
  • PS384
  • PS512
config.yaml
signing:
    alg: EdDSA

rsa_key_len

integer 2048 optional

The rsa_key_len option defines the length (in bits) of the generated RSA key. It only takes effect if an RSA-based signing algorithm (RS256/RS384/RS512 or PS256/PS384/PS512) is configured and LightHouse generates the key itself because none was provided externally. EC and EdDSA key sizes are fixed by the chosen algorithm and are not affected by this option.

config.yaml
signing:
    alg: PS256
    rsa_key_len: 4096

key_file

Deprecated

The key_file option is deprecated and must no longer be used; use key_dir instead. To keep an existing signing key, move it into the key_dir directory (if it is not there already) and rename it according to the naming scheme federation_<alg>.pem, e.g. federation_ES512.pem for an ES512 key.

key_dir

directory path required

The key_dir option specifies the path to a directory that contains the private signing key(s), as well as a key set for the corresponding public keys. Since this directory holds private key material, it should be readable and writable only by the user LightHouse runs as.

config.yaml
signing:
    key_dir: /path/to/keys
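To provision a key by hand rather than letting LightHouse generate one, the following Go program (an added example, not part of LightHouse) creates a private key that matches one of the alg values listed above, applies rsa_key_len for the RS*/PS* families, and writes the key into key_dir under the federation_<alg>.pem name from the key_file deprecation note. It assumes LightHouse accepts an unencrypted PKCS#8 PEM file under that name; the page does not state the expected PEM encoding, so compare with a key LightHouse generated itself before relying on this for production. The 2048-bit RSA minimum, the 0600 file mode and the refusal to overwrite an existing key are choices of this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
)

// keyForAlg generates a private key matching one of the documented signing algorithms.
// rsaKeyLen is only consulted for RS*/PS*; EC and EdDSA sizes are fixed by the alg.
func keyForAlg(alg string, rsaKeyLen int) (crypto.PrivateKey, error) {
	switch alg {
	case "ES256":
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	case "ES384":
		return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	case "ES512":
		return ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	case "EdDSA":
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		return priv, err
	case "RS256", "RS384", "RS512", "PS256", "PS384", "PS512":
		// Assumption of this example: refuse moduli below the documented 2048-bit default.
		if rsaKeyLen < 2048 {
			return nil, fmt.Errorf("rsa_key_len %d is below the 2048-bit minimum", rsaKeyLen)
		}
		return rsa.GenerateKey(rand.Reader, rsaKeyLen)
	}
	return nil, fmt.Errorf("unsupported signing alg %q", alg)
}

// writeSigningKey stores key as an unencrypted PKCS#8 PEM file named federation_<alg>.pem
// in keyDir with mode 0600 and refuses to overwrite an existing key (O_EXCL).
func writeSigningKey(keyDir, alg string, key crypto.PrivateKey) (string, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return "", err
	}
	path := filepath.Join(keyDir, "federation_"+alg+".pem")
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return "", err // an existing signing key is never silently replaced
	}
	if err := pem.Encode(f, &pem.Block{Type: "PRIVATE KEY", Bytes: der}); err != nil {
		f.Close()
		return "", err
	}
	return path, f.Close()
}

// generateSigningKey picks the key type from alg (and rsa_key_len) and drops the key
// into key_dir under the name LightHouse looks for.
func generateSigningKey(keyDir, alg string, rsaKeyLen int) (string, error) {
	key, err := keyForAlg(alg, rsaKeyLen)
	if err != nil {
		return "", err
	}
	return writeSigningKey(keyDir, alg, key)
}

// loadSigningKey reads a federation_<alg>.pem file back, e.g. to sanity-check a key
// migrated from the deprecated key_file location.
func loadSigningKey(path string) (crypto.PrivateKey, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, fmt.Errorf("%s: not an unencrypted PKCS#8 PEM private key", path)
	}
	return x509.ParsePKCS8PrivateKey(block.Bytes)
}

func main() {
	if len(os.Args) != 4 {
		fmt.Fprintln(os.Stderr, "usage: keygen <key_dir> <alg> <rsa_key_len>")
		os.Exit(2)
	}
	var rsaLen int
	fmt.Sscan(os.Args[3], &rsaLen)
	path, err := generateSigningKey(os.Args[1], os.Args[2], rsaLen)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("wrote", path)
}
```

Invoke it as `keygen /path/to/keys EdDSA 0` or `keygen /path/to/keys PS256 4096`; the rsa_key_len argument is ignored for EC and EdDSA algorithms, mirroring the option's documented scope.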

automatic_key_rollover

object / mapping optional

Under the automatic_key_rollover option key rollover / key rotation is configured.

config.yaml
signing:
    key_dir: /path/to/keys
    automatic_key_rollover:
        enabled: true
        interval: 30d

enabled

boolean false optional

Set enabled to true to turn on automatic key rollover / rotation. When enabled, LightHouse generates a new signing key whenever the configured interval has elapsed. Both the current and the next public key are published in the jwks of the entity configuration, so other entities already hold the public key of the next signing key before it is used.

interval

duration 600000 seconds = ca. 1 week optional

The interval option sets the interval at which keys are rotated, i.e. it defines the lifetime of a signing key. It cannot be smaller than the lifetime of the Entity Configuration: other entities may cache an entity configuration for its whole lifetime, and a cached copy only contains the current and the next key, so rotating faster than that could leave them without the key actually in use. It also should not be smaller than the lifetime of entity statements, trust marks, or other JWTs signed with the federation entity key: once a key is rotated out it is no longer published (unless old_keys_kept_in_jwks is set), and anything still valid that was signed with it can then no longer be verified.

old_keys_kept_in_jwks

number 0 optional

The old_keys_kept_in_jwks option sets the number of retired signing keys that remain published in the jwks of the entity configuration after rotation. With the default of 0, a key disappears from the jwks as soon as it is rotated out. Change this only when it is actually needed, for instance when JWTs signed with a previous key are still within their lifetime; usually it is not required to publish old keys here.
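The constraints on interval and old_keys_kept_in_jwks can be checked by simulation. The following Go program is an added example and not LightHouse code: it models a key ring with a current key, a pre-published next key and a configurable number of retired keys, issues an EdDSA-signed statement, applies the rotations that fall within a given period, and then verifies the statement against the JWKS as published at verification time. The kid derivation (the raw public key), the map-shaped JWKS, the claim values and the entity-statement+jwt header type are the example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var errUnknownKid, errExpired = errors.New("kid not in published JWKS"), errors.New("statement expired")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// kid derives the key id from the public key (an assumption; the page does not say how kids are formed).
func kid(priv ed25519.PrivateKey) string { return b64(priv.Public().(ed25519.PublicKey)) }

func newKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the system CSPRNG is unavailable
	}
	return priv
}

// keyRing models the rollover above: current key, pre-published next key, and up to oldKept retired keys.
type keyRing struct {
	current, next ed25519.PrivateKey
	old           []ed25519.PrivateKey
	oldKept       int // old_keys_kept_in_jwks
}

// rotate is what happens once interval elapses: next becomes current, a fresh next is
// generated, and the retired key stays published only while it is among the oldKept newest.
func (r *keyRing) rotate() {
	r.old = append([]ed25519.PrivateKey{r.current}, r.old...)
	if len(r.old) > r.oldKept {
		r.old = r.old[:r.oldKept]
	}
	r.current, r.next = r.next, newKey()
}

// jwks is what the entity configuration publishes, indexed by kid (a real JWKS holds OKP/Ed25519 JWKs).
func (r *keyRing) jwks() map[string]ed25519.PublicKey {
	out := map[string]ed25519.PublicKey{}
	for _, k := range append([]ed25519.PrivateKey{r.current, r.next}, r.old...) {
		out[kid(k)] = k.Public().(ed25519.PublicKey)
	}
	return out
}

// sign issues a compact EdDSA JWS over claims with the current key.
func (r *keyRing) sign(claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid(r.current), "typ": "entity-statement+jwt"})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	return input + "." + b64(ed25519.Sign(r.current, []byte(input)))
}

// verify is the relying side: exp must not have passed (checked first, so a stale statement is
// reported as expired rather than as an unknown key), the kid must be in the JWKS it holds,
// and the signature must be valid under that key.
func verify(token string, keys map[string]ed25519.PublicKey, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWS")
	}
	var hdr struct{ Alg, Kid string }
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return errors.New("bad header or unexpected alg") // the token never gets to pick the algorithm
	}
	var claims struct{ Exp int64 }
	if raw, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil || now.Unix() >= claims.Exp {
		return errExpired // also covers a payload without a usable exp
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return errUnknownKid
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// scenario signs a statement valid for lifetime at t0, applies the rotations that fall
// within elapsed, and verifies the statement against the JWKS published at t0+elapsed.
func scenario(interval, lifetime, elapsed time.Duration, oldKept int) error {
	t0 := time.Unix(1_700_000_000, 0)
	ring := &keyRing{current: newKey(), next: newKey(), oldKept: oldKept}
	tok := ring.sign(map[string]any{"iss": "https://op.example", "iat": t0.Unix(), "exp": t0.Add(lifetime).Unix()})
	for i := 0; i < int(elapsed/interval); i++ {
		ring.rotate()
	}
	return verify(tok, ring.jwks(), t0.Add(elapsed))
}
```

Calling scenario with an interval shorter than the statement lifetime and old_keys_kept_in_jwks left at 0 (for example a one-day interval, a seven-day statement, checked after two days) rejects a statement that is still within its exp because its kid is gone from the JWKS; keeping enough old keys so the retired key stays published, or choosing an interval at least as long as the lifetime, removes that failure, and in the latter case the only possible rejection is an honest expiry.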