Set up license token validation keys
Use the 10Duke Scale UI console to set up the validation key pairs needed for the signing and verification of license tokens in license consumption.
At checkout and heartbeat, 10Duke Scale returns a JSON Web Token (JWT) license token to your client application, signed using the private key from the currently active key pair in 10Duke Scale. The application uses the corresponding public key to verify the signature of the license token.
To improve security, you can issue and use signing certificates. With signing certificates, an X.509 certificate is issued for each license token signing key. The response from the 10Duke Scale JSON Web Keys API endpoint contains the full certificate chain for each license token signing key when a certificate has been issued. Your application is responsible for matching the certificates it trusts against the ones returned with the license token signing keys.
When using the 10Duke Scale Local License Server product, your client application can use the certificate chain that the JWKS endpoint returns and validate that the chain leads to a trusted signing certificate.
You can create multiple key pairs for the purpose of periodically rolling the keys. Only one key pair can be active at a time. Currently all keys are valid indefinitely, so you roll keys manually by changing which key pair is the active one.
Your client application can retrieve the public keys through the 10Duke Scale License Management API. When returning a signed license token, 10Duke Scale also includes the ID of the key pair that was used, which the application uses to identify which public key it needs to use.
Manage validation keys in the UI console
To manage the validation keys for license tokens, go to SETTINGS > Token validation keys in the UI console.
The list shows which of the key pairs is currently active, and you can manage the key pairs as follows:
- To generate a new key pair, click Generate new key. The new key is added at the top of the list.
- To request a certificate for a key pair, click the three-dot menu for the key pair, and select Request certificate.
- To set a key pair as the active key pair, click the three-dot menu for the key pair, select Set as active, and click Yes to confirm the change.
- To delete a key pair, click the three-dot menu for the key pair, select Delete and click Yes to confirm the deletion. You cannot delete the active key pair.
- To see the public key of a key pair, click the arrow icon to expand the row. When a certificate has been requested for a key pair, you can also see the certificate.
- To download the public key of a key pair, click the arrow icon to expand the row, and click Download key.
- To download the certificate of a key pair, click the arrow icon to expand the row, and click Download certificate.
Manage validation keys through the API
Use the following License Management API operations to manage validation key pairs:
Operation | URL (relative, prepend the environment base URL) |
---|---|
Generate a validation key pair | POST /licensing-signing-keys/actions/generate |
Set a validation key pair as the active key pair | PUT /licensing-signing-keys/{id}/actions/activate |
Delete a validation key pair | DELETE /licensing-signing-keys/{id} |
Use the following License Management API operations to retrieve the public keys and information on the key pairs:
Operation | URL (relative, prepend the environment base URL) |
---|---|
Retrieve information on validation key pairs | GET /licensing-signing-keys |
Retrieve information on a validation key pair based on key pair ID | GET /licensing-signing-keys/actions/find-by-keyid/{keyId} |
Retrieve the public keys in JSON Web Key Set (JWKS) format | GET /licensing-signing-keys/.well-known/jwks.json |
See more about the JWKS format in RFC 7517.
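Selecting the verification key on the client, as an added example that is not 10Duke's own code: it reads the key ID from the token, looks it up in the JWKS document, and refetches when the ID is unknown because the active key pair may have been rolled. Assumptions: the key ID travels in the standard JWT `kid` header and matches the `kid` of a JWKS entry, `RS256` is a placeholder for the algorithm your tokens use, and `fetch_jwks` is a hypothetical callable that GETs `/licensing-signing-keys/.well-known/jwks.json` and returns the parsed JSON.

```python
import base64
import json
import time

class UnknownSigningKey(Exception):
    """The token names a key ID that the JWKS does not contain."""

def jose_header(token):
    """Decode the JOSE header of a compact JWT; nothing is verified yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    raw = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
    return json.loads(raw)

class KeyResolver:
    """Maps a token's key ID to a public JWK; refetches the JWKS after a key roll."""
    def __init__(self, fetch_jwks, allowed_algs=("RS256",), min_refresh_s=60):
        self.fetch_jwks = fetch_jwks      # hypothetical callable returning the parsed JWKS
        self.allowed_algs = allowed_algs  # assumption: set to the alg your tokens use
        self.min_refresh_s = min_refresh_s
        self.keys, self.last_fetch = {}, None

    def _refresh(self):
        now = time.monotonic()
        # Throttle: tokens with made-up key IDs must not cause a fetch each time.
        if self.last_fetch is not None and now - self.last_fetch < self.min_refresh_s:
            return
        self.last_fetch = now
        jwks = self.fetch_jwks()
        self.keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}

    def key_for(self, token):
        header = jose_header(token)
        alg, kid = header.get("alg"), header.get("kid")
        if alg not in self.allowed_algs:
            raise ValueError(f"unexpected alg {alg!r}")
        if not isinstance(kid, str):
            raise UnknownSigningKey("token carries no key ID")
        if kid not in self.keys:
            self._refresh()  # unknown ID: the active key pair may have been rolled
        if kid not in self.keys:
            raise UnknownSigningKey(kid)
        return self.keys[kid]  # pass this key and the pinned alg to your JWT library

def sample_token(kid, alg="RS256"):
    """Constructed token with a dummy signature, only for exercising key selection."""
    head = base64.urlsafe_b64encode(json.dumps({"alg": alg, "kid": kid}).encode())
    return head.rstrip(b"=").decode() + ".e30.c2ln"
```

The resolver only selects the key; the signature check itself is done by your JWT library with the returned JWK and the same pinned algorithm.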
Next steps
Verify the signature of license tokens in your client application using the validation keys.