Login.gov's public key, used to verify signed JWTs (such as the id_token), is available in JWK format at the

This public key is rotated periodically (at least annually). Assume that the /api/openid_connect/certs endpoint can contain multiple JWKs while signing keys are being rotated. Fetch the JWK endpoint dynamically through auto-discovery rather than hardcoding the public key, so that your application needs no manual intervention when the Login.gov public key is rotated.
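As an added example (not Login.gov's own code or SDK), the Go program below is a relying-party key set that follows the guidance above: it resolves keys through the OIDC discovery document (`/.well-known/openid-configuration`, then `jwks_uri`) instead of a hardcoded key, keeps every key the certs endpoint publishes, selects one by `kid`, refreshes once when a token arrives under an unknown `kid`, and verifies RS256 with the algorithm pinned. Everything on the issuer side is constructed so the example runs offline: the key pairs, `signRS256`, `fakeIssuer`, and the host `https://idp.example` are assumptions; in production `Fetch` wraps an HTTP GET against Login.gov.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// KeySet caches the issuer's signing keys by kid, loaded via OIDC discovery rather than a
// hardcoded key. Fetch GETs a URL and decodes its JSON into v (http.Get in production).
type KeySet struct {
	Issuer string
	Fetch  func(url string, v interface{}) error
	keys   map[string]*rsa.PublicKey
}

// refresh follows openid-configuration to jwks_uri and reloads every RSA key listed there;
// during a rotation the certs endpoint carries the old and the new key side by side.
func (k *KeySet) refresh() error {
	var cfg struct{ JWKSURI string `json:"jwks_uri"` }
	var set struct{ Keys []map[string]string `json:"keys"` }
	if err := k.Fetch(k.Issuer+"/.well-known/openid-configuration", &cfg); err != nil {
		return err
	}
	if err := k.Fetch(cfg.JWKSURI, &set); err != nil {
		return err
	}
	k.keys = map[string]*rsa.PublicKey{}
	for _, j := range set.Keys {
		n, errN := b64.DecodeString(j["n"])
		e, errE := b64.DecodeString(j["e"])
		if j["kty"] == "RSA" && errN == nil && errE == nil {
			k.keys[j["kid"]] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// VerifyRS256 checks a compact JWT against the key set and returns its raw payload. alg is
// pinned to RS256, kid only selects the key, and an unknown kid triggers one refresh so a
// rotated key is picked up without manual intervention.
func (k *KeySet) VerifyRS256(token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg " + hdr.Alg)
	}
	pub, ok := k.keys[hdr.Kid]
	if !ok {
		if err := k.refresh(); err != nil {
			return nil, err
		}
		if pub, ok = k.keys[hdr.Kid]; !ok {
			return nil, errors.New("no signing key for kid " + hdr.Kid)
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	return b64.DecodeString(parts[1])
}

// signRS256 is the issuer side, constructed for this demo: it mints a compact JWT under kid.
func signRS256(priv *rsa.PrivateKey, kid, payload string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString([]byte(payload))
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// fakeIssuer returns a Fetch that serves, from memory, a discovery document and a certs
// endpoint publishing the given keys as a standard JWK Set (constructed stand-in for HTTP).
func fakeIssuer(issuer string, keys map[string]*rsa.PrivateKey) func(string, interface{}) error {
	var set struct{ Keys []map[string]string `json:"keys"` }
	for kid, p := range keys {
		set.Keys = append(set.Keys, map[string]string{"kty": "RSA", "kid": kid, "n": b64.EncodeToString(p.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(p.E)).Bytes())})
	}
	certs, _ := json.Marshal(set)
	cfg, _ := json.Marshal(map[string]string{"jwks_uri": issuer + "/api/openid_connect/certs"})
	docs := map[string][]byte{issuer + "/.well-known/openid-configuration": cfg, issuer + "/api/openid_connect/certs": certs}
	return func(url string, v interface{}) error {
		doc, ok := docs[url]
		if !ok {
			return errors.New("not found: " + url)
		}
		return json.Unmarshal(doc, v)
	}
}

// Rotate walks a relying party through a rotation: a token under kid "old" verifies; the
// issuer then publishes "new" beside "old" and signs with it; a token signed with the old
// key but labelled kid "new" is rejected, because kid selects a key and never bypasses the check.
func Rotate() (oldOK, newOK, mislabelledRejected bool) {
	old, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	const issuer = "https://idp.example" // constructed issuer, not a real host
	ks := &KeySet{Issuer: issuer, Fetch: fakeIssuer(issuer, map[string]*rsa.PrivateKey{"old": old})}
	_, err := ks.VerifyRS256(signRS256(old, "old", `{"sub":"u1"}`))
	oldOK = err == nil
	ks.Fetch = fakeIssuer(issuer, map[string]*rsa.PrivateKey{"old": old, "new": newKey})
	_, err = ks.VerifyRS256(signRS256(newKey, "new", `{"sub":"u1"}`))
	newOK = err == nil
	_, err = ks.VerifyRS256(signRS256(old, "new", `{"sub":"u1"}`))
	mislabelledRejected = err != nil
	return
}

func main() {
	fmt.Println(Rotate())
}
```

Production caveats: the cache is not goroutine-safe as written (guard it with a mutex or a singleflight group); refresh-on-miss should be rate limited so that tokens carrying bogus kids cannot drive a flood of requests at the certs endpoint; a periodic refresh or TTL lets a retired key drop out of the cache; and after the signature check the relying party still has to validate iss, aud, exp and nonce before trusting the id_token.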
openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt