Skip to main content

Key Management

GOV.UK Wallet needs to verify the validity of the credentials your service issues.

When issuing credentials in W3C Verifiable Credential Data Model 2.0 format and signing with your private keys, your credentials need to be verified by the public keys you made available in the did:web document.

Your public keys need to stay available through the lifecycle of your credentials. A public key used to sign a group of verifiable credentials (VCs) can not be made inactive until after the VCs have expired. Public keys should be kept in an inactive state, available to be verified.

For their credential issuer service, credential issuers should include specific key management features.

The service needs a key refresh process that creates a new asymmetric public or private key pair for signing new VCs, but that retains trust in the previous versions of the public key for verifying.

This is done by making sure the public part of the historical key is retained, while the private key is destroyed. For example, a VC issued by an internal and external issuer.

The service also needs key revocation. This needs to include a notice made from the credential issuer explaining that a specific key should be removed from operational use before the key expires. This will generally happen when the key is lost or compromised. If a key is compromised, it can be used by an attacker to decrypt or forge messages, impersonate an identity, or access sensitive information.

The table below describes the possible states of a key pair used for signing credentials:

Key State Description
Created A key pair is generated with an activation date in the future. It is not yet used for signing.
Active A key becomes active on the activation date, and enabled for signing and verifying the VC. There must not be multiple keys active at the same time.
Inactive A key becomes inactive past its expiration date or time. The public key will still be valid for verifying the VC.
Revoked A key is destroyed and removed from the issuer’s server, and is not valid for signing or verifying the signatures.
This page was last reviewed on 5 March 2025. It needs to be reviewed again on 5 September 2025 .