GSA-TTS · monfresh · May 14, 2026 · May 8, 2026 · May 8, 2026 · May 8, 2026
diff --git a/_includes/snippets/oidc/certificates.md b/_includes/snippets/oidc/certificates.md
diff --git a/_pages/oidc/certificates.md b/_pages/oidc/certificates.md
@@ -24,18 +24,14 @@ sidenav:
 Login.gov's public key, used to verify signed JWTs (such as the `id_token`), is available in [JWK](https://tools.ietf.org/html/rfc7517){:class="usa-link--external"} format at the `/api/openid_connect/certs` endpoint.
 
 This public key is rotated periodically (on at least an annual basis). It is important to assume the `/api/openid_connect/certs` endpoint could contain multiple JWKs when rotating application signing keys. Be sure to use the JWK endpoint dynamically through [auto-discovery](/oidc/getting-started/#auto-discovery) rather than hardcoding the public key. This ensures that your application will not require manual intervention when the Login.gov public key is rotated.
+
+For your own public/private keypair used to sign your JWT, please refer to the  [Creating a public certificate](/testing/#creating-a-public-certificate) section of our Testing documentation.
 {% endcapture %}
 
 <div class="grid-row grid-gap">
   <div class="desktop:grid-col-8 mobile:grid-col-full">
     {{ content | markdownify }}
      <a href="{{ '/oidc/logout/' | prepend: site.baseurl }}" class="usa-link margin-top-4 mobile:display-none desktop:display-block">Next step: Logout</a>
   </div>
-    <div class="usa-layout-docs__main code-snippet-column desktop:grid-col-4">
-      <section id="pkce" class="code-snippet-section">
-        <span class="code-button code-button__selected margin-left-2">OpenSSL Command</span>
-          {% include snippets/oidc/certificates.md %}
-      </section>
-    </div>
-      <a href="{{ '/oidc/logout/' | prepend: site.baseurl }}" class="usa-link mobile:display-block desktop:display-none margin-top-2">Next step: Logout</a>
+    <a href="{{ '/oidc/logout/' | prepend: site.baseurl }}" class="usa-link mobile:display-block desktop:display-none margin-top-2">Next step: Logout</a>
 </div>
diff --git a/_pages/oidc/getting-started.md b/_pages/oidc/getting-started.md
@@ -60,7 +60,7 @@ You are able to test authentication methods in real time with a testing account
 
 If you chose to integrate your app using the OIDC private_key_jwt protocol, you will need to create a private key that will be used to sign your request to our token endpoint, and a corresponding public certificate that you will upload to your app in the Partner Portal. Login.gov will use your public certificate to verify the signature in your request.
 
-More details on how to create this public/private keypair are available in the [Creating a public certificate](https://developers.login.gov/testing/#creating-a-public-certificate) section of our Testing documentation.
+More details on how to create this public/private keypair are available in the [Creating a public certificate](/testing/#creating-a-public-certificate) section of our Testing documentation.
 
 
 ### Auto-discovery

diff --git a/_pages/production.md b/_pages/production.md
@@ -51,6 +51,11 @@ Make sure you have the following items ready before you start the deployment pro
 
 -   You must include an agency logo for your application. [Learn more about our logo guidelines.](/user-experience/agency-logo/)
 
+- A public certificate that adheres to these standard best practices:
+  - Expiration date of 1 to 3 years depending on use and risk factors (see [NIST 800-57 Part 1 Rev. 5](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf)). We recommend 1 year or less to be on the safe side.
+  - Positive serial number at least 16 characters in length
+  - Signed by a trusted Certificate Authority
+
 Depending on your agency’s integration additional items may be needed:
 
 - **If this is a SAML integration (not OpenID Connect), then please ensure that:**

diff --git a/_pages/testing.md b/_pages/testing.md
@@ -73,7 +73,7 @@ Login.gov does not manage user accounts. If you have lost access to a team:
 
 ### Creating a public certificate
 
-You can use the following OpenSSL command to generate a self-signed 2048-bit PEM-encoded public certificate for your testing/sandbox application (with a 1-year validity period). Self-signed certificates should be for testing/sandbox purposes only. We recommend using Certificate Authority (CA) issued certificates for your production integration.
+You can use the following OpenSSL command to generate a self-signed 2048-bit PEM-encoded public certificate for your testing/sandbox application (with a 1-year validity period). Self-signed certificates should be for testing/sandbox purposes only. **For security reasons, we highly recommend using Certificate Authority (CA) issued certificates for your production integration.**
 
 ```
 openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt