diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
index 6ce56e8ac..b9cdaff66 100644
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
@@ -164,10 +164,13 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
if (jwk instanceof RSAKey) {
// build RSA signers & verifiers
- RSASSASigner signer = new RSASSASigner(((RSAKey) jwk).toRSAPrivateKey());
- RSASSAVerifier verifier = new RSASSAVerifier(((RSAKey) jwk).toRSAPublicKey());
- signers.put(id, signer);
+ if (jwk.isPrivate()) { // only add the signer if there's a private key
+ RSASSASigner signer = new RSASSASigner(((RSAKey) jwk).toRSAPrivateKey());
+ signers.put(id, signer);
+ }
+
+ RSASSAVerifier verifier = new RSASSAVerifier(((RSAKey) jwk).toRSAPublicKey());
verifiers.put(id, verifier);
} else if (jwk instanceof ECKey) {
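Review bot: The `isPrivate()` guard is applied to the RSA branch here and to the HMAC branch in the next hunk, but the ECKey branch that falls in the unchanged gap between the two hunks (old lines 174–177) is not touched; if it still constructs its signer from the private key unconditionally, a public-only EC key in the key store will fail the same way a public-only RSA key did before this change, so the same `if (jwk.isPrivate()) { ... }` wrapping belongs there too. A second consequence of the new behaviour is that a key id can now be present in `verifiers` but absent from `signers`; presumably the service's default signer key id is looked up in `signers` elsewhere in the class, so that lookup needs a null check or a startup validation that the configured signing key actually carries private material. The enclosing loop and method start and end outside the hunk.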
@@ -178,11 +181,15 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
} else if (jwk instanceof OctetSequenceKey) {
// build HMAC signers & verifiers
- MACSigner signer = new MACSigner(((OctetSequenceKey) jwk).toByteArray());
- MACVerifier verifier = new MACVerifier(((OctetSequenceKey) jwk).toByteArray());
-
- signers.put(id, signer);
+
+ if (jwk.isPrivate()) { // technically redundant check because all HMAC keys are private
+ MACSigner signer = new MACSigner(((OctetSequenceKey) jwk).toByteArray());
+ signers.put(id, signer);
+ }
+
+ MACVerifier verifier = new MACVerifier(((OctetSequenceKey) jwk).toByteArray());
verifiers.put(id, verifier);
+
} else {
logger.warn("Unknown key type: " + jwk);
}
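Review bot: The new guard at `if (jwk.isPrivate()) { // technically redundant check ...` describes itself as redundant, which invites a later reader to delete it; if it is kept for symmetry with the RSA branch, the comment should say so, e.g. `// always true for OctetSequenceKey; kept so every branch registers a signer only when private material is present`. The secret is also decoded twice via `toByteArray()`; a single local `byte[] secret = ((OctetSequenceKey) jwk).toByteArray();` shared by the signer and verifier avoids the duplicate decode and the second copy of key material on the heap. The `logger.warn("Unknown key type: " + jwk)` fallback on the context line is not new, but it stringifies the whole JWK, which depending on the JWK implementation may include private parameters; logging only the key id and key type would be safer. The enclosing loop and method start and end outside the hunk.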
diff --git a/openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml b/openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml
index 648c18a95..1e96a372f 100644
--- a/openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml
@@ -3,12 +3,12 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
-
-
-
-
-
+
+
+
+
+