# Configuration

This section serves as a reminder that for SenseCrypt Face PKI features to work, you must configure the `issuers_private_key` in your `secrets.json` file while running the server (please see the [Starting the server](https://docs.sensecrypt.com/sensecrypt-v3.1.3/sensecrypt-server/starting-the-server) section).

If you do not set this, most SenseCrypt Face PKI end-points will return the following error with a 403 status code:

```json
{
  "code": "ERR_ISSUER_PRIVATE_KEY_NOT_SET",
  "message": "The issuer's private key is not set. Please set the issuer's private key before attempting this operation."
}
```

Assuming you have setup your private key, in the next section we will understand how a third-party can access your Root CA Certificate for Face Certificate verification.

If you want to independently generate a key-pair (without using the installation script), it is described [here](https://docs.sensecrypt.com/sensecrypt-v3.1.3/sensecrypt-server/generate-your-first-face-certificate#generating-secp256k1-key-pairs-for-eid-attribute-encryption-optional).