Does anyone think it would be a good idea to store the private key encrypted?  This would require a separate secret, presumably stored in a configuration file, or using the PicketLink Vault Tool, to decrypt the private key for use. Anyone who can get the private key can start issuing access tokens to whatever resources they want.