diff --git a/src/test/test_config_token.py b/src/test/test_config_token.py index 15c2adc..86e01dd 100644 --- a/src/test/test_config_token.py +++ b/src/test/test_config_token.py @@ -1,3 +1,4 @@ +import base64 import json from calendar import timegm from datetime import datetime, UTC, timedelta @@ -19,9 +20,10 @@ Any variables prefixed with `MY_` or `my_` are variables which are set by fastap ### FILES -FILE_REQUEST_ROUTING_SI = f'../../doc/database/3-after-upload-license/request_routing.service_instance.json' -FILE_CONFIG_TOKEN = f'../../doc/files/config-token.json' -FILE_SI_ARTIFACT = f'../../doc/database/3-after-upload-license/si_d8c07e4af6a449d0b2dc3faf0e1bf2bd.service_instance_artifact.json' +FILE_REQUEST_ROUTING_SI = '../../doc/database/3-after-upload-license/request_routing.service_instance.json' +FILE_CONFIG_TOKEN = '../../doc/files/config-token.json' +FILE_SI_ARTIFACT = '../../doc/database/3-after-upload-license/si_d8c07e4af6a449d0b2dc3faf0e1bf2bd.service_instance_artifact.json' +FILE_SI_CONFIG = '../../doc/database/3-after-upload-license/si_d8c07e4af6a449d0b2dc3faf0e1bf2bd.configuration.json' ### DEFAULTS @@ -32,8 +34,8 @@ with open(FILE_CONFIG_TOKEN, 'r') as f: NV_CONFIG_TOKEN_RESPONSE = json.loads(f.read()) with open(FILE_SI_ARTIFACT, 'r') as f: - rows = json.loads(f.read()) - si_identity_rows = list(filter(lambda _: _.get('namespace') == 'service_instance.client.all', rows)) + si_artifact_rows = json.loads(f.read()) + si_identity_rows = list(filter(lambda _: _.get('namespace') == 'service_instance.client.all', si_artifact_rows)) si_identity_private_key = next(filter(lambda _: _.get('name') == 'private_key', si_identity_rows)) si_identity_public_key = next(filter(lambda _: _.get('name') == 'public_key', si_identity_rows)) NV_SI_KEY_RSA = si_identity_private_key.get('value') 
@@ -177,15 +179,34 @@ def test_our_config_token(): }, } - # todo: maybe DLS_SI_CERTIFICATE['private_key'] todo: try different files - # our_correct_sign_key = load_key('our_correct_private_key.pem').export_key().decode('utf-8') + # todo: maybe DLS_SI_CERTIFICATE['private_key'], but how to decrypt?! + # our_correct_sign_key = load_key('where_is_our_correct_private_key.pem').export_key().decode('utf-8') # our_correct_sign_key = jwk.construct(our_correct_sign_key, algorithm=ALGORITHMS.RS256) - nv_sign_key = jwk.construct(nv_si_private_key_pem.decode('utf-8'), algorithm=ALGORITHMS.RS256) - # our_correct_config_token = jws.sign(payload, key=our_correct_sign_key, headers=None, algorithm=ALGORITHMS.RS256) - # until we have not found the correct private key, + # fails: + # - Table: "service_instance_artifact" => "service_instance.client.all" => "private_key" + # - Table: "service_instance_artifact" => "service_instance.identity" => "private_key" + # - Table: "public_private_key_pair" => "private_key" + # this will fail, until we have not found the correct private key # "jwt_encode_key" has invalid signature (can't be verified with DLS_SI_CERTIFICATE['certificate']) - my_config_token = jws.sign(my_payload, key=nv_sign_key, headers=None, algorithm=ALGORITHMS.RS256) + with open(FILE_SI_CONFIG, 'r') as f: + rows = json.loads(f.read()) + dls_si_certificate = next(filter(lambda _: _.get('property_name') == 'DLS_SI_CERTIFICATE', rows)) + dls_si_certificate = dls_si_certificate.get('property_value') + dls_si_certificate_private_key = dls_si_certificate.get('private_key') + dls_si_certificate_private_key = base64.b64decode(dls_si_certificate_private_key) + # Mengsk @ discord: + # I think it's AES-GCM encrypted, from the cert I saw key length is 2048b, + # which should be 1732 bytes in pem format. 
+ # private_key is 1744 bytes looks like pem + 12 bytes gcm + assert 1744 == len(dls_si_certificate_private_key) + # So that this does not work currently, we'll use code below to have a "working" test example. + # In the future, this lines will replace the "placeholder" below + # my_sign_key = jwk.construct(dls_si_certificate_private_key.decode('utf-8'), algorithm=ALGORITHMS.RS256) + # my_config_token = jws.sign(my_payload, key=my_sign_key, headers=None, algorithm=ALGORITHMS.RS256) + placeholder_sign_key = jwk.construct(nv_si_private_key_pem, algorithm=ALGORITHMS.RS256) + + my_config_token = jws.sign(my_payload, key=placeholder_sign_key, headers=None, algorithm=ALGORITHMS.RS256) my_response = { "certificateConfiguration": {
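Review bot: Signing with `placeholder_sign_key` (built from `nv_si_private_key_pem`) makes the test pass without exercising what the surrounding comments say is still broken, so `my_config_token` is a green result for a token that, by the comment's own admission, cannot be verified with `DLS_SI_CERTIFICATE['certificate']`. I would either verify the token against that certificate and let the test fail honestly, or mark it expected-to-fail (e.g. `@pytest.mark.xfail(reason="DLS_SI_CERTIFICATE private_key is still encrypted; signing with the NVIDIA SI key as a placeholder")` if pytest is in use) so the placeholder is not mistaken for a working signer. The AES-GCM guess in the comment also does not add up as written: GCM output carries a 16-byte tag by default in addition to a 12-byte nonce, so 1744 − 1732 = 12 leaves no room for both, and I would soften it to `# unverified guess: 12 bytes longer than the 1732-byte PEM we expect; plain AES-GCM would also need a 16-byte tag`. The `assert 1744 == len(dls_si_certificate_private_key)` pins a fixture detail rather than behaviour, which is fine as a sanity check but deserves a message such as `, "fixture configuration.json changed?"` so a fixture refresh is not misread as a decryption breakthrough. `test_our_config_token` starts and ends outside the hunk.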