diff --git a/dendrite-config.yaml b/dendrite-config.yaml
index 8c7376923..c27cbf81c 100644
--- a/dendrite-config.yaml
+++ b/dendrite-config.yaml
@@ -38,6 +38,14 @@ global:
   # The path to the signing private key file, used to sign requests and events.
   private_key: matrix_key.pem
 
+  # The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
+  # to old signing private keys that were formerly in use on this domain. These
+  # keys will not be used for federation request or event signing, but will be
+  # provided to any other homeserver that asks when trying to verify old events.
+  old_private_keys:
+  - private_key: old_matrix_key.pem
+    expired_at: 1601024554498
+
   # How long a remote server can cache our server signing key before requesting it
   # again. Increasing this number will reduce the number of requests made by other
   # servers for our key but increases the period that a compromised key will be