---
title: Configuring certificate authentication
description: You can configure certificate authentication between your application and PingFederate.
component: agentless
page_id: agentless:custom_application_setup:pf_agentless_ik_configuring_certificate_authentication
canonical_url: https://docs.pingidentity.com/integrations/agentless/custom_application_setup/pf_agentless_ik_configuring_certificate_authentication.html
revdate: June 7, 2024
section_ids:
  steps: Steps
---

# Configuring certificate authentication

You can configure certificate authentication between your application and PingFederate.

## Steps

1. Check that the client certificate issuer is a trusted root certificate authority (CA) in PingFederate. If not, add the intermediate and root CA certificates.

   Learn more in [Manage trusted certificate authorities](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_certmanagementtasklet_trustedcas_certmanagementstate.html) in the PingFederate documentation.

2. In PingFederate, export your signing certificate.

   1. On the PingFederate admin console, go to **Security > Signing & Decryption Keys & Certificates**.

   2. For the certificate that you want to use, in the **Action** column, click **Export**.

   3. On the **Export Certificate** screen, click **Next**.

   4. On the **Export & Summary** screen, click **Export**.

   5. Open the `*.crt` file in a text editor.

3. Import your PingFederate signing certificate into your application.

   You can use OpenSSL to convert the PKCS12 certificate and key to PEM format. Use one of the following commands.

   PEM certificate only:

   ```shell
   openssl pkcs12 -in <certname>.p12 -passin pass:<password> -nokeys -out <certname>.cert.pem
   ```

   PEM key only:

   ```shell
   openssl pkcs12 -in <certname>.p12 -passin pass:<password> -nocerts -out <certname>.key.pem
   ```

   PEM certificate and key:

   ```shell
   openssl pkcs12 -in <certname>.p12 -passin pass:<password> -out <certname>.certandkey.pem
   ```

4. If you have already configured a Reference ID Adapter instance, update it by setting the **Allowed Subject DN** field, the **Allowed Issuer DN** field, or both to match the client certificate.

5. Configure a second port for PingFederate to receive back-channel calls.

   1. Stop PingFederate.

   2. Open the `<pf_install>/pingfederate/bin/run.properties` file for editing.

   3. Change the value of the `pf.secondary.https.port` property to a valid port number, such as 9032.

      You can find information about this property in [Configuring PingFederate properties](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_config_pf_propert.html) in the PingFederate documentation.

   4. Save the file.

   5. Start PingFederate.

6. Configure your application to send requests to the Reference ID Adapter endpoints using the back-channel port:

   ```none
   POST https://pf.example.com:9032/ext/ref/dropoff HTTP/1.1
   Content-Length: 20
   Content-Type: application/json
   ping.instanceId: sample_adapter

   {
     "subject":"jsmith"
   }
   ```

7. Configure your application to send the client certificate with the request.

   Learn more about exporting your PingFederate certificate in [Manage SSL server certificates](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_certmanagementtasklet_sslservercerts_certmanagementstate.html) in the PingFederate documentation.

   The following code uses PHP to send the client certificate:

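   ```php
   <?php
   // Values taken from the sample request in step 6; replace them with your own.
   $dropoff_loc = 'https://pf.example.com:9032/ext/ref/dropoff';
   $adapter_instance_id = 'sample_adapter';

   // Client certificate and private key in PEM format (see step 3)
   $client_cert = dirname(__FILE__).'/sample_cert.cert.pem';
   $client_key = dirname(__FILE__).'/sample_cert.key.pem';
   $client_key_password = 'sample_key_password';
   $http_headers = ['Content-Type: application/json'];
   $http_headers[] = 'ping.instanceId: '.$adapter_instance_id;

   // PHP can use curl to make the HTTP calls to the dropoff endpoint
   $crl = curl_init();

   // Dropoff URL
   curl_setopt($crl, CURLOPT_URL, $dropoff_loc);
   // Client certificate and key presented during the TLS handshake
   curl_setopt($crl, CURLOPT_SSLCERT, $client_cert);
   curl_setopt($crl, CURLOPT_SSLKEYTYPE, 'PEM');
   curl_setopt($crl, CURLOPT_SSLKEY, $client_key);
   curl_setopt($crl, CURLOPT_SSLKEYPASSWD, $client_key_password);
   // Headers and JSON body of the request shown in step 6
   curl_setopt($crl, CURLOPT_HTTPHEADER, $http_headers);
   curl_setopt($crl, CURLOPT_POST, true);
   curl_setopt($crl, CURLOPT_POSTFIELDS, json_encode(['subject' => 'jsmith']));
   curl_setopt($crl, CURLOPT_RETURNTRANSFER, true);
   $result = curl_exec($crl);
   if ($result === false) {
       error_log('Dropoff request failed: '.curl_error($crl));
   }
   ```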
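
The conversion in step 3 and the DN values needed in step 4 can be scripted and checked before the application uses the files. The following is an added example, not part of the PingFederate documentation; the certificate, file names, and passwords are constructed, and printing the DNs in RFC 2253 form is this example's choice rather than a format the page specifies.

```shell
#!/bin/sh
# Added example: convert a PKCS12 bundle to PEM, then check the result before
# handing it to the application. All names and passwords are constructed.
set -eu
umask 077   # key material is created readable by the owner only

# Build a throwaway self-signed client certificate and PKCS12 bundle in $1.
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example/CN=sample-client" \
    -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null
  openssl pkcs12 -export -in "$1/src.crt" -inkey "$1/src.key" \
    -passout env:P12_PASS -out "$1/sample_cert.p12"
}

# Same conversions as step 3, but passwords come from the environment
# (env:NAME) rather than pass:<password>, which is visible in the process list.
p12_to_pem() {   # $1 = bundle.p12, $2 = output prefix
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -out "$2.cert.pem"
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts \
    -passout env:KEY_PASS -out "$2.key.pem"
}

# Succeeds only if the private key belongs to the certificate.
cert_matches_key() {   # $1 = cert.pem, $2 = key.pem
  c=$(openssl x509 -in "$1" -noout -pubkey)
  k=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout)
  [ "$c" = "$k" ]
}

# Print one DN (subject or issuer) for comparison with the adapter's
# Allowed Subject DN / Allowed Issuer DN fields (step 4).
cert_dn() {   # $1 = subject|issuer, $2 = cert.pem
  openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed "s/^$1= *//"
}

run_demo() {
  export P12_PASS='constructed-p12-pass' KEY_PASS='constructed-key-pass'
  d=$(mktemp -d)
  make_sample_p12 "$d"
  p12_to_pem "$d/sample_cert.p12" "$d/sample_cert"
  cert_matches_key "$d/sample_cert.cert.pem" "$d/sample_cert.key.pem" \
    && echo "key matches certificate"
  echo "Subject DN: $(cert_dn subject "$d/sample_cert.cert.pem")"
  echo "Issuer DN:  $(cert_dn issuer "$d/sample_cert.cert.pem")"
  rm -rf "$d"
}
run_demo
```

The key written by `p12_to_pem` stays encrypted under `KEY_PASS`, which is the value the application supplies as the key password when it loads `sample_cert.key.pem`.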
