--- title: Assigning key pairs description: Assign a key pair to a virtual host or HTTPS listener. component: pingaccess version: 9.0 page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_assigning_key_pairs canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_assigning_key_pairs.html revdate: September 22, 2023 section_ids: about-this-task: About this task assigning-key-pairs-to-virtual-hosts: Assigning key pairs to virtual hosts about-this-task-2: About this task steps: Steps assigning-key-pairs-to-https-listeners: Assigning key pairs to HTTPS listeners about-this-task-3: About this task steps-2: Steps --- # Assigning key pairs Assign a key pair *(tooltip: \
\

The private key and public key represented by a certificate.\

\
)* to a virtual host or HTTPS listener. ## About this task PingAccess listens for HTTPS requests on the Admin, Engine, and Agent ports in all deployments, and on the Config query port in clustered deployments. See the [Clustering in PingAccess](../reference_guides/pa_clustering_ref_guide.html) reference guide for a comprehensive overview of the steps necessary to set up a clustered environment. A key pair must be assigned to each listener. By default, the listeners are configured for HTTPS and use pregenerated key pairs associated with `localhost`. **HTTPS Listener Descriptions** | HTTPS Listener | Description | | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Admin | Listens for requests for the administrative user interface and the PingAccess REST APIs. | | Engine | Listens for HTTP or HTTPS requests that are proxied to target web servers associated with [Sites](pa_sites_operations.html). For more information, see [Engine listeners](pa_engine_listeners.html). | | Agent | Listens for requests from PingAccess agents. | | Sideband | Listens for requests from sideband clients. | | Config query | Listens for requests for configuration information from replica administrative nodes and engine nodes in clustered deployments. | If you configure a trusted certificate group for a virtual host, or configure an engine key pair to associate it with a virtual host, those settings are used instead of any applicable HTTPS listeners or engine listeners for the virtual host. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Cipher suite ordering for HTTPS listeners:- PingAccess supports the use of a defined cipher suite order to ensure that the most secure cipher suites are used first, regardless of the client request. The cipher suite order is defined by the `tls.default.cipherSuites` property in the `/conf/run.properties` file. - By default, new installations of PingAccess and environments upgraded to PingAccess 5.1 or later use this cipher suite ordering. To direct PingAccess to use the order provided by the client instead, use the PingAccess API `/httpsListeners` endpoint to set the `useServerCipherSuiteOrder` property to `false`. | * To virtual hosts * To HTTPS listeners ## Assigning key pairs to virtual hosts ### About this task To assign a key pair to a virtual host: ### Steps 1. Click **Security**, then go to **Key Pairs > Key Pairs**. 2. Click the **Pencil** icon, and then click **Assign Virtual Host** for the key pair. 3. In the **Virtual Hosts** list, select the virtual hosts that you want to use the key pair with. | | | | - | ------------------------------------------------------------------------------------------------------------------------------- | | | When you assign a key pair to a virtual host, the key pair is also assigned to all other virtual hosts with the same host name. | 4. Click **Save**. ## Assigning key pairs to HTTPS listeners ### About this task To assign a new key pair for an active HTTPS listener: ### Steps 1. Click **Security**, then go to **Key Pairs > Key Pairs**. 2. Click the **Pencil** icon, and then click **Assign HTTPS Listener** for the key pair. 3. In the **Listeners** list, select the HTTPS listeners that you want to use the key pair with. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------- | | | New connections use any of the changes you make to an HTTPS listener's active key pair, but existing connections continue to use the old configuration. | 4. Click **Save**.