---
title: Creating trusted certificate groups
description: Create a new trusted certificate group.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_creating_trusted_certificate_groups
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_creating_trusted_certificate_groups.html
revdate: February 6, 2023
section_ids:
  steps: Steps
---

# Creating trusted certificate groups

Create a new trusted certificate group.

## Steps

1. Click **Security**, then go to **Certificates > Trusted Certificate Groups**.

2. Click **+ Add Trusted Certificate Group**.

3. Drag a certificate into the box that appears.

4. In the **Name** field, enter a name for the group.

5. To set the new group to include the Java Trust Store group, select the **Use Java Trust Store** check box.

   Select this option if you create your own intermediate certificate authority (CA) certificate (a CA is an entity that issues digital certificates) that is signed by a well-known CA in the Java Trust Store.

6. To allow PingAccess to ignore date-related errors for certificates that are not yet valid or have expired, select the **Skip certificate date check** check box.

7. To check the client certificate revocation status using certificate revocation list (CRL), select the **CRL checking** check box.

8. To check the client certificate revocation status using Online Certificate Status Protocol (OCSP), select the **OCSP** check box.

   **Note:** If both certificate revocation list (CRL) checking and Online Certificate Status Protocol (OCSP) checking are enabled, OCSP checking is used preferentially, and CRL checking is used if OCSP fails. A CRL is a list of revoked signing certificates, maintained by the issuing authority at a public URL; OCSP is the protocol used by CAs to check the revocation status of an X.509 certificate.

9. To deny access when any certificate in the certificate chain cannot be verified using its CRL endpoint, select the **Deny when unable to determine revocation status** check box.

10. To validate client certificate chains that are not in the standard order, such as a reversed certificate chain of `[root, intermediate, leaf]`, select the **Validate disordered certificate chains** check box.

11. To skip validation of any CA certificates configured in the trusted certificate group and their subsequent chain of issuers when trusted CA certificates are found in the client certificate chain, select the **Bypass trust anchor validation** check box.

12. Click **Add**.

13. **Optional:** Add additional certificates to the new trusted certificate group by dragging them into the group.

    **Note:** PingAccess has increased `WARN` logging during the certificate revocation check. You can adjust the log level using the AsyncLogger in `log4j2.xml` (search for "Certificate Revocation"). A commented-out `JAVA_SECURITY_OPTS` line is shipped as part of the `run.sh` and `run.bat` scripts. Uncommenting the `JAVA_SECURITY_OPTS` line enables extra Java security logging/debugging for the PKIX CertPathValidator and CertPathBuilder implementations. You can use the `ocsp` option with the `certpath` option for OCSP protocol tracing.
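The decisions behind steps 6 through 10 (the certificate date check, CRL checking, denying access when the revocation status cannot be determined, and validating a chain presented out of order) in working code. This is an added example written for this page in Go, using the standard library's `crypto/x509` package; it is not PingAccess code, which performs these checks through the Java PKIX CertPathValidator mentioned in the note above, and it covers CRL checking only, not OCSP. The certificate hierarchy, the serial numbers, and the function names (`issue`, `buildPKI`, `verifyClientCert`, `issueCRL`, `checkCRL`) are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey (self-signed when parent is nil); returns the parsed cert and its new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed: the template is its own parent
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI constructs a root -> intermediate -> client leaf hierarchy (constructed for this example, not a
// real PKI). The leaf gets the given validity window; the intermediate's key is returned so it can sign a CRL.
func buildPKI(leafNotBefore, leafNotAfter time.Time) (root, inter, leaf *x509.Certificate, interKey *ecdsa.PrivateKey, err error) {
	now := time.Now()
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-240 * time.Hour), NotAfter: now.Add(240 * time.Hour), IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	}
	root, rootKey, err := issue(ca("Constructed Root CA", 1), nil, nil)
	if err != nil {
		return
	}
	if inter, interKey, err = issue(ca("Constructed Intermediate CA", 2), root, rootKey); err != nil {
		return
	}
	leaf, _, err = issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "client-device-01"},
		NotBefore: leafNotBefore, NotAfter: leafNotAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, inter, interKey)
	return
}

// verifyClientCert validates leaf against the group's trust anchors at time now. The CA certificates the client
// sent may arrive in any order, e.g. [root, intermediate]: path building looks issuers up by name, not by position.
func verifyClientCert(leaf *x509.Certificate, sentCAs []*x509.Certificate, roots *x509.CertPool, now time.Time) ([]*x509.Certificate, error) {
	inters := x509.NewCertPool()
	for _, c := range sentCAs {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return nil, err
	}
	return chains[0], nil // leaf -> intermediate -> root
}

// issueCRL has the intermediate publish a CRL, valid for one hour, that revokes the given serials.
func issueCRL(inter *x509.Certificate, interKey *ecdsa.PrivateKey, now time.Time, serials ...*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, inter, interKey)
}

// checkCRL decides a certificate's status from its issuer's CRL. A nil crlDER models a CRL endpoint that
// could not be fetched; hardFail is the "Deny when unable to determine revocation status" option.
func checkCRL(cert, issuer *x509.Certificate, crlDER []byte, now time.Time, hardFail bool) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err == nil && now.After(crl.NextUpdate) {
		err = fmt.Errorf("CRL expired at %s", crl.NextUpdate.UTC())
	}
	if err != nil { // unreachable, unparsable, forged or stale CRL: the status is unknown
		if hardFail {
			return fmt.Errorf("revocation status undetermined: %w", err)
		}
		return nil // soft fail: accepted without a revocation status
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", cert.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}
```

Calling `checkCRL` with `hardFail` set to false is the behaviour you get with **Deny when unable to determine revocation status** cleared: an unreachable, forged or stale CRL lets the client certificate through with no revocation status at all, which is why the option matters in a client-certificate deployment. Passing an earlier `now` to `verifyClientCert` approximates **Skip certificate date check**: an expired certificate is then accepted as if it were still within its validity window.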
