---
title: Managing key pair certificates
description: Add, download, or remove a certificate from a key pair, or manage key pairs using the automatic certificate management environment (ACME) protocol.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_managing_key_pair_certificates
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_managing_key_pair_certificates.html
revdate: September 22, 2023
section_ids:
  about-this-task: About this task
  adding-certificates-to-key-pairs: Adding certificates to key pairs
  about-this-task-2: About this task
  steps: Steps
  removing-certificates-from-key-pairs: Removing certificates from key pairs
  about-this-task-3: About this task
  steps-2: Steps
  managing-certificates-for-key-pairs-with-acme: Managing certificates for key pairs with ACME
  about-this-task-4: About this task
  steps-3: Steps
  result: Result:
  downloading-certificates: Downloading certificates
  about-this-task-5: About this task
  steps-4: Steps
  result-2: Result:
---

# Managing key pair certificates

Add, download, or remove a certificate from a key pair (the private key and public key represented by a certificate), or manage key pairs using the automatic certificate management environment (ACME) protocol.

## About this task

* [Add a certificate](pa_adding_certificates_to_key_pairs.html) to an existing key pair by starting with a leaf certificate and then adding the intermediate and root certificates as required.

* [Remove a certificate](pa_removing_certificates_from_key_pairs.html) from a configured key pair.

* [Manage key pairs using the ACME protocol](pa_managing_certificates_for_key_pairs_with_acme.html), which automatically obtains and renews certificates indirectly signed by a well-known trust anchor.

* [Download a certificate](pa_downloading_certificates.html) when you need to configure a peer to trust a certificate used by PingAccess.

## Adding certificates to key pairs

### About this task

To modify the certificates included in a chain, remove the certificates from the key pair and add them again. Alternatively, delete the certificate and recreate it by importing a new certificate file and adding certificates to the key pair.

To add a certificate to an existing key pair:

### Steps

1. Click **Security**, then go to **Key Pairs > Key Pairs**.

2. Click to expand an existing key pair.

3. In the **Key Pair Chain Certificate** list, select **Add Certificate**.

4. To browse for and select the certificate file, click **Choose File**.

5. Click **Add**.

## Removing certificates from key pairs

### About this task

Certificates can only be removed in reverse order. This procedure removes the last certificate in the chain.

### Steps

1. Click **Security**, then go to **Key Pairs > Key Pairs**.

2. Click to expand an existing key pair.

3. To remove the last certificate in the chain, click the **Delete** icon.

4. To confirm your changes, click **Delete**.

## Managing certificates for key pairs with ACME

### About this task

The ACME protocol is an Internet Engineering Task Force (IETF) proposed standard protocol that automates the signing of TLS certificates by a certificate authority (CA), an entity that issues digital certificates.

By default, the ACME certificate management option in PingAccess uses the staging [Let's Encrypt](https://letsencrypt.org/) ACME CA.

The Let's Encrypt staging server, which PingAccess uses by default, has more lenient rate limits to support testing, but it doesn't generate functional certificates. For more information about rate limits, see the [Let's Encrypt documentation](https://letsencrypt.org/docs/rate-limits/).

After testing your environment, you must switch to a production server using the PingAccess administrative application programming interface (API):

1. Use a `GET` call to `/pa-admin-api/v3/acme/servers` to retrieve the ID of a production server.

2. Use a `PUT` call to `/pa-admin-api/v3/acme/servers/default` to set the production Let's Encrypt server as the default.

To add more ACME servers, use a `POST` call to `/pa-admin-api/v3/acme/servers`. For more information about the administrative API endpoints, see [Administrative API endpoints](../reference_guides/pa_admin_api_endpoints.html).
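
An added example (not from the PingAccess documentation) of the staging-to-production switch described above: it selects the production server from a server listing and prepares the `PUT` without sending it. The response fields (`items`, `id`, `url`), the `{"id": ...}` request body, the sample IDs and the admin host name are assumptions; authentication is left out.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Let's Encrypt production directory host. The staging host
# (acme-staging-v02.api.letsencrypt.org) issues certificates clients do not trust.
LE_PRODUCTION_HOST = "acme-v02.api.letsencrypt.org"
API_BASE = "/pa-admin-api/v3/acme/servers"

# Constructed sample of a GET /acme/servers response (field names are assumed).
SAMPLE_LISTING = {"items": [
    {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "name": "Staging (sample)",
     "url": "https://acme-staging-v02.api.letsencrypt.org/directory"},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000002", "name": "Production (sample)",
     "url": "https://acme-v02.api.letsencrypt.org/directory"},
]}


def pick_production_server(listing):
    """Return the ID of the single server whose directory URL is LE production."""
    matches = []
    for server in listing.get("items", []):
        parts = urlsplit(server.get("url", ""))
        # Compare scheme and exact host; a substring test would also accept
        # look-alike hosts such as acme-v02.api.letsencrypt.org.example.net.
        if parts.scheme == "https" and parts.hostname == LE_PRODUCTION_HOST:
            matches.append(server["id"])
    if len(matches) != 1:
        raise ValueError(f"expected one production server, found {len(matches)}")
    return matches[0]


def build_set_default_request(admin_url, server_id):
    """Prepare (do not send) the PUT that makes server_id the default ACME server."""
    body = json.dumps({"id": server_id}).encode()  # assumed body shape
    return urllib.request.Request(
        admin_url.rstrip("/") + API_BASE + "/default",
        data=body, method="PUT",
        headers={"Content-Type": "application/json",
                 "X-XSRF-Header": "PingAccess"},  # header the admin API expects
    )


if __name__ == "__main__":
    req = build_set_default_request("https://pa-admin.example.com:9000",
                                    pick_production_server(SAMPLE_LISTING))
    print(req.get_method(), req.full_url, req.data.decode())
```
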

To manage certificates with ACME:

### Steps

1. Click **Security**, then go to **Key Pairs > Key Pairs**.

2. Click the **Pencil** icon, and then click **Manage with ACME** for the key pair.

   #### Result:

   The ACME status changes to **Pending**. When the protocol completes successfully, the status changes to **Valid**.

## Downloading certificates

### About this task

Download the certificate for the key pair used by a mutual TLS site authenticator and configure the target site to trust the certificate.

To download a certificate:

### Steps

1. Click **Security**, then go to **Key Pairs > Key Pairs**.

2. Locate the row corresponding to the key pair, and then click the **Pencil** icon.

3. Click **Download Certificate**.

   #### Result:

   Your browser downloads the certificate and saves it in your local file system.
