---
title: Managing key pairs
description: Generate a key pair and self-signed certificate, import a key pair from a PKCS#12 or PEM-encoded file, or delete a configured key pair.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_managing_key_pairs
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_managing_key_pairs.html
revdate: September 22, 2023
section_ids:
  about-this-task: About this task
  importing-existing-key-pairs: Importing existing key pairs
  about-this-task-2: About this task
  steps: Steps
  generating-new-key-pairs: Generating new key pairs
  about-this-task-3: About this task
  steps-2: Steps
  deleting-key-pairs: Deleting key pairs
  about-this-task-4: About this task
  steps-3: Steps
---

# Managing key pairs

Generate a key pair (the private key and public key represented by a certificate) and self-signed certificate, import a key pair from a PKCS#12 or PEM-encoded file, or delete a configured key pair.

## About this task

PEM-encoded key pair files use the following format for the key and certificates:

```
-----BEGIN ENCRYPTED PRIVATE KEY-----
 <Base64–encoded private key>
(Private Key:  <domain_name.key>)
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
 <Base64–encoded certificate>
(Primary SSL certificate:  <domain_name.crt>)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
 <Base64–encoded certificate>
(Intermediate certificate:  <Intermediate.crt>)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
 <Base64–encoded certificate>
(Root certificate:  <Root.crt>)
-----END CERTIFICATE-----
```
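
A pre-import structural check for the PEM layout shown above, as an added example (not PingAccess or Ping Identity code). It verifies only block labels, block order, and Base64/DER framing; it does not decrypt the key or check certificate validity dates or chain order. The function name `lint_key_pair_pem` and the sample data are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN line, Base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
KEY_LABEL = "ENCRYPTED PRIVATE KEY"

def lint_key_pair_pem(text):
    """Return a list of findings; an empty list means the layout matches."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    findings = []
    for i, (label, body) in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append(f"block {i} ({label}): body is not valid Base64")
            continue
        # Keys and certificates are DER SEQUENCEs, so the first byte is 0x30.
        if not der.startswith(b"\x30"):
            findings.append(f"block {i} ({label}): not a DER SEQUENCE")
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if keys != [KEY_LABEL]:
        findings.append(f"expected one {KEY_LABEL} block, found {keys}")
    elif labels[0] != KEY_LABEL:
        findings.append("private key is not the first block")
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block")
    return findings

def _block(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed placeholder bytes, not a real key or certificate.
FAKE_DER = b"\x30\x0a" + bytes(10)
GOOD = _block(KEY_LABEL, FAKE_DER) + _block("CERTIFICATE", FAKE_DER) * 3
BAD = _block("CERTIFICATE", FAKE_DER) + _block("RSA PRIVATE KEY", FAKE_DER)

if __name__ == "__main__":
    print(lint_key_pair_pem(GOOD))
    print(lint_key_pair_pem(BAD))
```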

* Importing existing key pairs

* Generating new key pairs

## Importing existing key pairs

### About this task

If PingAccess is running in Federal Information Processing Standards (FIPS) mode, you can only import or export PEM-encoded key pairs. For more information, see [Managing Federal Information Processing Standards (FIPS) mode](../configuring_and_customizing_pingaccess/pa_fips_mode.html).

To import a key pair from a PKCS#12 or PEM-encoded file:

### Steps

1. Click **Security**, then go to **Key Pairs > Key Pairs**.

2. Click **Import**.

3. In the **Alias** field, enter a name that identifies the key pair.

   Special characters and spaces are allowed. This name identifies the key pair when you're assigning the key pair to various configurations, such as [HTTPS Listeners](pa_assigning_key_pairs_to_https_listeners.html).

4. In the **Password** field, enter a password to protect the key pair file.

   PingAccess uses the password to read the file.

5. Click **Choose File** to locate the key pair file.

6. Click **Save** to import the file.

   If the key pair is either expired or not yet valid, PingAccess displays a warning, but the import will proceed. If the key pair cannot be read using the specified password, the import fails.

## Generating new key pairs

### About this task

To generate a key pair and self-signed certificate:

### Steps

1. Click **Security**, then go to **Key Pairs > Key Pairs**.

2. Click **+ Add Key Pair**.

3. In the **Alias** field, enter an internal alias for the key pair.

4. In the **Common Name** field, enter the common name identifying the certificate.

5. **Optional:** If the key pair is going to be used for incoming requests on multiple hosts or multiple IP addresses, enter additional **Subject Alternative Names** to meet those requirements.

6. In the **Organization** field, enter the organization or company name of the group creating the certificate.

7. **Optional:** In the **Organization Unit** field, enter the unit within the organization.

8. **Optional:** In the **City** field, enter the city or primary location where the organization operates.

9. **Optional:** In the **State** field, enter the state or political unit where the organization operates.

10. In the **Country** field, enter the country where the organization operates.

11. In the **Valid Days** field, enter the number of days that the certificate is valid.

12. **Optional:** In the **Selected HSM** list, select a hardware security module to store the key pair in.

13. In the **Key Algorithm** section, select an algorithm:

    1. In the **Key Size** list, select the number of bits in the key.

    2. In the **Signature Algorithm** list, select the signature algorithm to use for the key.

14. Click **Save**.

## Deleting key pairs

### About this task

If a key pair is currently in use, you cannot delete it.

### Steps

1. Click **Security**, then go to **Key Pairs > Key Pairs**.

2. Click to expand the key pair that you want to delete.

3. Click the **Delete** icon.

4. To confirm your changes, click **Delete**.
