---
title: Assigning key pairs
description: Assign a key pair to a virtual host or HTTPS listener.
component: pingaccess
version: 9.1
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_assigning_key_pairs
canonical_url: https://docs.pingidentity.com/pingaccess/9.1/pingaccess_user_interface_reference_guide/pa_assigning_key_pairs.html
revdate: June 16, 2026
section_ids:
  assigning-key-pairs-to-virtual-hosts: Assigning key pairs to virtual hosts
  about-this-task: About this task
  steps: Steps
  assigning-key-pairs-to-https-listeners: Assigning key pairs to HTTPS listeners
  about-this-task-2: About this task
  steps-2: Steps
  cipher-suite-ordering-for-https-listeners: Cipher suite ordering for HTTPS listeners
  autorotation: Automatic key rotation for config query listeners
  how-do-i-know-if-autorotation-is-working: How do I know if autorotation is working?
---

# Assigning key pairs

Assign a key pair (the private key and public key represented by a certificate) to a virtual host or HTTPS listener.

PingAccess listens for HTTPS requests on the Admin, Engine, and Agent ports in all deployments, and on the Config query port in [clustered deployments](../reference_guides/pa_clustering_ref_guide.html).

You must assign a key pair to each listener. By default, the listeners are configured for HTTPS and use pregenerated key pairs associated with `localhost`.

**Note:** If you use virtual hosts, the following settings take precedence over any applicable HTTPS or engine listeners for the virtual host:

* A trusted certificate group configured for a virtual host.

* An engine key pair configured for association with a virtual host.

**HTTPS Listener Descriptions**

| HTTPS Listener | Description                                                                                                                                                                                                                                                                                                                                                 |
| -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Admin          | Listens for requests for the administrative console and the PingAccess REST APIs.                                                                                                                                                                                                                                                                           |
| Engine         | Listens for HTTP or HTTPS requests proxied to target web servers associated with [Sites](pa_sites_operations.html). Learn more in [Engine listeners](pa_engine_listeners.html).                                                                                                                                                                             |
| Agent          | Listens for requests from PingAccess agents.                                                                                                                                                                                                                                                                                                                |
| Sideband       | Listens for requests from sideband clients.                                                                                                                                                                                                                                                                                                                 |
| Config query   | Listens for requests for configuration information from replica admin nodes and engine nodes in clustered deployments. If you assign a new key pair to the config query listener, any clustered PingAccess engine nodes automatically rotate their key pair to match. Learn more in Automatic key rotation for config query listeners. |


## Assigning key pairs to virtual hosts

### About this task

To assign a key pair to a virtual host:

### Steps

1. Click **Security**, then go to **Key Pairs > Key Pairs**.

2. Click the **Pencil** icon, and then click **Assign Virtual Host** for the key pair.

3. In the **Virtual Hosts** list, select the virtual hosts that you want to use the key pair with.

   **Note:** When you assign a key pair to a virtual host, the key pair is also assigned to all other virtual hosts with the same host name.

4. Click **Save**.

## Assigning key pairs to HTTPS listeners

### About this task

To assign a new key pair for an active HTTPS listener:

### Steps

1. Click **Security**, then go to **Key Pairs > Key Pairs**.

2. Click the **Pencil** icon, and then click **Assign HTTPS Listener** for the key pair.

3. In the **Listeners** list, select the HTTPS listeners that you want to use the key pair with.

   **Note:** New connections use any changes you make to an HTTPS listener's active key pair, but existing connections continue to use the old configuration.

4. Click **Save**.

## Cipher suite ordering for HTTPS listeners

PingAccess supports the use of a defined cipher suite order to ensure that the most secure cipher suites are used first, regardless of the client request. By default, new PingAccess installations and PingAccess environments upgraded to 5.1 or later use this cipher suite ordering.

* You can use the `tls.default.cipherSuites` property in the `<PA_HOME>/conf/run.properties` file to change the cipher suite order.

  Learn more in [PingAccess configuration file reference](../reference_guides/pa_config_file_ref.html#pa-tls-ssl).

* To direct PingAccess to use the cipher suite order provided by the client instead, use the PingAccess API `/httpsListeners` endpoint to set the `useServerCipherSuiteOrder` property to `false`.

  Learn more in [PingAccess API endpoints](../reference_guides/pa_api_endpoints.html).
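The safer setting is the default one, in which the server's cipher suite order wins. The following added script (not PingAccess's own code) audits every HTTPS listener returned by `/httpsListeners` and lists those where `useServerCipherSuiteOrder` is false, so a listener that was switched to client ordering does not go unnoticed. The admin API base path `/pa-admin-api/v3` on port 9000, the `X-XSRF-Header` request header, and the `items` wrapper in list responses are assumptions about the PingAccess admin API; `SAMPLE_RESPONSE` is constructed so the check runs offline.

```python
"""Audit PingAccess HTTPS listeners for client-controlled cipher suite order.

Added example, not PingAccess's own code. The page names the /httpsListeners
endpoint and the useServerCipherSuiteOrder property; the admin API base path,
the X-XSRF-Header request header and the "items" wrapper in list responses are
assumptions about the admin API, and SAMPLE_RESPONSE is constructed.
"""
import base64
import json
import ssl
import urllib.request

ADMIN_API = "https://localhost:9000/pa-admin-api/v3"   # assumed base URL

# Constructed stand-in for a GET /httpsListeners response.
SAMPLE_RESPONSE = {
    "items": [
        {"id": 1, "name": "ADMIN", "useServerCipherSuiteOrder": True},
        {"id": 2, "name": "ENGINE", "useServerCipherSuiteOrder": False},
        {"id": 3, "name": "AGENT"},
    ]
}


def listeners_with_client_order(payload):
    """Return the names of listeners that honour the client's cipher order.

    A listener whose useServerCipherSuiteOrder is false lets the client pick
    the suite; one that omits the property is reported too so it gets checked
    by hand rather than silently assumed safe.
    """
    return [
        listener["name"]
        for listener in payload.get("items", [])
        if listener.get("useServerCipherSuiteOrder") is not True
    ]


def fetch_listeners(username, password, base_url=ADMIN_API):
    """GET /httpsListeners with HTTP Basic auth over verified TLS.

    The Admin listener's key pair must chain to a CA the client trusts; the
    pregenerated localhost pair will not, so assign a proper key pair to the
    Admin listener (see the steps above) before relying on this check.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(
        f"{base_url}/httpsListeners",
        headers={
            "Authorization": f"Basic {token}",
            "X-XSRF-Header": "PingAccess",   # assumed CSRF guard header
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(request, context=ssl.create_default_context()) as response:
        return json.load(response)


if __name__ == "__main__":
    # Offline demo on the constructed response; swap in fetch_listeners(...) for a live server.
    print("client-ordered listeners:", listeners_with_client_order(SAMPLE_RESPONSE))
```

Run it against a live admin node by replacing `SAMPLE_RESPONSE` with `fetch_listeners(user, password)`; an empty result means every listener enforces the server's order.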

## Automatic key rotation for config query listeners

When you assign a new key pair to the config query listener, PingAccess creates a key rotation window automatically, beginning the process of rotating key pairs on any clustered engine nodes without restarting those nodes. The following occurs:

* PingAccess opens a temporary port that uses the new key pair. Meanwhile, the old key pair remains accessible on the original port.

  **Note:** The temporary port is configurable using the `clusterconfig.temp.rotation.port` property in the `run.properties` file. Learn more in the [PingAccess configuration file reference](../reference_guides/pa_config_file_ref.html#pa-cluster-config-settings). You can also configure how long the rotation window stays open. Learn more in the [Cert rotation](../reference_guides/pa_config_file_ref.html#pa-cert-rotation) section of the configuration file reference.

* Configured engine nodes poll the [`/engines/rest/config-query-certificate` endpoint](../reference_guides/pa_api_endpoints.html) continually at a set interval. Polling this endpoint allows the engine nodes to detect and retrieve the new key pair.

  **Note:** Engines that aren't running when the key rotation window opens still rotate the key if you start them at any point during the window.

* The engine nodes save the new key pair to their `bootstrap.properties` file, wait until any active configuration changes happening on the engine node are complete, and then start using the new key pair.

* When polling the `/engines/rest/config-query-certificate` endpoint for configuration changes, each engine node uses the `X-PA-Active-Cert-Fingerprint` header to send a fingerprint of the key that's currently in its truststore.

* The PingAccess admin console tracks which engines have updated using the fingerprint headers. Once all the engine nodes are using the new key pair, the admin console switches the new key pair to the original port, and then closes the temporary port and the rotation window.
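To make the exchange above concrete, the following added model (not PingAccess's own code) plays both sides of the rotation window: the admin side answers polls of `/engines/rest/config-query-certificate`, reading the `X-PA-Active-Cert-Fingerprint` header to decide which engines still present the old key, and the engine side saves the delivered key, defers activation while a configuration change is in flight, and reports the fingerprint of whatever key it is actually using. The certificate bytes are constructed stand-ins for DER-encoded certificates, and the fingerprint encoding (SHA-256 over the certificate, colon-separated hex) is an assumption; the page only says that a fingerprint is sent.

```python
"""Model of the config query listener key rotation window described above.

Added example, not PingAccess's own code. The certificate bytes are
constructed stand-ins for DER-encoded certificates and the fingerprint
encoding (SHA-256, colon-separated hex) is an assumption; the page only says
that each engine sends a fingerprint in the X-PA-Active-Cert-Fingerprint header.
"""
import hashlib

FINGERPRINT_HEADER = "X-PA-Active-Cert-Fingerprint"

# Constructed stand-ins for the old and new config query certificates.
OLD_CERT = b"constructed-der-bytes-for-old-config-query-cert"
NEW_CERT = b"constructed-der-bytes-for-new-config-query-cert"


def fingerprint(cert_der: bytes) -> str:
    """Colon-separated SHA-256 hex digest, the assumed header encoding."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class RotationWindow:
    """Admin console side: serves the new certificate on the temporary port and
    tracks, by reported fingerprint, which engines still use the old key."""

    def __init__(self, engine_ids, old_cert, new_cert):
        self.pending = set(engine_ids)
        self.new_cert = new_cert
        self.new_fp = fingerprint(new_cert)
        self.old_fp = fingerprint(old_cert)
        self.is_open = True

    def handle_poll(self, engine_id, headers):
        """Answer one poll of /engines/rest/config-query-certificate.

        Returns the new certificate while the engine still reports the old
        fingerprint and None once it reports the new one; the window closes
        when no engine is pending."""
        reported = headers.get(FINGERPRINT_HEADER)
        if reported == self.new_fp:
            self.pending.discard(engine_id)
            if not self.pending:
                # All engines rotated: new key moves to the original port,
                # temporary port and rotation window close.
                self.is_open = False
            return None
        return self.new_cert


class Engine:
    """Engine node side: polls, saves the delivered key to bootstrap.properties,
    and activates it only when no configuration change is in flight."""

    def __init__(self, engine_id, trusted_cert, busy_rounds=0):
        self.engine_id = engine_id
        self.active_cert = trusted_cert      # key currently in the truststore
        self.bootstrap_cert = trusted_cert   # what bootstrap.properties holds
        self.busy_rounds = busy_rounds       # polls during which a config change is active

    def poll(self, window):
        # A saved but not yet active key is activated once the engine is idle.
        if self.bootstrap_cert != self.active_cert and self.busy_rounds == 0:
            self.active_cert = self.bootstrap_cert
        headers = {FINGERPRINT_HEADER: fingerprint(self.active_cert)}
        delivered = window.handle_poll(self.engine_id, headers)
        if delivered is not None:
            self.bootstrap_cert = delivered
            if self.busy_rounds == 0:
                self.active_cert = delivered
        if self.busy_rounds:
            self.busy_rounds -= 1


def run_rotation(window, engines, max_rounds=10):
    """Run polling rounds until the window closes; returns the rounds needed."""
    for rnd in range(1, max_rounds + 1):
        for engine in engines:
            engine.poll(window)
        if not window.is_open:
            return rnd
    raise RuntimeError("rotation window did not close within max_rounds")


def demo(busy_rounds=0):
    """Two engines, the second optionally busy; returns (rounds, all_rotated)."""
    engines = [Engine("engine-1", OLD_CERT), Engine("engine-2", OLD_CERT, busy_rounds)]
    window = RotationWindow([e.engine_id for e in engines], OLD_CERT, NEW_CERT)
    rounds = run_rotation(window, engines)
    return rounds, all(e.active_cert == NEW_CERT for e in engines)


if __name__ == "__main__":
    print(demo())               # idle engines: window closes on the second poll round
    print(demo(busy_rounds=2))  # a busy engine delays closure, but nothing is lost
```

The busy engine case is the one worth noticing: the admin keeps re-delivering the new key on every poll until the engine reports the new fingerprint, so a node that is mid-configuration-change, or that was started late in the window, converges without any restart.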

### How do I know if autorotation is working?

* The PingAccess admin console shows a warning banner while the rotation window is open.

* You can use the PingAccess log to keep track of the specific changes as they're happening.

* If you check the `bootstrap.properties` file after the rotation window closes, you should see a comment along the lines of `PingAccess engine bootstrap properties updated by cert rotation`, followed by a timestamp.
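The last check can be scripted across a fleet of engines. The following added helper (not PingAccess's own code) reads a `bootstrap.properties` file, finds the cert-rotation comment, parses the timestamp on the following comment line, and reports whether the file was rewritten after the rotation window opened. `SAMPLE_BOOTSTRAP` is constructed (its property key is a placeholder, not a real PingAccess key), and the timestamp format is an assumption: the page says only that the comment is followed by a timestamp.

```python
"""Read the cert-rotation marker from an engine's bootstrap.properties.

Added example, not PingAccess's own code. SAMPLE_BOOTSTRAP is constructed
(the property key is a placeholder, not a real PingAccess key) and the
timestamp format is an assumption; the page says only that a comment along
the lines of "PingAccess engine bootstrap properties updated by cert
rotation" is followed by a timestamp.
"""
from datetime import datetime, timezone

ROTATION_MARKER = "updated by cert rotation"

# Constructed sample; the comment wording follows the page, the date is made up.
SAMPLE_BOOTSTRAP = """\
#PingAccess engine bootstrap properties updated by cert rotation
#Tue Jun 16 10:42:07 UTC 2026
placeholder.key=placeholder-value
"""

# Java Properties.store() style date line (assumed), with ISO 8601 fallbacks.
_TIMESTAMP_FORMATS = (
    "%a %b %d %H:%M:%S %Z %Y",
    "%Y-%m-%dT%H:%M:%S%z",
    "%Y-%m-%d %H:%M:%S",
)


def _parse_timestamp(text):
    for fmt in _TIMESTAMP_FORMATS:
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            continue
        # strptime accepts UTC/GMT for %Z but leaves the result naive; fix that up.
        if parsed.tzinfo is None and (" UTC " in text or " GMT " in text):
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed
    return None


def rotation_timestamp(properties_text):
    """Return the timestamp written after the rotation marker, or None when the
    file carries no marker or the line after it is not a parseable comment."""
    lines = properties_text.splitlines()
    for index, line in enumerate(lines):
        if line.startswith("#") and ROTATION_MARKER in line:
            if index + 1 < len(lines) and lines[index + 1].startswith("#"):
                return _parse_timestamp(lines[index + 1].lstrip("#").strip())
            return None
    return None


def rotated_since(properties_text, window_opened):
    """True when the bootstrap file was rewritten at or after the rotation
    window opened, which is what a successful rotation should show."""
    stamp = rotation_timestamp(properties_text)
    if stamp is None:
        return False
    # Compare like with like: treat a naive value as UTC if the other is aware.
    if (stamp.tzinfo is None) != (window_opened.tzinfo is None):
        stamp = stamp.replace(tzinfo=stamp.tzinfo or timezone.utc)
        window_opened = window_opened.replace(tzinfo=window_opened.tzinfo or timezone.utc)
    return stamp >= window_opened


if __name__ == "__main__":
    opened = datetime(2026, 6, 16, 10, 0, tzinfo=timezone.utc)  # constructed window start
    print(rotation_timestamp(SAMPLE_BOOTSTRAP))
    print(rotated_since(SAMPLE_BOOTSTRAP, opened))
```

A `False` result on an engine after the console's warning banner has gone is the signal to look at that node's log: the window closed without it, or the file was never rewritten.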
