PingAccess

Managing key pair certificates

Add, download, or remove a certificate from a key pair, or manage key pairs using the automatic certificate management environment (ACME) protocol.

About this task

Adding certificates to key pairs

About this task

To modify the certificates included in a chain, remove the certificates from the key pair and add them again. Alternatively, delete the certificate and recreate it by importing a new certificate file and adding certificates to the key pair.

To add a certificate to an existing key pair:

Steps

  1. Click Security and then go to Key Pairs → Key Pairs.

  2. Click to expand an existing key pair.

  3. In the Key Pair Chain Certificate list, select Add Certificate.

  4. To browse for and select the certificate file, click Choose File.

  5. Click Add.

Removing certificates from key pairs

About this task

Certificates can only be removed in reverse order. This procedure removes the last certificate in the chain.

Steps

  1. Click Security and then go to Key Pairs → Key Pairs.

  2. Click to expand an existing key pair.

  3. To remove the last certificate in the chain, click the Delete icon.

  4. To confirm your changes, click Delete.

Managing certificates for key pairs with ACME

About this task

The ACME protocol is an Internet Engineering Task Force (IETF) proposed standard protocol that automates the signing of TLS certificates by a certificate authority (CA).

By default, the ACME certificate management option in PingAccess uses the staging Let’s Encrypt ACME CA.

The Let’s Encrypt staging server, which PingAccess uses by default, has more lenient rate limits but it doesn’t generate functional certificates, to support its use for testing purposes. For more information about rate limits, see the Let’s Encrypt documentation.

After testing your environment, you must switch to a production server using the PingAccess administrative application programming interface (API).

  1. Use a GET call to /pa-admin-api/v3/acme/servers to retrieve the ID of a production server.

  2. Use a PUT call to /pa-admin-api/v3/acme/servers/default to set the production Let’s Encrypt server as the default.

To add more ACME servers, use a POST call to /pa-admin-api/v3/acme/servers. For more information about the administrative API endpoints, see Administrative API endpoints.

To manage certificates with ACME:

Steps

  1. Click Security and then go to Key Pairs → Key Pairs.

  2. Click the Pencil icon, and then click Manage with ACME for the key pair.

    Result:

    The ACME status changes to Pending. When the protocol has completed, the status changes to Valid if the protocol completed successfully.

Downloading certificates

About this task

Download the certificate for the key pair used by a mutual TLS site authenticator and configure the target site to trust the certificate.

To download a certificate:

Steps

  1. Click Security and then go to Key Pairs → Key Pairs.

  2. Locate the row corresponding to the key pair, and then click the Pencil icon.

  3. Click Download Certificate.

    Result:

    Your browser downloads the certificate and saves it in your local file system.