Certificate rotation
The optional automatic certificate rotation feature of PingFederate greatly reduces the cost of managing self-signed certificates.
PingFederate supports automatic rotation of self-signed certificates that were created for signing SAML requests, responses, and assertions, or for XML decryption, in browser SSO and WS-Trust STS transactions. Rotation is enabled on a per-certificate basis.
Certificate rotation is available only for self-signed certificates. You also can't enable rotation on a certificate that is used as the secondary signing certificate in a connection, or as the primary signing certificate in a connection that has a secondary signing certificate configured.
Certificate rotation happens in two stages, controlled by the Creation Buffer and Activation Buffer settings.
- The Creation Buffer is the number of days before expiry at which PingFederate creates a new key pair and a new certificate.
- The Activation Buffer is the number of days before expiry at which PingFederate activates the new certificate in place of the current one.
When you enable certificate rotation on a certificate, you can customize the values of the Creation Buffer and Activation Buffer settings. Alternatively, you can keep their default values, which are 25% and 10% of the lifetime of the current certificate, respectively, rounded down to whole days. The rotation window is the period from the creation date up to the day before the activation date, during which the new certificate exists but the current one is still in use. The following examples illustrate the default values for both buffers based on a 100-day certificate and a 365-day certificate.

Current certificate | The default value for the Creation Buffer field | The default value for the Activation Buffer field | The rotation window
---|---|---|---
Self-signed certificate #1, valid for 100 days from January 1, 2017 to April 9, 2017 | 25 days ahead of expiry, which is March 16 | 10 days ahead of expiry, which is March 31 | 15 days, from March 16 through March 30
Self-signed certificate #2, valid for 365 days from January 1, 2017 to December 31, 2017 | 91 days ahead of expiry, which is October 2 | 36 days ahead of expiry, which is November 26 | 55 days, from October 2 through November 25
If the PingFederate server is shut down at the time the Creation Buffer threshold is reached for a given certificate, the new key pair and certificate are still created when PingFederate is restarted, provided the restart happens within the rotation window.
In a clustered PingFederate environment, when the new signing certificate is ready, the administrative console displays a message reminding administrators to replicate the new certificate to the engine nodes in System → Server → Cluster Management.
Optionally, you can turn on notifications for certificate events in System → Monitoring & Notifications → Runtime Notifications. When configured, PingFederate notifies the configured recipient when a new certificate is available and when it is activated. Depending on the role of the certificate, update your partner accordingly; for example, a partner that verifies your signatures must have the new signing certificate before it is activated, otherwise signature validation at the partner fails once the rotation completes.