PingFederate Server

Manage SSL client keys and certificates

On Security → Certificate & Key Management → SSL Client Keys & Certificates, you can create and manage your authentication private keys and the certificates your server presents as clients in an outbound SSL/TLS transaction.

The SSL Client Keys & Certificates window enables you to manage certificates and CSRs in multiple ways. The window’s functionality allows you to create, import, export, review, and delete certificates, as well as create CSRs and import CSR responses.

Creating new certificates

Use the functionality found in the SSL Client Keys & Certificates window to create new, customized certificates.

Steps

  1. On the SSL Client Keys & Certificates window, click Create new.

  2. On the Create Certificate tab, enter the required information.

    For information about each field, refer to the following table.

    | Field | Description |
    | --- | --- |
    | Common Name | The common name (CN) identifying the certificate. |
    | Subject Alternative Names | The additional DNS names or IP addresses possibly associated with the certificate. |
    | Organization | The organization (O) or company name creating the certificate. |
    | Organizational Unit | The specific unit within the organization (OU). |
    | City | The city or other primary location (L) where the company operates. |
    | State | The state (ST) or other political unit encompassing the location. |
    | Country | The country (C) where the company is based. |
    | Validity (days) | The time during which the certificate is valid. |
    | Key Algorithm | A cryptographic formula used to generate a key. PingFederate uses either of two algorithms, RSA or EC. |
    | Key Size (bits) | The number of bits used in the key. (RSA-1024, 2048 and 4096; and EC-256, 384 and 521.) |
    | Signature Algorithm | The signing algorithm of the certificate. (RSA and ECDSA-SHA256, SHA384, and SHA512.) |

  3. When finished, click Next.

  4. On the Summary tab, review your configuration, amend as needed, and click Done.

Importing certificates and their private keys

You can import certificates and their private keys in the SSL Client Keys & Certificates window.

About this task

This task describes how to import certificates and their private keys. Supported certificate and private key formats differ depending on whether you are running PingFederate with BCFIPS enabled or disabled.

  • Certificate and private key format:

    • In non-BCFIPS mode, we support PKCS12- and PEM-formatted certificates and private keys, and automatically detect the format between PKCS12 and PEM.

    • In BCFIPS mode, we only support PEM-formatted certificates and private keys. Only PBES2 and AES or Triple DES encryption is accepted, and a 128-bit salt is required. In practice, this may mean that only PEM files generated by PingFederate can be imported.

    • For PEM, the private key must precede the certificates.

  • Password requirement:

    • In BCFIPS mode, the password must contain at least 14 characters.
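
A pre-import check for the PEM constraints listed above, as an added example that is not PingFederate code: it verifies that the private key block comes first and, for BCFIPS mode, that the password has at least 14 characters and the key is PBES2-encrypted with a 128-bit salt. The function names and the sample data are assumptions of this example, as is treating the key as a PKCS#8 `ENCRYPTED PRIVATE KEY` block that uses PBKDF2; the AES or Triple DES cipher is not checked.

```python
import base64, re

PBES2 = bytes.fromhex("2a864886f70d01050d")  # OID 1.2.840.113549.1.5.13 (id-PBES2)
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, pos=0):
    """Read one DER element at pos; return (value bytes, offset after it)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def check_bundle(pem_text, password, bcfips=True):
    """Return the problems that would block an import; an empty list means none found."""
    labels = [label for label, _ in PEM_RE.findall(pem_text)]
    if not labels or not labels[0].endswith("PRIVATE KEY"):
        return ["private key must be the first PEM block"]
    problems = [] if "CERTIFICATE" in labels[1:] else ["no certificate follows the key"]
    if not bcfips:
        return problems
    if len(password) < 14:
        problems.append("password shorter than 14 characters")
    if labels[0] != "ENCRYPTED PRIVATE KEY":  # assumption: encrypted PKCS#8 expected
        return problems + ["key is not in an ENCRYPTED PRIVATE KEY block"]
    epki, _ = tlv(base64.b64decode(PEM_RE.search(pem_text).group(2)))
    alg, _ = tlv(epki)                 # encryptionAlgorithm
    oid, nxt = tlv(alg)
    if oid != PBES2:
        return problems + ["key encryption is not PBES2"]
    params, _ = tlv(alg, nxt)          # PBES2-params
    kdf, _ = tlv(params)               # keyDerivationFunc
    _, nxt = tlv(kdf)                  # skip the KDF OID
    kdf_params, _ = tlv(kdf, nxt)      # PBKDF2-params
    salt, _ = tlv(kdf_params)          # salt is its first field
    if len(salt) * 8 != 128:
        problems.append(f"salt is {len(salt) * 8} bits, 128 required")
    return problems

def _der(tag, *parts):  # short-form DER encoder for the constructed sample only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_bundle(salt_len):
    """Constructed sample: PBES2 layout with dummy ciphertext and certificate bytes."""
    kdf = _der(0x30, _der(6, PBES2[:-1] + b"\x0c"), _der(0x30, _der(4, bytes(salt_len)), _der(2, b"\x08\x00")))
    enc = _der(0x30, _der(6, bytes.fromhex("60864801650304012a")), _der(4, bytes(16)))
    key = _der(0x30, _der(0x30, _der(6, PBES2), _der(0x30, kdf, enc)), _der(4, bytes(32)))
    pem = lambda label, der: f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
    return pem("ENCRYPTED PRIVATE KEY", key) + pem("CERTIFICATE", b"\x30\x00")
```

To check a real file, call `check_bundle(open(path).read(), password)` before starting the import.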

Steps

  1. On the SSL Client Keys & Certificates window, click Import.

  2. On the Import Certificate tab, choose the applicable certificate file and enter its password.

    If PingFederate is integrated with an HSM in hybrid mode, select the storage facility of the certificate from the Cryptographic Provider list.

    • Select HSM to store the certificate in the HSM.

    • Select Local Trust Store to store the certificate in the local trust store managed by PingFederate.

  3. On the Summary window, review your configuration, amend as needed, and click Done.

Creating a certificate signing request (CSR)

Use the Certificate Signing functionality to generate and save a CSR file to submit it to a certificate authority (CA) for a signed certificate.

Steps

  1. On the SSL Client Keys & Certificates window, select Certificate Signing for the certificate.

    This selection is inactive if you have not yet saved a newly created or imported certificate. Click Save and then return to this window to initiate the process.

    The selection is also inactive if a previously signed certificate is revoked. Because the revocation could indicate that the private key is compromised, the best practice is to import or create a replacement certificate for certificate signing.

  2. On the Certificate Signing tab, select the Generate CSR option.

  3. On the Generate CSR tab, click Export to save the CSR file, and then click Done.

    Once saved, you can submit this CSR file to a certificate authority for a CA-signed certificate.

Importing a certificate-authority response (CSR response)

Use the Certificate Signing functionality to import your own CSR response file into PingFederate.

Steps

  1. On the SSL Client Keys & Certificates window, select Certificate Signing for the certificate.

  2. On the Certificate Signing tab, select the Import CSR Response option.

  3. On the Import CSR Response tab, choose the applicable CSR response file.

  4. On the Summary tab, review your configuration, and click Save.

Exporting certificates

On the SSL Client Keys & Certificates window, you can export a certificate with or without its private key.

About this task

This task describes how to export certificates and their private keys. Supported certificate and private key formats differ depending on whether you are running PingFederate with BCFIPS enabled or disabled.

  • Certificate and private key format:

    • In non-BCFIPS mode, when the Certificate and Private Key option is selected, a Format field displays allowing you to choose between exporting a PKCS12 or a PEM formatted certificate and private key.

    • In BCFIPS mode, you can only export PEM-formatted certificates and private keys.

      If you need to convert from PEM to PKCS12 format, use the following command:

      openssl pkcs12 -export -inkey keypair.pem -in keypair.pem -out keypair.p12

  • Password requirement:

    • In BCFIPS mode, the password must contain at least 14 characters.

Steps

  1. On the SSL Client Keys & Certificates window, select Export for the certificate.

  2. On the Export Certificate tab, select the export type.

    • Select Certificate Only to export the selected certificate without its private key. This is the default choice.

    • Select Certificate and Private Key to export the selected certificate with its private key. If you are not running in BCFIPS mode, the Format section appears, and you must select either PKCS12 or PEM.

      You must also enter and confirm an Encryption Password, since this export contains the private key of the certificate.

    If the selected certificate is stored in a hardware security module (HSM), the Certificate and Private Key option does not apply.

  3. On the Export & Summary window, click Export to save the certificate file, and then click Done.

Reviewing certificates

Take a closer look at individual certificates to ensure their properties match your needs.

Steps

  1. On the SSL Client Keys & Certificates window, select the certificate by its serial number.

  2. Review the selected certificate in the pop-up window.

  3. When finished, close the pop-up window.

Removing certificates

Delete certificates you no longer need.

Steps

  1. On the SSL Client Keys & Certificates window, select Delete for the certificate.

    To cancel the removal request, select Undelete for the certificate.

  2. Click Save to confirm your action.