PingFederate Server

Managing certificate rotation settings

Use the Signing & Decryption Keys & Certificates window to customize certificate rotation settings for your certificates.

About this task

Manage certificate rotation settings for self-signed certificates on Security → Certificate & Key Management → Signing & Decryption Keys & Certificates.

Steps

  1. On the Signing & Decryption Keys & Certificates window, select Certificate Rotation for the applicable certificate.

    Certificate rotation is available only for self-signed certificates.

  2. Select the check box to turn on certificate rotation for the selected certificate, then click Next.

    If you want to turn off certificate rotation for the selected certificate, clear the check box and then click Save.

  3. Optional: On the Certificate Rotation tab, modify the default values.

    Field Description

    Creation buffer

    The number of days ahead of expiry that PingFederate creates a new key pair and a new certificate.

    The default value is 25% of the original lifetime of the current certificate.

    Activation buffer

    The number of days ahead of expiry that PingFederate activates the certificate.

    The default value is 10% of the original lifetime of the current certificate.

    Validity

    The time during which the certificate is valid.

    The default value matches that of the current certificate.

    Key Algorithm

    A cryptographic formula used to generate a key. PingFederate uses either of two algorithms, RSA or EC.

    The default value matches that of the current certificate.

    For XML decryption keys, PingFederate only supports the RSA key algorithm. When EC (elliptic curve) is selected as the Key Algorithm value on the Certificate Rotation tab, PingFederate does not update the SAML 2.0 connections and their metadata.

    Key Size

    The number of bits used in the key: 1024, 2048, or 4096 for RSA; 256, 384, or 521 for EC.

    The default value matches that of the current certificate.

    Signature Algorithm

    The signing algorithm of the certificate: RSA or ECDSA with SHA256, SHA384, or SHA512.

    The default value matches that of the current certificate.

  4. On the Certificate Rotation Summary tab, review the rotation settings. Adjust as needed, and then click Save to turn on automatic certificate rotation for this certificate.
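
As an added example (not Ping Identity code), the following Python sketch computes when a certificate's replacement would be created and activated under the default or custom buffers, and checks the chosen settings against the constraints in the field table. The name `plan_rotation`, its parameters, rounding the default percentages down to whole days, and the buffer-ordering check are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

# Key sizes listed in the field table above.
KEY_SIZES = {"RSA": {1024, 2048, 4096}, "EC": {256, 384, 521}}


def plan_rotation(not_before, not_after, creation_buffer=None,
                  activation_buffer=None, key_algorithm="RSA",
                  key_size=2048, xml_decryption=False):
    """Return (schedule, findings) for one self-signed certificate.

    Buffers are whole days before expiry. None selects the documented
    default (25% / 10% of the original lifetime), rounded down here.
    """
    lifetime_days = (not_after - not_before).days
    if creation_buffer is None:
        creation_buffer = lifetime_days * 25 // 100
    if activation_buffer is None:
        activation_buffer = lifetime_days * 10 // 100

    findings = []
    if key_size not in KEY_SIZES.get(key_algorithm, set()):
        findings.append(f"{key_algorithm}-{key_size} is not a listed key size")
    if key_algorithm == "RSA" and key_size == 1024:
        findings.append("RSA-1024 is below the 2048-bit minimum in current guidance")
    if xml_decryption and key_algorithm != "RSA":
        findings.append("XML decryption keys support RSA only")
    # Sanity check of this sketch: the new certificate has to exist before
    # it can be activated, and both events must fall inside the lifetime.
    if not 0 < activation_buffer < creation_buffer < lifetime_days:
        findings.append("buffers must satisfy 0 < activation < creation < lifetime")

    create_on = not_after - timedelta(days=creation_buffer)
    activate_on = not_after - timedelta(days=activation_buffer)
    schedule = {
        "create_on": create_on,
        "activate_on": activate_on,
        # Days partners have to pick up the new certificate before it is used.
        "distribution_days": (activate_on - create_on).days,
        # Days the old certificate remains valid after the switch.
        "old_cert_overlap_days": activation_buffer,
    }
    return schedule, findings


if __name__ == "__main__":
    # Constructed sample: a one-year certificate with default buffers.
    start = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print(plan_rotation(start, start + timedelta(days=365)))
```

The `distribution_days` value is the window in which partners that pin the signing certificate need to receive the new one.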