---
title: Manage SSL client keys and certificates
description: On Security > Certificate & Key Management > SSL Client Keys & Certificates, you can create and manage your authentication private keys and the certificates your server presents as clients in an outbound SSL/TLS transaction.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_certmanagementtasklet_sslcertauth_certmanagementstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_certmanagementtasklet_sslcertauth_certmanagementstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  creating-new-certificates: Creating new certificates
  steps: Steps
  importing-certificates-and-their-private-keys: Importing certificates and their private keys
  about-this-task: About this task
  steps-2: Steps
  creating-a-certificate-signing-request-csr: Creating a certificate signing request (CSR)
  steps-3: Steps
  importing-a-certificate-authority-response-csr-response: Importing a certificate-authority response (CSR response)
  steps-4: Steps
  exporting-certificates: Exporting certificates
  about-this-task-2: About this task
  steps-5: Steps
  reviewing-certificates: Reviewing certificates
  steps-6: Steps
  removing-certificates: Removing certificates
  steps-7: Steps
---

# Manage SSL client keys and certificates

On **Security > Certificate & Key Management > SSL Client Keys & Certificates**, you can create and manage your authentication private keys and the certificates your server presents as clients in an outbound SSL/TLS transaction.

The **SSL Client Keys & Certificates** window enables you to manage certificates and CSRs in multiple ways. The window's functionality allows you to create, import, export, review, and delete certificates, as well as create CSRs and import CSR responses.

## Creating new certificates

Use the functionality found in the **SSL Client Keys & Certificates** window to create new, customized certificates.

### Steps

1. On the **SSL Client Keys & Certificates** window, click **Create new**.

2. On the **Create Certificate** tab, enter the required information.

   For information about each field, refer to the following table.

   | Field                     | Description                                                                                            |
   | ------------------------- | ------------------------------------------------------------------------------------------------------ |
   | Common Name               | The common name (CN) identifying the certificate.                                                      |
   | Subject Alternative Names | The additional DNS names or IP addresses possibly associated with the certificate.                     |
   | Organization              | The organization (O) or company name creating the certificate.                                         |
   | Organizational Unit       | The specific unit within the organization (OU).                                                        |
   | City                      | The city or other primary location (L) where the company operates.                                     |
   | State                     | The state (ST) or other political unit encompassing the location.                                      |
   | Country                   | The country (C) where the company is based.                                                            |
   | Validity (days)           | The time during which the certificate is valid.                                                        |
   | Key Algorithm             | A cryptographic formula used to generate a key. PingFederate uses either of two algorithms, RSA or EC. |
   | Key Size (bits)           | The number of bits used in the key. (RSA-1024, 2048 and 4096; and EC-256, 384 and 521.)                |
   | Signature Algorithm       | The signing algorithm of the certificate. (RSA and ECDSA-SHA256, SHA384, and SHA512.)                  |

3. When finished, click **Next**.

4. On the **Summary** tab, review your configuration, amend as needed, and click **Done**.

## Importing certificates and their private keys

You can import certificates and their private keys in the **SSL Client Keys & Certificates** window.

### About this task

This task describes how to import certificates and their private keys. Supported certificate and private key formats differ depending on whether you are running PingFederate with BCFIPS enabled or disabled.

* Certificate and private key format:

  * In non-BCFIPS mode, we support PKCS12 and PEM formatted certificates and private keys, and automatically detect the format between PKCS12 and PEM.

  * In BCFIPS mode, we only support PEM formatted certificates and private keys. Only PBES2 and AES or Triple DES encryption is accepted, and a 128-bit salt is required. In practice, this may mean that only PEM files generated by PingFederate can be imported.

  * For PEM, the private key must precede the certificates.

* Password requirement:

  * In BCFIPS mode, the password must contain at least 14 characters.
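
A pre-import check for the BCFIPS-mode constraints listed above, as an added example that is not PingFederate code: it confirms the key block comes first, the password has at least 14 characters, and the PKCS#8 key uses PBES2 with an AES or Triple DES cipher and a 16-byte salt. The names `tlv` and `check_bundle`, the mapping of the page's wording to these standard OIDs, and the expectation of an `ENCRYPTED PRIVATE KEY` block are assumptions of this example.

```python
import base64, re

# Standard DER-encoded OIDs; tying them to the page's wording is this example's assumption.
OID_PBES2 = bytes.fromhex("2a864886f70d01050d")   # 1.2.840.113549.1.5.13
OID_3DES_CBC = bytes.fromhex("2a864886f70d0307")  # 1.2.840.113549.3.7 (des-ede3-cbc)
AES_ARC = bytes.fromhex("6086480165030401")       # 2.16.840.1.101.3.4.1.* (AES family)

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def check_bundle(pem_text, password):
    """Return the list of problems found for a BCFIPS-mode import (empty if none)."""
    problems = []
    if len(password) < 14:
        problems.append("password shorter than 14 characters")
    blocks = re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not blocks or not blocks[0][0].endswith("PRIVATE KEY"):
        problems.append("private key must precede the certificates")
    enc = [body for label, body in blocks if label == "ENCRYPTED PRIVATE KEY"]
    if not enc:
        return problems + ["no PKCS#8 ENCRYPTED PRIVATE KEY block"]
    try:
        der = base64.b64decode("".join(enc[0].split()))
        _, epki, _ = tlv(der, 0)                    # EncryptedPrivateKeyInfo
        _, alg, _ = tlv(epki, 0)                    # encryptionAlgorithm
        _, oid, p = tlv(alg, 0)
        if oid != OID_PBES2:
            return problems + ["key is not PBES2-encrypted"]
        _, params, _ = tlv(alg, p)                  # PBES2-params
        _, kdf, p = tlv(params, 0)                  # keyDerivationFunc
        _, scheme, _ = tlv(params, p)               # encryptionScheme
        _, _, p = tlv(kdf, 0)                       # skip the KDF OID
        _, kdf_params, _ = tlv(kdf, p)              # PBKDF2-params
        tag, salt, _ = tlv(kdf_params, 0)           # salt as OCTET STRING
        _, cipher, _ = tlv(scheme, 0)               # cipher OID
    except (ValueError, IndexError):
        return problems + ["key block is not valid DER"]
    if tag != 0x04 or len(salt) != 16:
        problems.append("salt is not 128 bits")
    if not (cipher.startswith(AES_ARC) or cipher == OID_3DES_CBC):
        problems.append("cipher is neither AES nor Triple DES")
    return problems
```

Call `check_bundle(open(path).read(), password)` on the PEM file before uploading it; an empty list means none of the listed constraints was violated.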

### Steps

1. On the **SSL Client Keys & Certificates** window, click **Import**.

2. On the **Import Certificate** tab, choose the applicable certificate file and enter its password.

   If PingFederate is integrated with an HSM in hybrid mode, select the storage facility of the certificate from the **Cryptographic Provider** list.

   * Select **HSM** to store the certificate in the HSM.

   * Select **Local Trust Store** to store the certificate in the local trust store managed by PingFederate.

3. On the **Summary** window, review your configuration, amend as needed, and click **Done**.

## Creating a certificate signing request (CSR)

Use the **Certificate Signing** functionality to generate and save a CSR file to submit it to a certificate authority (CA) for a signed certificate.

### Steps

1. On the **SSL Client Keys & Certificates** window, select **Certificate Signing** for the certificate.

   This selection is inactive if you have not yet saved a newly created or imported certificate. Click **Save** and then return to this window to initiate the process.

   The selection is also inactive if a previously signed certificate is revoked. Because the revocation could indicate that the private key is compromised, the best practice is to import or create a replacement certificate for certificate signing.

2. On the **Certificate Signing** tab, select the **Generate CSR** option.

3. On the **Generate CSR** tab, click **Export** to save the CSR file, and then click **Done**.

   Once saved, you can submit this CSR file to a certificate authority for a CA-signed certificate.

## Importing a certificate-authority response (CSR response)

Use the **Certificate Signing** functionality to import your own CSR response file into PingFederate.

### Steps

1. On the **SSL Client Keys & Certificates** window, select **Certificate Signing** for the certificate.

2. On the **Certificate Signing** tab, select the **Import CSR Response** option.

3. On the **Import CSR Response** tab, choose the applicable CSR response file.

4. On the **Summary** tab, review your configuration, and click **Save**.

## Exporting certificates

On the **SSL Client Keys & Certificates** window, you can export a certificate with or without its private key.

### About this task

This task describes how to export certificates and their private keys. Supported certificate and private key formats differ depending on whether you are running PingFederate with BCFIPS enabled or disabled.

* Certificate and private key format:

  * In non-BCFIPS mode, when the **Certificate and Private Key** option is selected, a **Format** field displays allowing you to choose between exporting a PKCS12 or a PEM formatted certificate and private key.

  * In BCFIPS mode, you can only export PEM-formatted certificates and private keys.

    If you need to convert from PEM to PKCS12 format, use the following command:

    `openssl pkcs12 -export -inkey keypair.pem -in keypair.pem -out keypair.p12`

* Password requirement:

  * In BCFIPS mode, the password must contain at least 14 characters.

### Steps

1. On the **SSL Client Keys & Certificates** window, select **Export** for the certificate.

2. On the **Export Certificate** tab, select the export type.

   * Select **Certificate Only** to export the selected certificate without its private key. This is the default choice.

   * Select **Certificate and Private Key** to export the selected certificate with its private key. If you are *not* running in BCFIPS mode, the **Format** section appears, and you must select either **PKCS12** or **PEM**.

     You must also enter and confirm an **Encryption Password**, since this export contains the private key of the certificate.

   If the selected certificate is stored in a hardware security module (HSM), the **Certificate and Private Key** option does not apply.

3. On the **Export & Summary** window, click **Export** to save the certificate file, and then click **Done**.

## Reviewing certificates

Take a closer look at individual certificates to ensure their properties match your needs.

### Steps

1. On the **SSL Client Keys & Certificates** window, select the certificate by its serial number.

2. Review the selected certificate in the pop-up window.

3. When finished, close the pop-up window.

## Removing certificates

Delete certificates you no longer need.

### Steps

1. On the **SSL Client Keys & Certificates** window, select **Delete** for the certificate.

   To cancel the removal request, select **Undelete** for the certificate.

2. Click **Save** to confirm your action.
