---
title: Manage SSL server certificates
description: On the Security > Certificate & Key Management > SSL Server Certificates window, you can establish and maintain the certificates presented for access to the PingFederate administrative console (or the administrative API) and for incoming HTTPS connections at runtime.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_certmanagementtasklet_sslservercerts_certmanagementstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_certmanagementtasklet_sslservercerts_certmanagementstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  ssl-server-certificates-configuration: SSL Server Certificates configuration
  runtime-behavior: Runtime behavior
  creating-a-new-certificate: Creating a new certificate
  steps: Steps
  importing-a-certificate-and-its-private-key: Importing a certificate and its private key
  about-this-task: About this task
  steps-2: Steps
  creating-a-certificate-authority-signing-request-csr: Creating a certificate-authority signing request (CSR)
  steps-3: Steps
  importing-a-certificate-authority-response-csr-response: Importing a certificate-authority response (CSR response)
  steps-4: Steps
  exporting-a-certificate: Exporting a certificate
  about-this-task-2: About this task
  steps-5: Steps
  reviewing-a-certificate: Reviewing a certificate
  steps-6: Steps
  activating-or-deactivating-a-certificate: Activating or deactivating a certificate
  steps-7: Steps
  removing-a-certificate: Removing a certificate
  steps-8: Steps
---

# Manage SSL server certificates

On the **Security > Certificate & Key Management > SSL Server Certificates** window, you can establish and maintain the certificates presented for access to the PingFederate administrative console (or the administrative API) and for incoming HTTPS connections at runtime.

The first system-generated certificate is the default certificate for both the administrative console and the runtime server. As multiple certificates are created, you can activate or deactivate them for the administrative console, the runtime server, or both. Additionally, you can select any of them as the new default certificate for the administrative console, the runtime server, or both at a later time.

When creating a certificate, you can add additional domain names through the use of the **Subject Alternative Names** field. Furthermore, if a user agent includes the host name that it intends to reach as part of the TLS handshake, PingFederate selects the applicable certificate based on the provided Server Name Indication (SNI) information. The selection looks at the common name and subject alternative names of each activated certificate. If PingFederate finds no match, it serves the default certificate. If PingFederate finds multiple matches, it serves the certificate with the better match.

> **Note:** If PingFederate finds multiple certificates of the same matching quality, it returns one of them in the TLS handshake. This response should not impact the user agent because either the common name or one of the subject alternative names matches the host name of the request. If PingFederate should always serve a particular certificate for any given host name, ensure that the common name and any configured subject alternative names do not overlap among multiple certificates.

## SSL Server Certificates configuration

| Certificate | Common name             | Subject alternative names                | Activation status                                   |
| ----------- | ----------------------- | ---------------------------------------- | --------------------------------------------------- |
| #1          | `www.example.com`       | (None)                                   | Administrative console and runtime server           |
| #2          | `www.example.org`       | `*.example.org` and `test.example.local` | Administrative console and runtime server           |
| #3          | `www.example.info`      | `*.example.info` and `*.example.com`     | Administrative console and runtime server           |
| #4          | `admin.example.local`   | (None)                                   | Administrative console (Default) and runtime server |
| #5          | `runtime.example.local` | (None)                                   | Administrative console and runtime server (Default) |

## Runtime behavior

| Request type              | Host name from SNI | Certificate served                                                                                                                                                                                                                                        |
| ------------------------- | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Administrative or runtime | www.example.com    | The host name from the SNI is an exact match to the common name of certificate #1 and a partial match to the second subject alternative name (`*.example.com`) of certificate #3. An exact match is a better match, so PingFederate serves certificate #1. |
| Administrative or runtime | www.example.org    | The host name from the SNI is an exact match to the common name of certificate #2. PingFederate serves certificate #2.                                                                                                                                    |
| Administrative or runtime | sso.example.org    | The host name from the SNI is a partial match to the first subject alternative name (`*.example.org`) of certificate #2. There is no other exact or partial match. PingFederate serves certificate #2.                                                    |
| Administrative or runtime | sso.example.info   | The host name from the SNI is a partial match to the first subject alternative name (`*.example.info`) of certificate #3. There is no other exact or partial match. PingFederate serves certificate #3.                                                   |
| Administrative or runtime | sso.example.com    | The host name from the SNI is a partial match to the second subject alternative name (`*.example.com`) of certificate #3. There is no other exact or partial match. PingFederate serves certificate #3.                                                   |
| Administrative            | www.example.local  | The host name from the SNI does not match any configured certificate. PingFederate serves certificate #4, the default certificate for the administrative console.                                                                                         |
| Runtime                   | localhost          | The host name from the SNI does not match any configured certificate. PingFederate serves certificate #5, the default certificate for the runtime server.                                                                                                 |
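The selection rule described above (exact match beats wildcard match, no match falls back to the listener's default, ties return any one of the matches) is small enough to model directly. The following is an added example, not PingFederate code: it encodes the sample configuration table as data, scores each activated certificate's common name and subject alternative names against the SNI host name, and reproduces the "Runtime behavior" table. Wildcard matching is assumed to cover exactly one DNS label, as in RFC 6125; the page only says "partial match". The `overlapping_names` helper implements the page's advice to check that common names and subject alternative names do not overlap between certificates.

```python
"""Model of SNI-based SSL server certificate selection.

Added example. The certificate table mirrors the page's sample configuration;
the scoring (exact > wildcard > none) is an assumption drawn from the page's
description, not PingFederate's own implementation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ServerCert:
    cert_id: str
    common_name: str
    sans: tuple = ()
    active_for: frozenset = frozenset({"admin", "runtime"})
    default_for: frozenset = frozenset()


# Constructed to mirror the page's "SSL Server Certificates configuration" table.
CERTS = (
    ServerCert("#1", "www.example.com"),
    ServerCert("#2", "www.example.org", ("*.example.org", "test.example.local")),
    ServerCert("#3", "www.example.info", ("*.example.info", "*.example.com")),
    ServerCert("#4", "admin.example.local", default_for=frozenset({"admin"})),
    ServerCert("#5", "runtime.example.local", default_for=frozenset({"runtime"})),
)

EXACT, WILDCARD, NONE = 2, 1, 0


def match_quality(pattern: str, host: str) -> int:
    """Score one CN/SAN entry against the SNI host name (case-insensitive).

    Assumption: a leading '*' covers exactly one DNS label (RFC 6125), so
    '*.example.org' matches 'sso.example.org' but not 'a.b.example.org'.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return EXACT
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".example.org"
        left = host[: -len(suffix)] if host.endswith(suffix) else ""
        if left and "." not in left:    # exactly one label before the suffix
            return WILDCARD
    return NONE


def select_certificate(certs, listener: str, sni_host: Optional[str]) -> str:
    """Return the id of the certificate served on `listener` ('admin' or 'runtime').

    Only certificates activated for that listener are considered; with no SNI
    or no match, the listener's default certificate is served.
    """
    active = [c for c in certs if listener in c.active_for]
    best, best_score = None, NONE
    if sni_host:
        for cert in active:
            names = (cert.common_name, *cert.sans)
            score = max(match_quality(n, sni_host) for n in names)
            if score > best_score:      # on a tie the first match is kept,
                best, best_score = cert, score   # which the page says is allowed
    if best is None:
        best = next(c for c in active if listener in c.default_for)
    return best.cert_id


def overlapping_names(certs) -> dict:
    """Map each CN/SAN entry that appears in more than one certificate to those
    certificate ids; empty means selection is deterministic for every host name."""
    seen = {}
    for cert in certs:
        for name in (cert.common_name, *cert.sans):
            seen.setdefault(name.lower(), set()).add(cert.cert_id)
    return {n: ids for n, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    for listener, host in [("admin", "www.example.com"), ("runtime", "sso.example.org"),
                           ("admin", "www.example.local"), ("runtime", "localhost")]:
        print(f"{listener:8} {host:18} -> {select_certificate(CERTS, listener, host)}")
    print("overlaps:", overlapping_names(CERTS) or "none")
```

Running the script prints one line per sample request with the certificate id the model selects, followed by any overlapping names; adding a certificate whose SAN duplicates an existing entry makes `overlapping_names` flag it, which is the condition the note above says to avoid.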

## Creating a new certificate

On the **SSL Server Certificates** window, you can generate customized certificates.

### Steps

1. On the **SSL Server Certificates** window, click **Create new**.

2. On the **Create Certificate** window, enter the required information.

   For information about each field, refer to the following table.

   | Field                     | Description                                                                                                                                                                                                                                                                                     |
   | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Common Name               | The common name (CN) identifying the certificate.                                                                                                                                                                                                                                               |
   | Subject Alternative Names | The additional DNS names or IP addresses that can be associated with the certificate.                                                                                                                                                                                                           |
   | Organization              | The organization (O) or company name creating the certificate.                                                                                                                                                                                                                                  |
   | Organizational Unit       | The specific unit within the organization (OU).                                                                                                                                                                                                                                                 |
   | City                      | The city or other primary location (L) where the company operates.                                                                                                                                                                                                                              |
   | State                     | The state (ST) or other political unit encompassing the location.                                                                                                                                                                                                                               |
   | Country                   | The country (C) where the company is based.                                                                                                                                                                                                                                                     |
   | Validity (days)           | The time during which the certificate is valid.                                                                                                                                                                                                                                                 |
   | Cryptographic Provider    | The storage facility of the certificate. Applicable and visible only when PingFederate is integrated with an HSM in hybrid mode. Select **HSM** to store the certificate in the HSM, or select **Local Trust Store** to store the certificate in the local trust store managed by PingFederate. |
   | Key Algorithm             | A cryptographic formula used to generate a key. PingFederate uses either of two algorithms, RSA or EC.                                                                                                                                                                                          |
   | Key Size (bits)           | The number of bits used in the key. (RSA-1024, 2048 and 4096; and EC-256, 384 and 521.)                                                                                                                                                                                                         |
   | Signature Algorithm       | The signing algorithm of the certificate. (RSA-SHA256, SHA384, and SHA512; and ECDSA-SHA256, SHA384, and SHA512.)                                                                                                                                                                               |

3. When finished, click **Next**.

4. On the **Summary** window, review your configuration, amend as needed, and click **Save**.

## Importing a certificate and its private key

You can import certificates and their private keys in the **SSL Server Certificates** window.

### About this task

This task describes how to import certificates and their private keys. Supported certificate and private key formats differ depending on whether you are running PingFederate with BCFIPS enabled or disabled.

* Certificate and private key format:

  * In non-BCFIPS mode, we support PKCS12 and PEM formatted certificates and private keys, and automatically detect the format between PKCS12 and PEM.

  * In BCFIPS mode, we only support PEM-formatted certificates and private keys. Only PBES2 with AES or Triple DES encryption is accepted, and a 128-bit salt is required. In practice, this may mean that only PEM files generated by PingFederate can be imported.

  * For PEM, the private key must precede the certificates.

* Password requirement:

  * In BCFIPS mode, the password must contain at least 14 characters.
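The format and password rules in this task can be checked before the file is uploaded. The following is an added example, not PingFederate code: it distinguishes a PEM bundle from a PKCS12 file by its leading bytes, verifies that a PEM file places the private key before the certificates, and enforces the 14-character BCFIPS password minimum. The PBES2/salt requirement is only approximated: the check requires a PKCS#8 `ENCRYPTED PRIVATE KEY` block (the form PBES2 is carried in) and rejects the legacy OpenSSL `RSA PRIVATE KEY` with `Proc-Type`/`DEK-Info` headers, but it does not parse the ASN.1 to confirm the cipher or salt length. The sample bundles are constructed with placeholder bodies and contain no real key material.

```python
"""Pre-flight checks for an SSL server certificate import bundle.

Added example; not PingFederate code. It applies the page's stated rules:
PKCS12 or PEM is auto-detected (non-BCFIPS), BCFIPS accepts PEM only, the
private key must precede the certificates in a PEM file, and a BCFIPS-mode
password needs at least 14 characters.
"""
import re

# One PEM block: label captured, body matched lazily up to the matching END line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def detect_format(data: bytes) -> str:
    """'PEM' if the file is PEM-armoured, 'PKCS12' if it is a DER SEQUENCE, else 'UNKNOWN'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":   # ASN.1 SEQUENCE tag; a PKCS12 PFX structure starts with one
        return "PKCS12"
    return "UNKNOWN"


def pem_labels(data: bytes) -> list:
    """Labels of the PEM blocks in file order, e.g. ['ENCRYPTED PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]


def check_import(data: bytes, password: str, bcfips: bool) -> list:
    """Return a list of problems; an empty list means the bundle passes these checks."""
    problems = []
    fmt = detect_format(data)
    if fmt == "UNKNOWN":
        return ["file is neither PEM nor PKCS12"]
    if bcfips and fmt != "PEM":
        problems.append("BCFIPS mode accepts PEM only")
    if bcfips and len(password) < 14:
        problems.append("BCFIPS mode requires a password of at least 14 characters")
    if fmt == "PEM":
        labels = pem_labels(data)
        keys = [i for i, label in enumerate(labels) if label in KEY_LABELS]
        certs = [i for i, label in enumerate(labels) if label == "CERTIFICATE"]
        if not keys:
            problems.append("PEM file contains no private key")
        if not certs:
            problems.append("PEM file contains no certificate")
        if keys and certs and keys[0] > certs[0]:
            problems.append("private key must precede the certificates")
        if bcfips and keys and labels[keys[0]] != "ENCRYPTED PRIVATE KEY":
            problems.append("BCFIPS mode expects a PKCS#8 ENCRYPTED PRIVATE KEY (PBES2) block")
    return problems


# Constructed sample bundles; the base64 bodies are placeholders, not real key material.
_KEY_PKCS8 = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIB...placeholder...\n"
              b"-----END ENCRYPTED PRIVATE KEY-----\n")
_KEY_LEGACY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               b"DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
               b"MIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n")
_CERT = b"-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----\n"
GOOD_PEM = _KEY_PKCS8 + _CERT
CERT_FIRST_PEM = _CERT + _KEY_PKCS8
LEGACY_PEM = _KEY_LEGACY + _CERT
P12_STUB = b"\x30\x82\x0a\x00" + b"\x00" * 8   # DER SEQUENCE header only


if __name__ == "__main__":
    for name, bundle in [("good", GOOD_PEM), ("cert-first", CERT_FIRST_PEM),
                         ("legacy", LEGACY_PEM), ("pkcs12", P12_STUB)]:
        print(f"{name:10} bcfips={check_import(bundle, 'short', bcfips=True)}")
```

Run it against a real export before importing: a clean result in BCFIPS mode narrows an import failure down to the cipher or salt parameters the check does not inspect.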

### Steps

1. On the **SSL Server Certificates** window, click **Import**.

2. On the **Import Certificate** window, choose the applicable certificate file and enter its password.

   > **Note:** If PingFederate is integrated with a hardware security module (HSM) from Thales, you cannot use an elliptic curve (EC) certificate as an SSL server certificate. You must select a certificate that uses the RSA key algorithm.

3. If PingFederate is integrated with an HSM in hybrid mode, select the storage facility of the certificate from the **Cryptographic Provider** list.

   1. Select **HSM** to store the certificate in the HSM.

   2. Select **Local Trust Store** to store the certificate in the local trust store managed by PingFederate.

4. On the **Summary** window, review your configuration, amend as needed, and click **Save**.

## Creating a certificate-authority signing request (CSR)

On the **SSL Server Certificates** window, you can generate a CSR file for a certificate.

### Steps

1. On the **SSL Server Certificates** window, select **Action > Certificate Signing** for the certificate.

   > **Note:** This selection is inactive if you have not yet saved a newly created or imported certificate. Click **Save** and then return to this window to initiate the process. The selection is also inactive if a previously signed certificate has been revoked. Because the revocation may indicate that the private key has been compromised, the best practice is to import or create a replacement certificate for certificate signing.

2. On the **Certificate Signing** window, select the **Generate CSR** option.

3. On the **Generate CSR** window, click **Export** to save the CSR file, and then click **Done**.

   > **Note:** Once saved, you can submit this CSR file to a certificate authority (CA) for a CA-signed certificate.

## Importing a certificate-authority response (CSR response)

On the **SSL Server Certificates** window, you can import CSR response files for certificates.

### Steps

1. On the **SSL Server Certificates** window, select **Action > Certificate Signing** for the certificate.

2. On the **Certificate Signing** tab, select the **Import CSR Response** option. Click **Next**.

3. On the **Import CSR Response** tab, click **Choose File**, and select the applicable CSR response file. Click **Next**.

4. On the **Summary** tab, review your configuration, and click **Save**.

## Exporting a certificate

On the **SSL Server Certificates** window, you can export a certificate with or without its private key.

### About this task

This task describes how to export certificates and their private keys. Supported certificate and private key formats differ depending on whether you are running PingFederate with BCFIPS enabled or disabled.

* Certificate and private key format:

  * In non-BCFIPS mode, when the **Certificate and Private Key** option is selected, a **Format** field appears, allowing you to choose between exporting a PKCS12 or a PEM formatted certificate and private key.

  * In BCFIPS mode, you can only export PEM-formatted certificates and private keys.

    If you need to convert from PEM to PKCS12 format, use the following command:

    `openssl pkcs12 -export -inkey keypair.pem -in keypair.pem -out keypair.p12`

* Password requirement:

  * In BCFIPS mode, the password must contain at least 14 characters.

### Steps

1. On the **SSL Server Certificates** window, select **Action > Export** for the certificate.

2. On the **Export Certificate** window, select the export type.

   * Select **Certificate Only** to export the selected certificate without its private key. This is the default choice.

   * Select **Certificate and Private Key** to export the selected certificate with its private key. If you are *not* running in BCFIPS mode, the **Format** section appears, and you must select either **PKCS12** or **PEM**.

     You must also enter and confirm an **Encryption Password**, since this export contains the private key of the certificate.

   If the selected certificate is stored in a hardware security module (HSM), the **Certificate and Private Key** option does not apply.

3. On the **Export & Summary** window, click **Export** to save the certificate file, and then click **Done**.

## Reviewing a certificate

On the **SSL Server Certificates** window, you can review a particular certificate.

### Steps

1. On the **SSL Server Certificates** window, select the certificate by its serial number.

2. Review the selected certificate in the pop-up window.

3. When finished, close the pop-up window.

## Activating or deactivating a certificate

On the **SSL Server Certificates** window, you can configure whether to activate or deactivate a certificate.

### Steps

1. On the **SSL Server Certificates** window, select the relevant option under **Action** for the certificate.

   Any certificate can be activated for the administrative console, the runtime server, or both. When multiple certificates are activated for the administrative console (or the runtime server), you can deactivate any of them as long as one certificate remains active. Additionally, you may select any of them as the default certificate.

2. Click **Save** to keep your configuration.

## Removing a certificate

On the **SSL Server Certificates** window, you can delete unwanted certificates.

### Steps

1. On the **SSL Server Certificates** window, select **Action > Delete** for the certificate.

   > **Note:** If the selected certificate is activated for the administrative port, the runtime port, or both, the **Delete** option does not apply. To cancel the removal request, select **Action > Undelete** for the certificate.

2. Click **Save** to confirm your action.
