--- title: Creating a key pair description: Learn how to create a key pair in PingOne. component: pingone page_id: pingone:settings:p1_adding_a_key_pair canonical_url: https://docs.pingidentity.com/pingone/settings/p1_adding_a_key_pair.html revdate: December 1, 2025 keywords: ["create key pair", "generate key pair", "self-signed key pair", "key pair"] section_ids: steps: Steps --- # Creating a key pair Use the **Key Pairs** tab of the **Certificates and Key Pairs** page to set up a key pair for your environment. Generate a self-signed key pair directly in PingOne for standard single sign-on (SSO) needs like SAML or OAuth. Use this option when your use case doesn't require a certificate signed by an external authority. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Follow the instructions in [Importing a key pair](p1_import_cert_and_key_pair.html) if your organization requires a certificate signed by a trusted certificate authority (CA), or if you need a key for specific use cases like SSL/TLS or Windows passwordless authentication. | ## Steps 1. In the PingOne admin console, go to **Settings > Certificates and Key Pairs**. 2. On the **Key Pairs** tab, click the **[icon: plus, set=fa]icon**. ![A screenshot of the view of the certificates page.](_images/p1-cert-keypairs-page-keypair-tab.png) 3. Select **Create New Key Pair**. 4. Enter the following information: | Option | Description | | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Common Name** | The server name that is covered by the certificate. It is typically made up of the domain name, such as `www.example.com`.Don't use special characters (?, $, % and so on), IP addresses, port numbers, or http\:// or https\:// in the common name. | | **Usage Type** | Select the primary usage for this certificate.- **Signing - Verification** Used to create and validate digital signatures. Enables the certificate to sign tokens or data so that other systems can verify the signature to ensure authenticity and integrity. - **Encryption – Decryption**: Used to securely protect sensitive data. Allows the certificate to encrypt information so only the holder of the matching private key can decrypt it. - **SSL/TLS**: Used to secure network connections. Supports encrypted HTTPS communication, ensuring secure connections between clients and servers. - **Issuance**: Used by certificate authorities (CAs) to sign and issue other certificates. Typically selected when the certificate will be used to generate subordinate or leaf certificates within a trust hierarchy. | | **Organization** | The corporation, university, or government agency that is covered by the certificate. Use the legal name under which your organization is registered. Don't use abbreviations or any of these symbols: ! @ # $ % ^ \* ( ) \~ ? > < / \\. | | **Organization unit** (optional) | A division within the primary organization, such as `Engineering` or `Human Resources`. If your organization does business as a trade name, you can specify the trade or DBA name in this field. | | **City** (optional) | The city in which the organization is located. Don't use abbreviations. For example, spell `Saint Louis` rather than `St. Louis`. | | **State** (optional) | The state or province in which the organization is located. | | **Country** | The two-character ISO 3166-1 country code. For example, `US` for the United States. You can find more information about country codes in the [ISO 3166-1 standard documentation](https://www.iso.org/iso-3166-country-codes.html). | | **Validity Days** | The number of days the key is valid, with a maximum of 730 days. | | **Key Algorithm** | The public key algorithm with which to generate the public-private key pair. Choose RSA or EC (Elliptic Curve). | | **Key Size Bits** | The number of bits in the key's algorithm. The available values depend on the selected key algorithm. | | **Signature Algorithm** | The cryptographic algorithm used by the certification authority to sign the certificate. The available values depend on the selected key algorithm. | 5. Click **Save**.