---
title: Managing certificate and key pair expiration
description: Learn how to manage certificate and key pair expiration in PingOne to ensure uninterrupted service and maintain security.
component: pingone
page_id: pingone:settings:p1_cert_keypair_expiration_and_alerts
canonical_url: https://docs.pingidentity.com/pingone/settings/p1_cert_keypair_expiration_and_alerts.html
revdate: January 21, 2026
keywords: ["certificate expiration", "key pair expiration", "certificate lifecycle management", "key pair lifecycle management"]
section_ids:
  steps: Steps
  setting-up-expiration-alerts: Setting up expiration alerts
  steps-2: Steps
---

# Managing certificate and key pair expiration

PingOne auto-generates new cryptographic keys every 90 days, exceeding best practices. To maintain uninterrupted service for your single sign-on (SSO) and encrypted applications, you must proactively manage the lifecycle of your certificates and key pairs. If these assets expire, authentication requests might fail, and secure connections will be dropped.

## Steps

If a certificate or key pair has already expired, or is nearing its expiration date, perform the following steps:

1. In the PingOne admin console, go to **Settings > Certificates and Key Pairs**.

2. Click the **Certificates** or **Key Pairs** tab to identify any items marked as expired.

3. Create or import a new key pair:

   * Create a key pair: If your organization allows self-signed keys, generate a new one directly in PingOne.

   * Import a key pair: If you require a certificate signed by a trusted CA, import the new files provided by your certificate authority.

4. If the expired key pair was the default key pair for your environment, designate your new key as the default.

5. Ensure any applications are updated with the new public certificate.

## Setting up expiration alerts

You can configure PingOne to automatically notify your team before a certificate or key pair expires.

## Steps

1. In the PingOne admin console, go to **Monitoring > Alerts**.

2. Click the **+** icon and configure the following:

   * **Name**: A unique name for the alert.

   * **Email Addresses**: The addresses to which the alert will be sent. You can specify individual email addresses or mailing lists.

3. **Alert Types**: Select the event types that will trigger the alert:

   | Option                   | Description                                                  |
   | ------------------------ | ------------------------------------------------------------ |
   | **Certificate Expiring** | Provides an alert when a certificate will expire in 60 days. |
   | **Certificate Expired**  | Provides an alert when a certificate expires.                |
   | **KeyPair Expiring**     | Provides an alert when a key pair will expire in 60 days.    |
   | **KeyPair Expired**      | Provides an alert when a key pair expires.                   |

4. Click **Save**.
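
The following is an added example, not PingOne code or a PingOne export format. It applies the 60-day alert window from the table above to a constructed inventory and turns each expired or expiring key pair into the replacement steps listed earlier on this page. The record layout (`name`, `default`, `expires_at`, `used_by`) and all sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone

ALERT_WINDOW = timedelta(days=60)  # lead time of the "Expiring" alert types

# Constructed sample inventory; field names are assumptions for this example.
INVENTORY = [
    {"name": "sso-signing", "default": True,
     "expires_at": "2026-02-10T00:00:00+00:00", "used_by": ["hr-portal", "wiki"]},
    {"name": "legacy-saml", "default": False,
     "expires_at": "2026-01-02T00:00:00+00:00", "used_by": ["payroll"]},
    {"name": "api-encryption", "default": False,
     "expires_at": "2026-09-30T00:00:00+00:00", "used_by": []},
]


def triage(inventory, now):
    """Return one finding per expired or expiring item, most urgent first."""
    findings = []
    for item in inventory:
        expires = datetime.fromisoformat(item["expires_at"])
        if expires.tzinfo is None:
            # Naive timestamps would be compared in an unknown time zone.
            raise ValueError(f"{item['name']}: expiry needs a UTC offset")
        remaining = expires - now
        if remaining > ALERT_WINDOW:
            continue  # outside the alert window, nothing to do yet
        state = "expired" if remaining <= timedelta(0) else "expiring"
        actions = ["create or import a replacement key pair"]
        if item["default"]:
            actions.append("designate the replacement as the default")
        for app in item["used_by"]:
            actions.append(f"update {app} with the new public certificate")
        findings.append({"name": item["name"], "state": state,
                         "days_left": remaining.days, "actions": actions})
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    # Fixed "now" so the constructed sample always gives the same result.
    for f in triage(INVENTORY, datetime(2026, 1, 21, tzinfo=timezone.utc)):
        print(f"{f['name']}: {f['state']} ({f['days_left']} days)")
        for action in f["actions"]:
            print(f"  - {action}")
```
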
