PingOne Advanced Services

Creating and updating virtual hosts

You and your administrators can create and update virtual host certificates and TLS configurations yourselves.

Platform version 2.0.0, released in December 2024, contained enhancements that made this functionality possible. To use it, we’ll need to migrate these certificates and configurations from GitOps orchestration to the API.

  • If you’re using platform version 1.19.2.0 or earlier, a Ping Identity representative will reach out to you to complete this migration.

  • If you’re using platform 2.0.0 or later, you can request this migration at any time by submitting a service request.

Keep the following in mind:

  • After you create or update a configuration, it will take some time for the virtual host to become available.

  • Virtual host configurations are automatically replicated to child regions in PingOne Advanced Services.

  • You must keep track of the certificate’s fullchain and private key yourself because neither the admin console nor the API will return that information.

  • Configurations can only be rolled back once. Then, the configuration needs to be updated at least once before a rollback can be performed again.

Limitations include:

  • You cannot currently create or update the following items yourself. Submit a service request instead.

    • MTLS configurations.

    • Configurations that need custom annotations, such as annotations of Cross-Origin Resource Sharing (CORS) responses.

    • Private Ingress configurations.

    • EC or ECC TLS certificates.

  • Virtual hosts cannot be created for the PingFederate Admin UI or the PingAccess Admin UI in PingOne Advanced Services.

Before you begin

Ensure you have access to either the admin console or the administrative API. Learn more in Accessing the admin console and administrative API.

These instructions explain how to create and update virtual hosts using the admin console. Learn more about using the API in Using the API interactive documentation.

Creating TLS certificates

TLS certificates are required to run virtual hosts. To create TLS certificates, complete the following steps:

  1. In the PingOne Advanced Services admin console, go to Self-service > Secrets.

  2. Click the icon.

  3. Complete the following fields:

    • Secret Type: Enter TLS.

    • Secret Name: A meaningful name for the certificate.

    • Fullchain: Contents of the certificate file.

    • Private Key: Contents of the key file.

  4. For the fullchain, certificates should be concatenated in this order:

    -----BEGIN CERTIFICATE-----
    <Leaf certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Intermediate certificate 1>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Intermediate certificate 2>
    -----END CERTIFICATE-----

    • The leaf certificate must be first.

    • All non-root intermediate certificates follow the leaf.

      Most TLS clients perform PKIX path building and require the full chain (excluding the root). If intermediate certificates are not provided, clients will fail certificate validation even if the root CA is trusted.

    • The root certificate is typically optional and should not be required.

  5. Click Save.

Updating TLS certificates

To update TLS certificates, complete the following steps:

  1. In the PingOne Advanced Services admin console, go to Self-service > Secrets.

  2. Click the More Options icon and select Edit.

  3. Update the following fields:

    • Fullchain: Contents of the certificate file.

    • Private Key: Contents of the key file.

  4. Click Save.

Creating virtual hosts

To create virtual hosts, complete the following steps. You’ll need to provide the name of the TLS certificate you previously created. Learn more in Creating TLS certificates.

  1. In the PingOne Advanced Services admin console, select Self-service > Virtual hosts.

  2. Click the icon.

  3. Complete the following fields:

    • Hostname: Enter the Fully Qualified Domain Name (FQDN).

    • Product Mapping: The PingOne Advanced Services product that you want to map the virtual host to.

    • Certificate name: The name of the TLS certificate to be used with the virtual host address.

  4. Click Save.

Updating virtual hosts

To update virtual hosts, complete the following steps:

  1. In the PingOne Advanced Services admin console, go to Self-service > Virtual hosts.

  2. Click the More Options icon, and select Edit.

  3. Select the TLS certificate that you want to update from the list and update it.

  4. Click Save.

Troubleshooting

If you’re having trouble:

  • Review the certificate chain structure. The command reports OK only if the leaf chains through intermediate.pem to a root in the local trust store:

    openssl verify -untrusted intermediate.pem leaf.pem

  • Display full certificate details (verify the expiration date and SANs):

    openssl x509 -text -noout -in leaf.pem

  • Ensure that the private key matches the certificate. The two digests must be identical:

    openssl x509 -noout -modulus -in leaf.pem | openssl md5
    openssl rsa  -noout -modulus -in key.pem  | openssl md5
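
The fullchain ordering rules and the key check above can be combined into one pre-upload check. This is an added example, not Ping Identity tooling. The function name check_fullchain and the file names are assumptions, and it relies on the openssl command line being installed.

```bash
#!/usr/bin/env bash
# Added example: check a Fullchain / Private Key pair before pasting it into
# the Secrets form. All file names are placeholders.

check_fullchain() {
  local bundle="$1" key="$2" tmp n i key_mod rc=0
  tmp=$(mktemp -d) || return 2

  # One file per certificate, in bundle order: cert1.pem, cert2.pem, ...
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/cert" n ".pem") }' "$bundle"
  n=$(ls "$tmp" | wc -l | tr -d ' ')
  [ "$n" -gt 0 ] || { echo "FAIL: no certificates in $bundle" >&2; rc=1; }

  # Each certificate must be issued by the one that follows it.
  i=1
  while [ "$i" -lt "$n" ]; do
    if [ "$(openssl x509 -noout -issuer_hash -in "$tmp/cert$i.pem")" != \
         "$(openssl x509 -noout -subject_hash -in "$tmp/cert$((i + 1)).pem")" ]; then
      echo "FAIL: certificate $i is not issued by certificate $((i + 1))" >&2
      rc=1
    fi
    i=$((i + 1))
  done

  # A self-signed last entry is a root, which the bundle does not need.
  if [ "$n" -gt 1 ] &&
     [ "$(openssl x509 -noout -issuer_hash -in "$tmp/cert$n.pem")" = \
       "$(openssl x509 -noout -subject_hash -in "$tmp/cert$n.pem")" ]; then
    echo "NOTE: last certificate is self-signed (root) and can be omitted" >&2
  fi

  # The key must be RSA (EC is not self-service) and match the first cert.
  if ! key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null); then
    echo "FAIL: $key is not a readable RSA private key" >&2; rc=1
  elif [ "$key_mod" != \
         "$(openssl x509 -noout -modulus -in "$tmp/cert1.pem" 2>/dev/null)" ]; then
    echo "FAIL: private key does not match the first certificate" >&2; rc=1
  fi

  rm -rf "$tmp"
  return "$rc"
}

# Stand-alone use: ./check_fullchain.sh fullchain.pem key.pem
if [ "$#" -eq 2 ]; then check_fullchain "$1" "$2"; fi
```

The function returns 0 when the bundle is leaf-first with each certificate issued by the next and the RSA key matches the first certificate, and 1 otherwise. It checks ordering and key pairing only, not expiration dates or SANs.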