--- title: Certificate management description: PingOne for Enterprise uses signing certificates to sign single sign-on (SSO) messages sent from PingOne for Enterprise. component: pingoneforenterprise page_id: pingoneforenterprise:pingone_for_enterprise:p14e_managing_certificates canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_managing_certificates.html revdate: June 22, 2022 --- # Certificate management PingOne for Enterprise uses signing certificates to sign single sign-on (SSO) messages sent from PingOne for Enterprise. Signing certificates created in PingOne for Enterprise are self-signed by default. You can also create a certificate signing request (CSR) in PingOne for Enterprise and send the certificate for signing by a certificate authority (CA). PingOne for Enterprise uses verification certificates to verify the signature on SSO messages received by PingOne for Enterprise. Your SSO partner provides you with a primary and (optionally) a secondary verification certificate. The secondary verification certificate allows for seamless rollover of signature verification in the event that your SSO partner switches certificates. PingOne for Enterprise first attempts to validate a signature using the primary verification certificate. If verification fails, PingOne for Enterprise will then attempt to use the secondary verification certificate, where defined. | | | | - | ---------------------------------------------------------------------------- | | | Verification certificates are not supported for applications using SAML v1.1 | When you sign on to the PingOne for Enterprise admin portal, the **Dashboard** notification area displays an alert for certificates that are about to expire or have expired. A yellow alert indicates: * One or more signing certificates are due to expire in the next three months * A primary verification certificate is about to expire (and will be replaced by a secondary verification certificate, if available) * A secondary verification certificate is about to expire * An encryption certificate is about to expire A yellow alert for expiring certificates creates a link to the **Certificate Management** page. A red alert indicates a certificate has expired. The alert contains a link to the **Certificate Management** page. In addition to **Dashboard** messages, PingOne for Enterprise notifies Global Administrators and SaaS Administrators about expiring certificates by email. Notification emails are sent 60 days, 7 days, and 1 day before a certificate expires, and again after the certificate expires. For more information about email notification preferences, see [Editing administrative roles, permissions, and notifications](p14e_editing_administrative_roles_permissions_notifications.html).