--- title: Updating a verification certificate description: In the event that a verification certificate expires or is about to expire, you must update it. component: pingoneforenterprise page_id: pingoneforenterprise:pingone_for_enterprise:p14e_updating_veritifaction_certificate canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_updating_veritifaction_certificate.html revdate: March 23, 2022 section_ids: updating-an-application-verification-certificate: Updating an application verification certificate about-this-task: About this task steps: Steps result: Result: result-2: Result: updating-an-identity-repository-verification-certificate: Updating an identity repository verification certificate about-this-task-2: About this task steps-2: Steps result-3: Result: result-4: Result: result-5: Result --- # Updating a verification certificate In the event that a verification certificate expires or is about to expire, you must update it. You can update: * An application verification certificate using SAML 2.0 or later * A verification certificate associated with an identity provider (IdP) - Application Certificate - IdP Certificate ## Updating an application verification certificate ### About this task When a verification certificate expires or is about to expire, generally you must upload a new verification certificate. ### Steps 1. In the PingOne for Enterprise admin portal, go to **Setup > Certificates**. 2. Expand the relevant certificate and click the **Usage** tab. 3. Click the application for which you need to update the verification certificate. #### Result: The **Replace Primary Certificate** popup window opens, prompting you to upload the new verification certificate. | | | | - | --------------------------------------------------------------------------------------------------------------------------------- | | | If the certificate is used as a secondary verification certificate, the popup window is called **Replace Secondary Certificate**. | 4. Click **Choose File** and browse to the location of the new verification certificate. #### Result: A message is displayed to indicate the certificate has been successfully updated for the application. ## Updating an identity repository verification certificate ### About this task You can update a verification certificate for a PingFederate Bridge manual connection, Microsoft Active Directory Federation Services (AD FS), or a custom SAML identity repository. If a verification certificate expires or is about to expire, you must obtain an updated certificate from the identity repository. If a secondary certificate is defined and you have not yet received an updated primary verification certificate, PingOne for Enterprise can validate a signature using the secondary certificate. In most cases, you must replace the primary verification certificate with the secondary verification certificate. Do this when your single sign-on (SSO) partner confirms they are no longer signing messages with the certificate previously assigned as the primary verification certificate. ### Steps 1. In the PingOne for Enterprise admin portal, go to **Setup > Certificates**. 2. Expand the relevant certificate and click the **Usage** tab. 3. Click the identity repository for which you need to update the verification certificate. #### Result: The **Replace Primary Certificate** popup window opens, prompting you to upload the new verification certificate. | | | | - | --------------------------------------------------------------------------------------------------------------------------------- | | | If the certificate is used as a secondary verification certificate, the popup window is called **Replace Secondary Certificate**. | 4. Click **Choose File** and go to the location of the new verification certificate. #### Result: A message opens to indicate the certificate has been successfully updated for the identity repository. ### Result The identity repository is updated with the new verification certificates.