The standard Java Development Kit (JDK) includes a default trust store, which is pre-provisioned with the root certificates of a number of well-known certificate authorities. If you need to store and maintain certificates that are not in the default trust store, you must create a PingCentral-specific trust store.
- The server certificate chain must be ultimately signed by one of the public certificate authority root certificates present in the Java virtual machine (JVM) default trust store.
- Host name verification is performed. The hostname or IP address specified in the URL must match a name defined in the server certificate presented, which encompasses the distinguished name, subject alternative names, and wildcard matching.
If you want to use self-signed server certificates, root certificates, intermediate certificates, or certificates from a private certificate authority, create a PingCentral-specific trust store and configure PingCentral to access it.
Each time a connection is made, PingCentral checks the remote server's certificate against the PingCentral-specific trust store. If certificate validation fails, PingCentral delegates validation to the default system trust store. If you disable delegation to the default trust store, the only trusted certificates are those in the PingCentral-specific trust store.
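As an added illustration, not PingCentral's own code, the following model follows the lookup order just described together with the host name check above: host name first, then the PingCentral-specific trust store, then the JVM default trust store only while delegation is enabled. Certificate names, chains and store contents are constructed for the example, and signature and validity-period checks are deliberately omitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not a real cert)."""
    subject: str              # subject common name
    issuer: str               # issuer common name
    sans: tuple = ()          # DNS subject alternative names


def hostname_matches(host: str, leaf: Cert) -> bool:
    """Host name verification: exact match on the CN or a SAN, or a one-label wildcard match."""
    host = host.lower()
    for name in (leaf.subject, *leaf.sans):
        name = name.lower()
        if name == host:
            return True
        # "*.corp.example" covers "api.corp.example" but not "corp.example" or "a.b.corp.example"
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def chain_anchored(chain: list, trust_store: set) -> bool:
    """True when the chain, followed issuer by issuer, ends at a CA named in trust_store."""
    for i, cert in enumerate(chain):
        if cert.issuer in trust_store:
            return True
        if i + 1 == len(chain) or chain[i + 1].subject != cert.issuer:
            return False  # chain is broken or ends without reaching a trusted root
    return False


def validate(host: str, chain: list, pingcentral_store: set, default_store: set,
             delegate_to_default: bool = True) -> tuple:
    """Order from the text: host name, PingCentral-specific store, then (if delegated) default store."""
    if not hostname_matches(host, chain[0]):
        return (False, "hostname mismatch")
    if chain_anchored(chain, pingcentral_store):
        return (True, "pingcentral trust store")
    if delegate_to_default and chain_anchored(chain, default_store):
        return (True, "default trust store")
    return (False, "untrusted chain")


# Constructed sample chains: one from a private CA, one from a public CA already in the JVM store.
PRIVATE_CHAIN = [Cert("pingfederate.corp.example", "Corp Issuing CA", ("*.corp.example",)),
                 Cert("Corp Issuing CA", "Corp Root CA")]
PUBLIC_CHAIN = [Cert("sso.example.com", "Public Root CA")]
PINGCENTRAL_STORE = {"Corp Root CA"}
JVM_DEFAULT_STORE = {"Public Root CA"}
```

With delegation disabled, the public chain is rejected even though the JVM default store would accept it, which is the behaviour the text describes.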
- Admin API access to PingFederate to manage environments and deploy applications.
- Backchannel access to the configured OpenID Connect (OIDC) provider when single sign-on (SSO) is enabled.
You can configure PingCentral so that host name verification and certificate validation are disabled. However, you should only disable these options for demonstration or testing purposes.
PingCentral only reads trust store configurations at startup, so restart PingCentral after creating or configuring trust store information.