A key pair includes a private key and an X.509 certificate. The certificate includes a public key and metadata about the owner of the private key.

The PingAccess administrative console displays a list of your configured key pairs. You can search for specific key pairs using the Search bar or filter your results using the Filters list.

PingAccess listens for client requests on the administrative console port and on the PingAccess engine port. To enable these ports for HTTPS, the first time you start up PingAccess, it generates and assigns a key pair for each port.

Additionally, key pairs are used by the mutual TLS site authenticator to authenticate PingAccess to a target site. When initiating communication, PingAccess presents the client certificate from a key pair to the site during the mutual TLS transaction. The site must trust this certificate for authentication to succeed.


Ensure that the administrative console node and engines in a cluster have the same cryptographic configuration. For example, if you generate an elliptic curve key pair on the administrative console and the engines in the cluster are not configured to support elliptic curve key pairs, then the engines are not able to use that key pair for the engine HTTPS listeners or as the key pair in a mutual TLS site authenticator.

Cryptographic configuration differences are often caused by having a Java cryptographic extension with limited strength providers installed. For more information, see the Oracle Java documentation.