The standard Java Development Kit (JDK) includes a default truststore, which is pre-provisioned with the root certificates of a number of well-known certificate authorities. If you need to store and maintain certificates that are not in the default truststore, you need to create a PingCentral-specific truststore.
Without modification, PingCentral is secure by default:
- The server certificate chain must be ultimately signed by one of the public certificate authority root certificates present in the JVM default trust store.
- Hostname verification is performed. The hostname or IP address specified in the URL must match a name defined in the server certificate presented, which encompasses the distinguished name, subject alternative names, and wildcard matching.
If you want to use self-signed server certificates, root certificates, intermediate certificates, or certificates issued by a private certificate authority, create a PingCentral-specific truststore and configure PingCentral to access it.
Each time a connection is made, PingCentral checks the remote server's certificate against the PingCentral-specific truststore. If certificate validation fails, PingCentral delegates validation to the default system truststore. If you disable delegation to the default truststore, the only trusted certificates are those in the PingCentral-specific truststore.
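The validation order just described (check the PingCentral-specific truststore first, then optionally delegate to the JVM default truststore, with delegation off meaning only the specific truststore counts) can be expressed as a small `X509TrustManager`. The following is an added illustration, not PingCentral's own code: the class name `TwoTierTrustManager`, the truststore file `pingcentral-truststore.p12`, its password, and the PingFederate URL in `main` are all assumptions chosen for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Example trust manager (not PingCentral's implementation): validates the
 * server chain against a product-specific truststore first and, only when
 * that fails and delegation is enabled, falls back to the JVM default
 * truststore (the JDK "cacerts" file).
 */
public final class TwoTierTrustManager implements X509TrustManager {

    private final X509TrustManager specific;   // product-specific truststore
    private final X509TrustManager jvmDefault; // null when delegation is disabled

    private TwoTierTrustManager(X509TrustManager specific, X509TrustManager jvmDefault) {
        this.specific = specific;
        this.jvmDefault = jvmDefault;
    }

    /** Builds an X509TrustManager for a KeyStore; a null KeyStore selects the JVM default truststore. */
    private static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * @param path              assumed PKCS12 truststore, e.g. built with keytool
     * @param password          truststore password
     * @param delegateToDefault whether to fall back to the JVM default truststore
     */
    public static TwoTierTrustManager load(String path, char[] password, boolean delegateToDefault) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        X509TrustManager specific = trustManagerFor(ks);
        X509TrustManager fallback = delegateToDefault ? trustManagerFor(null) : null;
        return new TwoTierTrustManager(specific, fallback);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            specific.checkServerTrusted(chain, authType);
            return; // chain anchors in the specific truststore
        } catch (CertificateException fromSpecific) {
            if (jvmDefault == null) {
                throw fromSpecific; // delegation disabled: only the specific truststore is trusted
            }
            try {
                jvmDefault.checkServerTrusted(chain, authType);
            } catch (CertificateException fromDefault) {
                fromDefault.addSuppressed(fromSpecific); // keep both failure reasons for diagnostics
                throw fromDefault;
            }
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Used for outbound connections only; inbound client certificates are out of scope here.
        throw new CertificateException("client certificate validation not supported by this trust manager");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        List<X509Certificate> issuers = new ArrayList<>(List.of(specific.getAcceptedIssuers()));
        if (jvmDefault != null) {
            issuers.addAll(List.of(jvmDefault.getAcceptedIssuers()));
        }
        return issuers.toArray(new X509Certificate[0]);
    }

    /** Demo connection; HttpsURLConnection keeps hostname verification enabled by default. */
    public static void main(String[] args) throws Exception {
        // Hypothetical file, password and host; the truststore is assumed to exist already.
        TwoTierTrustManager tm = load("pingcentral-truststore.p12", "changeit".toCharArray(), true);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URI("https://pingfederate.example.internal:9999/").toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The assumed truststore file can be produced with the JDK's own tool, for example `keytool -importcert -trustcacerts -file private-ca.pem -alias private-ca -keystore pingcentral-truststore.p12 -storetype PKCS12 -storepass changeit` (file name, alias and password are placeholders). Note that the fallback path only runs when the first check throws; a chain that anchors in the specific truststore never touches the default one, and passing `false` as the third argument to `load` reproduces the "delegation disabled" behaviour described above.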
In PingCentral, two types of outbound connections perform server certificate validation using the PingCentral-specific truststore. You cannot configure these connections independently.
- Admin API access to PingFederate to manage environments and deploy applications.
- Back-channel access to the configured OIDC provider when SSO is enabled.
You can configure PingCentral so that hostname verification and certificate validation are disabled. However, it is highly recommended that these options only be disabled for demonstration or testing purposes.
PingCentral only reads truststore configurations at startup, so restart PingCentral after creating or configuring truststore information.