The PingFederate administrative console provides a suite of configuration wizards for administrators to manage keys and certificates for various purposes. Tasks includes:

  • Manage trusted certificate authorities (CAs)
  • Manage server certificates for the administrative port and runtime ports
  • Manage client certificate for mutual TLS authentication
  • Manage signing and decryption keys and certificates
  • Manage OAuth and OpenID Connect keys
  • Manage certificates from partners
  • Configure certificate revocation settings
  • Manage partner metadata URLs
  • Rotate system keys

For optimal security, PingFederate can be configured to use a hardware security module (HSM) for cryptographic material storage and operations. Standards such as the Federal Information Processing Standard (FIPS) 140-2 require the storage and processing of all keys and certificates on a certified cryptographic module.


Management of keys and certificates is restricted to administrative users with the Crypto Admin administrative role (see Administrative accounts).

Refer to subsequent topics for configuration steps.