PingFederate supports, on a per-certificate basis, automatic rotation of self-signed certificates created for signing SAML requests, responses, and assertions, or for XML decryption, in Browser SSO and WS-Trust STS transactions. This optional feature greatly reduces the cost of managing self-signed certificates.
Certificate rotation is only available to self-signed certificates.
Certificate rotation happens in two stages, defined by the Creation Buffer and Activation Buffer settings.
- The Creation Buffer is the number of days ahead of expiry that PingFederate creates a new key pair and a new certificate.
- The Activation Buffer is the number of days ahead of expiry that PingFederate activates the certificate.
When you enable certificate rotation on a certificate, you can customize the values of the Creation Buffer and Activation Buffer settings. Alternatively, you can keep their default values, which are 25 percent and 10 percent, respectively, of the lifetime of the current certificate. The following examples illustrate the default values for both buffers based on a 100-day certificate and a 365-day certificate.
| Certificate | The default value for the Creation Buffer field | The default value for the Activation Buffer field | The rotation window |
|---|---|---|---|
| Self-signed certificate #1, valid for 100 days from January 1, 2017 to April 9, 2017 | 25 days ahead of expiry, which is March 16 | 10 days ahead of expiry, which is March 31 | 15 days, from March 16 through March 30 |
| Self-signed certificate #2, valid for 365 days from January 1, 2017 to December 31, 2017 | 91 days ahead of expiry, which is October 2 | 36 days ahead of expiry, which is November 26 | 55 days, from October 2 through November 25 |
If the PingFederate server is shut down when the Creation Buffer threshold is reached for a given certificate, the new key pair and certificate are created when PingFederate is restarted, provided the restart occurs during the rotation window.
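The following added example (not PingFederate code, and not taken from the original page) models the buffer arithmetic and the rotation window described above, and the catch-up behaviour after a restart. It assumes that default buffers are floored to whole days (which reproduces the table's 91 and 36 days for a 365-day certificate) and that "expiry" is the day after the last day of validity, which is how the dates in the table line up. The `next_action` helper, its return strings, and what it does once the activation date has passed without a new certificate are assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Documented defaults: 25% and 10% of the current certificate's lifetime.
DEFAULT_CREATION_PCT = 25
DEFAULT_ACTIVATION_PCT = 10


def default_buffers(lifetime_days: int) -> tuple[int, int]:
    """Return (creation_buffer_days, activation_buffer_days) for a lifetime.

    Fractions of a day are dropped (assumption; the page only shows whole-day
    results), which gives 91 and 36 for a 365-day certificate.
    """
    return (lifetime_days * DEFAULT_CREATION_PCT // 100,
            lifetime_days * DEFAULT_ACTIVATION_PCT // 100)


def _as_date(value: date | str) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass(frozen=True)
class RotationPlan:
    expires_on: date            # first day the current certificate is no longer valid
    creation_buffer_days: int
    activation_buffer_days: int

    def __post_init__(self) -> None:
        # A window only exists if creation precedes activation, and activation
        # must happen before expiry; reject settings that cannot rotate in time.
        if self.activation_buffer_days <= 0:
            raise ValueError("activation buffer must be at least one day")
        if self.creation_buffer_days <= self.activation_buffer_days:
            raise ValueError("creation buffer must be larger than activation buffer")

    @property
    def create_on(self) -> date:
        return self.expires_on - timedelta(days=self.creation_buffer_days)

    @property
    def activate_on(self) -> date:
        return self.expires_on - timedelta(days=self.activation_buffer_days)

    @property
    def window_days(self) -> int:
        # Days on which the new certificate exists but is not yet active.
        return self.creation_buffer_days - self.activation_buffer_days


def plan_with_defaults(lifetime_days: int, expires_on: date | str) -> RotationPlan:
    """Build a plan using the default buffers for the given lifetime."""
    creation, activation = default_buffers(lifetime_days)
    return RotationPlan(_as_date(expires_on), creation, activation)


def next_action(plan: RotationPlan, today: date | str,
                new_cert_exists: bool, new_cert_active: bool) -> str:
    """Decide what a rotation check run on `today` should do (hypothetical helper).

    The check is evaluated against the current date rather than only on the
    threshold day, which is what lets a server that was down on the creation
    date catch up when it restarts inside the rotation window.
    """
    today = _as_date(today)
    if today >= plan.expires_on:
        return "expired"
    if not new_cert_exists:
        # Creation is due from the creation date onward; still creating after
        # the activation date has passed is an assumption, not page behaviour.
        return "create" if today >= plan.create_on else "none"
    if today >= plan.activate_on and not new_cert_active:
        return "activate"
    return "none"


if __name__ == "__main__":
    for lifetime, expiry in ((100, "2017-04-10"), (365, "2018-01-01")):
        p = plan_with_defaults(lifetime, expiry)
        print(f"{lifetime}-day certificate: create {p.create_on}, "
              f"activate {p.activate_on}, window {p.window_days} days")
```

Running the block prints the creation and activation dates for both certificates in the table. Because `next_action` is driven by the current date, a server restarted on any day between `create_on` and `activate_on` with no new certificate still returns `"create"`, mirroring the catch-up behaviour described for a restart during the rotation window.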
In a clustered PingFederate environment, when the new signing certificate is ready, the administrative console displays a message reminding administrators to replicate the new certificate to the engine nodes from the screen.
Although optional, it is recommended that you turn on notifications for certificate events in the screen. When configured, PingFederate notifies the configured recipient when a new certificate becomes available and when it is activated. Depending on the role of the certificate, you can then update your partner accordingly.