PingFederate always checks certificates to see if they have expired when they are initially imported. It also checks certificates at runtime when they are used to verify incoming signed assertions.
PingFederate also checks whether a certificate has been revoked, using either certificate revocation lists (CRLs) or the Online Certificate Status Protocol (OCSP). Depending on what the certificate contains and how you configure the server, it performs one of these checks during single sign-on (SSO) or single log-out (SLO) processing in the following cases:
- Signature verification
- Validation of a client certificate used for authentication to PingFederate when the server is handling direct client requests
- Validation of the server SSL certificate when PingFederate acts as the client making an HTTPS request to a separate server
If the system encounters an expired or revoked certificate, the associated SSO or SLO transaction fails at runtime and writes an error to the transaction log. In the administrative console, the Status column of the respective Certificate Management list identifies the expired or revoked certificate.
CRL revocation checking
This process queries the CRL distribution-point URL carried in the certificate itself and confirms that the certificate's serial number is not on the revocation list the CA maintains there. No setup in the administrative console is needed to enable CRL checking. PingFederate automatically checks CRLs under the following conditions:
- The certificate contains the URL where the CA maintains its CRL.
- The URL is accessible.
- The returned CRL is signed, and PingFederate can verify the signature.
- OCSP is not configured to explicitly disable CRL checking as a failover option.
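The following Go program is added here as an illustration and is not PingFederate's own code. It walks through the conditions above with a throwaway CA built in-process: it issues a leaf certificate carrying a hypothetical distribution point URL (crl.example.test is not a real host), has the CA sign a CRL, and then verifies the certificate the way a relying party would: locate the distribution point, fetch the list (a stub stands in for the HTTP GET), confirm the CRL's issuer and signature against the CA certificate, reject a stale list, and search it for the serial number. All names, serial numbers, the stub fetcher and the helper function names are constructed for the example; it needs Go 1.21 or later for x509.RevocationListEntry.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical distribution point written into the constructed leaf certificate (not a real host).
const crlURL = "http://crl.example.test/ca.crl"

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestPKI builds a throwaway CA and a leaf certificate that names crlURL. Constructed fixture only.
func newTestPKI() (caKey *ecdsa.PrivateKey, ca, leaf *x509.Certificate) {
	now := time.Now()
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // without crlSign its CRLs fail CheckSignatureFrom
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "idp.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		CRLDistributionPoints: []string{crlURL}, // where a verifier is told to fetch the CA's CRL
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return caKey, ca, leaf
}

// issueCRL plays the CA: it signs a CRL listing the given serials with key.
func issueCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, revoked ...*big.Int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: s, RevocationTime: now.Add(-time.Minute)})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// serveCRL stands in for the HTTP GET of the distribution point URL.
func serveCRL(crl []byte) func(string) ([]byte, error) {
	return func(string) ([]byte, error) { return crl, nil }
}

// checkCRL applies the conditions listed above: the certificate must name a distribution point, the
// CRL must be fetchable, issued and signed by the certificate's issuer, still current, and not list the serial.
func checkCRL(cert, issuer *x509.Certificate, fetch func(string) ([]byte, error)) error {
	if len(cert.CRLDistributionPoints) == 0 {
		return errors.New("certificate carries no CRL distribution point")
	}
	der, err := fetch(cert.CRLDistributionPoints[0])
	if err != nil {
		return fmt.Errorf("CRL not reachable: %w", err)
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	if !bytes.Equal(crl.RawIssuer, cert.RawIssuer) {
		return errors.New("CRL issuer does not match certificate issuer")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature does not verify: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is past nextUpdate; a stale list proves nothing")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", cert.SerialNumber, e.RevocationTime.UTC())
		}
	}
	return nil
}

func main() {
	caKey, ca, leaf := newTestPKI()
	fmt.Println("leaf not listed:", checkCRL(leaf, ca, serveCRL(must(issueCRL(ca, caKey, big.NewInt(99))))))
	fmt.Println("leaf revoked:   ", checkCRL(leaf, ca, serveCRL(must(issueCRL(ca, caKey, leaf.SerialNumber)))))
	fmt.Println("CRL unreachable:", checkCRL(leaf, ca, func(string) ([]byte, error) { return nil, errors.New("connect timeout") }))
}
```

Each outcome is a distinct error: a missing distribution point, an unreachable URL, a CRL whose issuer or signature does not match the certificate's CA, a list past its nextUpdate, and a listed serial. The example fails closed when the URL cannot be fetched; the conditions above describe CRL checking as something that happens only when the URL is accessible, so read the unreachable case as the point where a deployment must decide between failing closed and falling back to OCSP. The nextUpdate test is worth keeping even though the conditions above do not spell it out: an old CRL that verifies cleanly says nothing about revocations published since.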
OCSP revocation checking
OCSP is an alternative to CRL validation and provides a more centralized and potentially more reliable means of checking certificate status. In this scenario, PingFederate queries the OCSP responder URL embedded in the incoming certificate (in its Authority Information Access extension) or, if the certificate carries none, a configured default responder URL.
The primary difference between OCSP and CRL checking is where the revocation decision is made. With CRL checking, the requesting client downloads the list and determines for itself whether the certificate, or any certificate in its chain of issuers, appears on it. With OCSP, the client sends the responder an identifier for the certificate (a hash of the issuer name, a hash of the issuer key, and the serial number, not the certificate itself), and the responder performs the lookup and returns the certificate's status. As a PingFederate administrator, you enable and configure OCSP processing in the administrative console, either on its own or with CRL checking as a fallback.
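To make the difference concrete, the following Go program, added here and not part of PingFederate or the original page, builds the CertID that an OCSP client actually sends (RFC 6960 section 4.1.1) and encodes it as a minimal unsigned OCSPRequest using only the standard library. It assumes the issuer's DN and SubjectPublicKeyInfo are available as DER (in Go these are cert.RawIssuer and issuer.RawSubjectPublicKeyInfo); because no real certificate is involved, a constructed sampleIssuer supplies a freshly generated key and an invented DN. The function names, the sample DN and the serial 4242 are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// certID is what an OCSP client sends to identify the certificate (RFC 6960 section 4.1.1).
type certID struct {
	HashAlgorithm  pkix.AlgorithmIdentifier
	IssuerNameHash []byte
	IssuerKeyHash  []byte
	SerialNumber   *big.Int
}

// ocspRequest is the minimal unsigned form: version, requestorName and extensions omitted.
type ocspRequest struct {
	TBSRequest struct{ RequestList []struct{ ReqCert certID } }
}

var oidSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26} // id-sha1, which every responder must support

// newCertID takes the issuer DN as it appears in the certificate being checked (cert.RawIssuer in Go)
// and the issuer's SubjectPublicKeyInfo (issuer.RawSubjectPublicKeyInfo), plus the serial number.
func newCertID(issuerNameDER, issuerSPKIDER []byte, serial *big.Int) (certID, error) {
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if rest, err := asn1.Unmarshal(issuerSPKIDER, &spki); err != nil || len(rest) != 0 {
		return certID{}, errors.New("issuer SubjectPublicKeyInfo does not parse")
	}
	nameHash := sha1.Sum(issuerNameDER)
	keyHash := sha1.Sum(spki.PublicKey.RightAlign()) // hash of the subjectPublicKey value only, not the whole SPKI
	return certID{
		HashAlgorithm:  pkix.AlgorithmIdentifier{Algorithm: oidSHA1, Parameters: asn1.NullRawValue},
		IssuerNameHash: nameHash[:],
		IssuerKeyHash:  keyHash[:],
		SerialNumber:   serial,
	}, nil
}

// encodeRequest wraps one certID in an OCSPRequest and DER-encodes it for sending to the responder.
func encodeRequest(id certID) ([]byte, error) {
	var req ocspRequest
	req.TBSRequest.RequestList = []struct{ ReqCert certID }{{id}}
	return asn1.Marshal(req)
}

// decodeRequest parses the DER back into its certID, as a responder does before looking up the status.
func decodeRequest(der []byte) (certID, error) {
	var req ocspRequest
	rest, err := asn1.Unmarshal(der, &req)
	if err != nil {
		return certID{}, err
	}
	if len(rest) != 0 || len(req.TBSRequest.RequestList) != 1 {
		return certID{}, errors.New("expected exactly one request with no trailing data")
	}
	return req.TBSRequest.RequestList[0].ReqCert, nil
}

// sampleIssuer is a constructed stand-in for the issuer certificate: a fresh key and a DN, DER-encoded.
func sampleIssuer() (nameDER, spkiDER []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if nameDER, err = asn1.Marshal(pkix.Name{CommonName: "Example Test CA"}.ToRDNSequence()); err != nil {
		return nil, nil, err
	}
	spkiDER, err = x509.MarshalPKIXPublicKey(&key.PublicKey)
	return nameDER, spkiDER, err
}

func main() {
	nameDER, spkiDER, err := sampleIssuer()
	if err != nil {
		panic(err)
	}
	id, err := newCertID(nameDER, spkiDER, big.NewInt(4242))
	if err != nil {
		panic(err)
	}
	der, err := encodeRequest(id)
	if err != nil {
		panic(err)
	}
	fmt.Printf("OCSP request: %d bytes, two %d-byte hashes plus the serial, not the %d-byte issuer key\n", len(der), len(id.IssuerKeyHash), len(spkiDER))
}
```

The request carries SHA-1 hashes of the issuer name and key rather than the certificate, so the responder needs the issuer certificate on its side to recognise the pair and then looks up the serial; SHA-1 appears here because RFC 6960 requires responders to support it for CertID, and it serves only as a lookup key. The decode path is the responder's first step, and the trailing-data check keeps a sloppy parser from accepting padded requests.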
For more information about OCSP, see tools.ietf.org/html/rfc2560 (since obsoleted by RFC 6960).
For configuration steps, see Configuring certificate revocation.