Tasks include:

  • Managing trusted certificate authorities (CAs)
  • Managing server certificates for the administrative port and runtime ports
  • Managing client certificates for mutual TLS authentication
  • Managing signing and decryption keys and certificates
  • Managing OAuth and OpenID Connect keys
  • Managing certificates from partners
  • Configuring certificate revocation settings
  • Managing partner metadata URLs
  • Rotating system keys

Note:

For certificates that you own, you have two export options: certificate only, or certificate and private key.

  • Certificate only - PingFederate exports the certificate in PEM format with the file extension .pem. This file contains only public material and is safe to hand to a partner.
  • Certificate and private key - PingFederate exports the certificate and its private key together in PKCS #12 format with the file extension .p12. Because this file contains the private key, protect the file and the password that encrypts it as you would the key itself.

For features that use a certificate that you own, you can either create a new certificate in PingFederate or import an existing certificate and private key from a PKCS #12 file.

Partner certificates contain only the partner's public key, so you can export only the certificate, which PingFederate writes in PEM format. You import a partner certificate in PEM format as well.
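The following added example (not PingFederate's own tooling, and not from the original page) uses OpenSSL to produce the two file formats the text describes and to sanity-check them before import or after export: a certificate-only PEM export must contain no private key, and the key inside a .p12 bundle must belong to the certificate it is packaged with. The subject name, file names, alias and password are made-up test values, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: build and verify PEM (certificate-only) and PKCS #12
# (certificate + private key) files of the kind PingFederate exports and imports.
# All names, paths and the password below are constructed test values.
set -e

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-changeit}"   # assumed password; use a real secret in practice

# make_keypair: self-signed RSA certificate and key standing in for a
# certificate you own (constructed test material, not for production).
make_keypair() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 30 -nodes \
        -subj "/CN=pf.example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# export_p12: certificate and private key as PKCS #12 (.p12), the form used when
# you export a certificate with its key or import one you own.
# If the importing system rejects OpenSSL 3's default AES/PBKDF2 encoding,
# add -legacy to produce the older RC2/3DES encoding.
export_p12() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -name "pf-signing" -passout "pass:$P12_PASS" -out "$WORK/bundle.p12"
}

# export_cert_only: certificate-only PEM, the form used for your own
# certificate-only exports and for partner certificates in both directions.
export_cert_only() {
    openssl x509 -in "$WORK/cert.pem" -out "$WORK/export.pem"
}

# check_pem_has_no_key FILE: a certificate-only export must never carry a
# private key; fails if any PRIVATE KEY block is present.
check_pem_has_no_key() {
    ! grep -q "PRIVATE KEY" "$1"
}

# check_p12_key_matches_cert FILE: extract the key and the certificate from the
# .p12 and confirm the public key derived from the key equals the one in the cert.
check_p12_key_matches_cert() {
    key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$P12_PASS" 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null)
    cert_pub=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$P12_PASS" 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# cert_info FILE: subject and expiry, the two fields worth eyeballing on any
# certificate you are about to import from a partner.
cert_info() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Run the whole flow when executed directly.
make_keypair
export_p12
export_cert_only
check_pem_has_no_key "$WORK/export.pem" || { echo "FAIL: PEM export contains a private key" >&2; exit 1; }
check_p12_key_matches_cert "$WORK/bundle.p12" || { echo "FAIL: .p12 key does not match its certificate" >&2; exit 1; }
cert_info "$WORK/export.pem"
echo "OK: $WORK/export.pem (certificate only) and $WORK/bundle.p12 (certificate + key) verified"
```

The two checks are the ones worth running habitually: `check_pem_has_no_key` catches the mistake of sending a partner a .pem that was actually a concatenated key-and-cert file, and `check_p12_key_matches_cert` catches a .p12 assembled from the wrong key before PingFederate rejects it at import time.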

You can configure PingFederate to use a hardware security module (HSM) to store cryptographic material and perform cryptographic operations. When an HSM is configured, private keys and their corresponding certificates are stored on the module, and the signing and decryption operations that use those keys run on the HSM, so the private keys never leave it. Using an HSM can help your deployment achieve FIPS 140-2 compliance.

Note:

Management of keys and certificates is restricted to administrative users with the Crypto Admin administrative role (see Administrative accounts).

See subsequent topics for configuration steps.