PingFederate supports automatic certificate rotation for self-signed certificates created for signing SAML requests, responses, and assertions, or XML decryption for browser SSO and WS-Trust STS transactions on a per-certificate basis.

Note:

Certificate rotation is only available to self-signed certificates.

Certificate rotation happens over two stages, identified by the Creation Buffer and Activation Buffer settings.

  • The Creation Buffer is the number of days ahead of expiry that PingFederate creates a new key pair and a new certificate.
  • The Activation Buffer is the number of days ahead of expiry that PingFederate activates the certificate.

When you enable certificate rotation on a certificate, you can customize the values of the Creation Buffer and Activation Buffer settings. Alternatively, you can keep their default values, which are 25% and 10% of the original lifetime of the current certificate, respectively. The following examples illustrate the default values for both buffers based on a 100-day certificate and a 365-day certificate.

Current certificate The default value for the Creation Buffer field The default value for the Activation Buffer field The rotation window
Self-signed certificate #1, valid for 100 days from January 1, 2017 to April 9, 2017 25 days ahead of expiry, which is March 16 10 days ahead of expiry, which is March 31 15 days from March 16 through March 30
Self-signed certificate #2, valid for 365 days from January 1, 2017 to December 31, 2017 91 days ahead of expiry, which is October 2 36 days ahead of expiry, which is November 26 55 days from October 2 through November 25

If the PingFederate server is shut down when the Creation Buffer threshold is reached for a given certificate, a new key pair and a new certificate are created if PingFederate is restarted during the rotation window.

In a clustered PingFederate environment, when the new signing certificate is ready, the administrative console displays a message to remind the administrators to replicate the new certificate to the engine nodes in System > Server > Cluster Management.

Although optional, you can turn on notifications for certificate events in System > Monitoring & Notifications > Runtime Notifications. When configured, PingFederate notifies the configured recipient when a new certificate is available and when it is activated. Depending on the role of the certificate, you can update your partner accordingly.