You can import certificates and their private keys in the SSL Server Certificates window.

This task describes how to import certificates and their private keys. Supported certificate and private key formats differ depending on whether you are running PingFederate with BCFIPS enabled or disabled.
- Certificate and private key format:
  - In non-BCFIPS mode, we support PKCS12 and PEM-formatted certificates and private keys, and automatically detect whether a file is PKCS12 or PEM.
  - In BCFIPS mode, we only support PEM-formatted certificates and private keys. Only PBES2 and AES or Triple DES encryption is accepted, and a 128-bit salt is required. In practice, this may mean that only PEM files generated by PingFederate can be imported.
  - For PEM, the private key must precede the certificates.
- Password requirement:
  - In BCFIPS mode, the password must contain at least 14 characters.
- On the SSL Server Certificates window, click Import.
- On the Import Certificate window, choose the applicable certificate file and enter its password.

  Note: If PingFederate is integrated with a hardware security module (HSM) from Thales, you cannot use an elliptic curve (EC) certificate as an SSL server certificate. You must select a certificate that uses the RSA key algorithm.
- If PingFederate is integrated with an HSM in hybrid mode, select the storage facility of the certificate from the Cryptographic Provider list.
  - Select HSM to store the certificate in the HSM.
  - Select Local Trust Store to store the certificate in the local trust store managed by PingFederate.
- On the Summary window, review your configuration, amend as needed, and click Save.
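
The BCFIPS-mode PEM requirements listed before the steps can be checked offline before you click Import. The following Python example is added here and is not Ping Identity code: it applies the page's rules literally (private key block first, 14-character password, PBES2 with AES or Triple DES, 128-bit salt). The function names and the constructed sample file are assumptions, and a clean result does not guarantee that PingFederate accepts the file.

```python
import base64, re

PBES2 = bytes.fromhex("2a864886f70d01050d")   # OID 1.2.840.113549.1.5.13
AES = bytes.fromhex("6086480165030401")       # OID arc 2.16.840.1.101.3.4.1
TDES = bytes.fromhex("2a864886f70d0307")      # OID 1.2.840.113549.3.7 (des-ede3-cbc)
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, i=0):                            # read the DER element at offset i -> (value, next_offset)
    n, i = buf[i + 1], i + 2
    if n & 0x80:                              # long-form length
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return buf[i:i + n], i + n

def pbes2_problems(epki):
    """Check a DER EncryptedPrivateKeyInfo against the page's BCFIPS rules (salt read as exactly 128 bits)."""
    alg, _ = tlv(tlv(epki)[0])                # encryptionAlgorithm
    oid, j = tlv(alg)
    if oid != PBES2:
        return ["key is not PBES2-encrypted"]
    params, _ = tlv(alg, j)                   # PBES2-params
    kdf, k = tlv(params)                      # keyDerivationFunc
    cipher, _ = tlv(tlv(params, k)[0])        # encryptionScheme OID
    salt, _ = tlv(tlv(kdf, tlv(kdf)[1])[0])   # KDF parameters follow the KDF OID; salt comes first
    out = [] if cipher.startswith(AES) or cipher == TDES else ["cipher is neither AES nor Triple DES"]
    return out + ([f"salt is {len(salt) * 8} bits, not 128"] if len(salt) != 16 else [])

def bcfips_preflight(pem_text, password):
    """Return a list of problems; an empty list means every check passed."""
    blocks = [(m[1], m[2]) for m in PEM.finditer(pem_text)]
    labels = [label for label, _ in blocks]
    if not labels or not labels[0].endswith("PRIVATE KEY") or "CERTIFICATE" not in labels[1:]:
        return ["private key must precede the certificates"]
    out = ["password has fewer than 14 characters"] if len(password) < 14 else []
    if labels[0] != "ENCRYPTED PRIVATE KEY":  # unencrypted or legacy OpenSSL-encrypted key
        return out + ["key is not PBES2-encrypted"]
    try:
        return out + pbes2_problems(base64.b64decode(blocks[0][1]))
    except (IndexError, ValueError):          # truncated DER or bad base64
        return out + ["encrypted key could not be parsed"]

def der(tag, *parts):                         # short-form DER, used only to build the sample
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_pem(salt_len=16):                  # constructed sample: PBES2 wrapper around dummy bytes, no real key
    kdf = der(0x30, der(6, PBES2[:-1] + b"\x0c"), der(0x30, der(4, bytes(salt_len)), der(2, b"\x08\x00")))
    enc = der(0x30, der(6, AES + b"\x2a"), der(4, bytes(16)))
    epki = der(0x30, der(0x30, der(6, PBES2), der(0x30, kdf, enc)), der(4, bytes(16)))
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(epki).decode() + "\n-----END ENCRYPTED PRIVATE KEY-----\n"
            "-----BEGIN CERTIFICATE-----\nAA==\n-----END CERTIFICATE-----\n")
```

To check a real file, pass its text and the import password, for example `bcfips_preflight(open(path).read(), password)`.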