Manage certificate rotation settings for self-signed certificates on Security > Certificate & Key Management > Signing & Decryption Keys & Certificates.

  1. On the Signing & Decryption Keys & Certificates window, select Certificate Rotation for the applicable certificate.

    Certificate rotation is available only for self-signed certificates.

  2. Select the check box to turn on certificate rotation for the selected certificate, then click Next.

    If you want to turn off certificate rotation for the selected certificate, clear the check box and then click Save.

  3. Optional: On the Certificate Rotation tab, modify the default values.
    | Field | Description |
    | --- | --- |
    | Creation buffer | The number of days ahead of expiry that PingFederate creates a new key pair and a new certificate. The default value is 25% of the original lifetime of the current certificate. |
    | Activation buffer | The number of days ahead of expiry that PingFederate activates the certificate. The default value is 10% of the original lifetime of the current certificate. |
    | Validity | The time during which the certificate is valid. The default value matches that of the current certificate. |
    | Key Algorithm | A cryptographic formula used to generate a key. PingFederate uses either of two algorithms, RSA or EC. The default value matches that of the current certificate. For XML decryption keys, PingFederate only supports the RSA key algorithm. When EC (elliptic curve) is selected as the Key Algorithm value on the Certificate Rotation tab, PingFederate does not update the SAML 2.0 connections and their metadata. |
    | Key Size | The number of bits used in the key. (RSA-1024, 2048 and 4096; and EC-256, 384 and 521.) The default value matches that of the current certificate. |
    | Signature Algorithm | The signing algorithm of the certificate. (RSA and ECDSA-SHA256, SHA384 and SHA512.) The default value matches that of the current certificate. |

  4. On the Certificate Rotation Summary tab, review the rotation settings. Adjust as needed, and then click Save to turn on automatic certificate rotation for this certificate.
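
To sanity-check a set of rotation settings before saving them, the following added example (not PingFederate code) works out when the default buffers would create and activate the replacement certificate and flags the combinations described in the table. The function names, rounding down to whole days, the buffer-ordering checks, and the RSA-1024 warning are assumptions of this example.

```python
from datetime import date, timedelta

# Allowed key sizes per algorithm, as listed in the Key Size field description.
KEY_SIZES = {"RSA": {1024, 2048, 4096}, "EC": {256, 384, 521}}

def default_buffers(lifetime_days):
    """Default creation/activation buffers: 25% and 10% of the original lifetime.
    Rounding down to whole days is an assumption of this example."""
    return lifetime_days * 25 // 100, lifetime_days * 10 // 100

def plan_rotation(not_before, not_after, key_algorithm, key_size,
                  creation_buffer=None, activation_buffer=None,
                  xml_decryption=False):
    """Return (creation_date, activation_date, findings) for one certificate."""
    lifetime = (not_after - not_before).days
    d_create, d_activate = default_buffers(lifetime)
    creation = d_create if creation_buffer is None else creation_buffer
    activation = d_activate if activation_buffer is None else activation_buffer
    findings = []
    if key_size not in KEY_SIZES.get(key_algorithm, set()):
        findings.append(f"unsupported {key_algorithm} key size {key_size}")
    # This example's own judgment, not a statement from the product page.
    if key_algorithm == "RSA" and key_size == 1024:
        findings.append("RSA-1024 is selectable but too weak for new keys")
    if xml_decryption and key_algorithm == "EC":
        findings.append("EC selected for an XML decryption key: SAML 2.0 "
                        "connections and metadata will not be updated")
    # Assumed ordering: the new certificate must exist before it is activated.
    if activation > creation:
        findings.append("activation buffer exceeds creation buffer")
    if creation >= lifetime:
        findings.append("creation buffer is not shorter than the lifetime")
    return (not_after - timedelta(days=creation),
            not_after - timedelta(days=activation), findings)

if __name__ == "__main__":
    # Constructed sample: a one-year self-signed certificate.
    c, a, f = plan_rotation(date(2024, 1, 1), date(2024, 12, 31), "RSA", 2048)
    print("new key pair created:", c, "| activated:", a, "| findings:", f)
```

The gap between the two dates is the window in which partners can pick up the new certificate before it becomes active, so a finding about buffer ordering means that window would be zero or negative.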