The optional automatic certificate rotation feature of PingFederate greatly reduces the cost of managing self-signed certificates.
PingFederate supports automatic certificate rotation, on a per-certificate basis, for self-signed certificates created for signing SAML requests, responses, and assertions, or for XML decryption, in browser SSO and WS-Trust STS transactions.
Certificate rotation is only available for self-signed certificates; certificates issued by a CA must still be renewed and replaced manually.
Certificate rotation happens over two stages, identified by the Creation Buffer and Activation Buffer settings.
- The Creation Buffer is the number of days ahead of expiry that PingFederate creates a new key pair and a new certificate.
- The Activation Buffer is the number of days ahead of expiry that PingFederate activates the new certificate, at which point it replaces the current certificate for signing or decryption.
When you enable certificate rotation on a certificate, you can customize the values of the Creation Buffer and Activation Buffer settings. Alternatively, you can keep their default values, which are 25% and 10% of the original lifetime of the current certificate, respectively. The following examples illustrate the default values for both buffers based on a 100-day certificate and a 365-day certificate.
Current certificate | Default Creation Buffer (25% of lifetime) | Default Activation Buffer (10% of lifetime) | Rotation window |
---|---|---|---|
Self-signed certificate #1, valid for 100 days from January 1, 2017 through April 10, 2017 | 25 days ahead of expiry, which is March 17 | 10 days ahead of expiry, which is April 1 | 15 days, from March 17 through March 31 |
Self-signed certificate #2, valid for 365 days from January 1, 2017 through December 31, 2017 | 91 days ahead of expiry, which is October 2 | 36 days ahead of expiry, which is November 26 | 55 days, from October 2 through November 25 |
If PingFederate is shut down at the time a certificate reaches its Creation Buffer threshold, the new key pair and certificate are created when PingFederate is restarted, provided the restart falls within the rotation window.
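The following is an added example, not PingFederate's own code: a small model of the two-stage schedule above, so you can check which dates a given certificate and buffer pair produce and in which stage a restart lands. It represents validity as `not_before` and an exclusive `not_after` (the day after the "valid to" date in the table, so the 100-day certificate ends on April 11 and the 365-day one on January 1, 2018). The class and function names are mine, and truncating the 25% and 10% fractions to whole days is an assumption that happens to reproduce the 91- and 36-day defaults in the table. The catch-up behaviour for a restart after the activation date is likewise an assumption; the documentation only describes a restart inside the rotation window.

```python
"""Schedule model for PingFederate's two-stage self-signed certificate rotation.

Added example, not PingFederate's own code. It reproduces the Creation
Buffer / Activation Buffer arithmetic described above so that a given
certificate and buffer pair can be checked for the dates it produces.
Assumptions beyond the documentation are marked in comments.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class RotationSchedule:
    not_before: date       # first day the certificate is valid
    not_after: date        # first day it is no longer valid (exclusive end),
                           # i.e. the day after the "valid to" date
    creation_days: int     # Creation Buffer: days ahead of expiry
    activation_days: int   # Activation Buffer: days ahead of expiry

    @property
    def lifetime_days(self) -> int:
        return (self.not_after - self.not_before).days

    @property
    def creation_date(self) -> date:
        """Day the new key pair and certificate are generated."""
        return self.not_after - timedelta(days=self.creation_days)

    @property
    def activation_date(self) -> date:
        """Day the new certificate replaces the current one."""
        return self.not_after - timedelta(days=self.activation_days)

    @property
    def window_days(self) -> int:
        """Length of the rotation window: the time partners have to import
        the new certificate before it is used."""
        return self.creation_days - self.activation_days


def plan_rotation(not_before: date, not_after: date,
                  creation_days: Optional[int] = None,
                  activation_days: Optional[int] = None) -> RotationSchedule:
    """Build a schedule, applying the documented defaults of 25 % and 10 %
    of the certificate lifetime when no explicit buffer is given."""
    lifetime = (not_after - not_before).days
    if lifetime <= 0:
        raise ValueError("not_after must be later than not_before")
    # Assumption: fractional days are truncated; that reproduces the
    # 91- and 36-day defaults for a 365-day certificate.
    if creation_days is None:
        creation_days = lifetime * 25 // 100
    if activation_days is None:
        activation_days = lifetime * 10 // 100
    # The creation step must precede activation, and both must fall inside
    # the lifetime, otherwise there is no rotation window at all.
    if not 0 < activation_days < creation_days < lifetime:
        raise ValueError(
            f"need 0 < Activation Buffer ({activation_days}) < "
            f"Creation Buffer ({creation_days}) < lifetime ({lifetime})")
    return RotationSchedule(not_before, not_after, creation_days, activation_days)


def rotation_phase(schedule: RotationSchedule, today: date) -> str:
    """Which stage the certificate is in on a given day."""
    if today < schedule.creation_date:
        return "current"      # nothing to do yet
    if today < schedule.activation_date:
        return "window"       # new certificate exists, old one still in use
    if today < schedule.not_after:
        return "activated"    # new certificate is in use
    return "expired"


def due_actions(schedule: RotationSchedule, today: date,
                replacement: Optional[str]) -> List[str]:
    """Steps to perform on (re)start, given what already happened.

    `replacement` is None (no new certificate yet), "created" or "activated".
    The documented case is a restart inside the rotation window with no
    replacement: the creation step runs then. Assumption: a restart after
    the activation date catches up on both steps, in order.
    """
    phase = rotation_phase(schedule, today)
    actions: List[str] = []
    if phase == "window" and replacement is None:
        actions.append("create")
    elif phase == "activated":
        if replacement is None:
            actions += ["create", "activate"]
        elif replacement == "created":
            actions.append("activate")
    return actions


if __name__ == "__main__":
    # Constructed inputs matching the two examples in the table above.
    for label, not_after in (("100-day", date(2017, 4, 11)),
                             ("365-day", date(2018, 1, 1))):
        s = plan_rotation(date(2017, 1, 1), not_after)
        print(f"{label}: create {s.creation_date} ({s.creation_days} d ahead), "
              f"activate {s.activation_date} ({s.activation_days} d ahead), "
              f"window {s.window_days} days")
```

The validation in `plan_rotation` is the check worth carrying into any automation around these settings: an Activation Buffer equal to or larger than the Creation Buffer leaves no window in which partners can import the new certificate before PingFederate starts using it.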
In a clustered PingFederate environment, when the new signing certificate is ready, the administrative console displays a message to remind the administrators to replicate the new certificate to the engine nodes in .
Although optional, you can turn on notifications for certificate events in . When configured, PingFederate notifies the configured recipient when a new certificate is available and when it is activated. Depending on the role of the certificate, you can update your partner accordingly: the rotation window exists so that a partner can import the new certificate before PingFederate activates it, so act on the "new certificate available" notification rather than waiting for the activation one.