The optional automatic certificate rotation feature of PingFederate greatly reduces the cost of managing self-signed certificates.
PingFederate supports automatic certificate rotation for self-signed certificates created for signing SAML requests, responses, and assertions, or XML decryption for browser SSO and WS-Trust STS transactions on a per-certificate basis.
Certificate rotation is only available for self-signed certificates.
Certificate rotation happens over two stages, identified by the Creation Buffer and Activation Buffer settings.
- The Creation Buffer is the number of days ahead of expiry that PingFederate creates a new key pair and a new certificate.
- The Activation Buffer is the number of days ahead of expiry that PingFederate activates the certificate.
When you enable certificate rotation on a certificate, you can customize the values of the Creation Buffer and Activation Buffer settings. Alternatively, you can keep their default values, which are 25% and 10% of the original lifetime of the current certificate, respectively. The following examples illustrate the default values for both buffers based on a 100-day certificate and a 365-day certificate.
| Current certificate | Default value for the Creation Buffer field | Default value for the Activation Buffer field | Rotation window |
|---|---|---|---|
| Self-signed certificate #1, valid for 100 days from January 1, 2017 to April 9, 2017 | 25 days ahead of expiry, which is March 16 | 10 days ahead of expiry, which is March 31 | 15 days from March 16 through March 30 |
| Self-signed certificate #2, valid for 365 days from January 1, 2017 to December 31, 2017 | 91 days ahead of expiry, which is October 2 | 36 days ahead of expiry, which is November 26 | 55 days from October 2 through November 25 |
If the PingFederate server is shut down when the Creation Buffer threshold is reached for a given certificate, a new key pair and a new certificate are created if PingFederate is restarted during the rotation window.
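The following is an added worked example, not code from PingFederate or its documentation. It models the two-stage schedule described above: the default buffers as 25% and 10% of the current certificate's lifetime (truncated to whole days), the creation and activation dates derived from them, the rotation window between the two, and which stage applies on a given day, including the restart-during-the-window case. The class and function names are assumptions chosen for illustration, and the certificate dates are constructed to match the 365-day example in the table (valid through December 31, 2017, so the expiry instant is January 1, 2018). Where the page does not specify behaviour (a server that comes back only after the activation date with no new certificate created), the example reports that condition rather than guessing.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RotationPolicy:
    """Buffer settings for one certificate; both are counted in days ahead of expiry."""
    creation_buffer_days: int    # new key pair + certificate are created this many days before expiry
    activation_buffer_days: int  # new certificate becomes active this many days before expiry

    def __post_init__(self) -> None:
        # Sanity check: the rotation window only exists if creation precedes activation.
        if self.creation_buffer_days <= 0 or self.activation_buffer_days <= 0:
            raise ValueError("buffers must be positive day counts")
        if self.activation_buffer_days >= self.creation_buffer_days:
            raise ValueError("activation buffer must be smaller than the creation buffer")


def default_policy(not_before: date, not_after: date) -> RotationPolicy:
    """Default buffers: 25% and 10% of the current certificate's lifetime, whole days only."""
    lifetime_days = (not_after - not_before).days
    if lifetime_days <= 0:
        raise ValueError("certificate lifetime must be positive")
    return RotationPolicy(lifetime_days * 25 // 100, lifetime_days * 10 // 100)


@dataclass(frozen=True)
class RotationSchedule:
    creation_date: date    # first day on which the new key pair and certificate are created
    activation_date: date  # first day on which the new certificate is the active one
    window_days: int       # length of the rotation window (creation through the day before activation)


def schedule(not_after: date, policy: RotationPolicy) -> RotationSchedule:
    """Derive the concrete rotation dates from the expiry instant and the buffers."""
    creation = not_after - timedelta(days=policy.creation_buffer_days)
    activation = not_after - timedelta(days=policy.activation_buffer_days)
    return RotationSchedule(creation, activation, (activation - creation).days)


def stage_on(day: date, not_after: date, sched: RotationSchedule, new_cert_exists: bool) -> str:
    """Which rotation stage applies on `day`.

    `new_cert_exists` is False when the creation threshold passed while the server was
    down; if the server comes back inside the rotation window, creation is still due.
    """
    if day >= not_after:
        return "expired"
    if day < sched.creation_date:
        return "current"
    if day < sched.activation_date:
        return "pending-activation" if new_cert_exists else "create-now"
    if new_cert_exists:
        return "activated"
    # Assumption: the page only guarantees creation on restart *within* the window,
    # so a restart after the activation date with no new certificate is flagged for review.
    return "missed-window"


if __name__ == "__main__":
    # Constructed sample: 365-day certificate, Jan 1 through Dec 31, 2017 (expiry instant Jan 1, 2018).
    not_before, not_after = date(2017, 1, 1), date(2018, 1, 1)
    policy = default_policy(not_before, not_after)
    sched = schedule(not_after, policy)
    print(policy, sched)
    print(stage_on(date(2017, 10, 15), not_after, sched, new_cert_exists=False))
```

Running the block prints buffers of 91 and 36 days, a creation date of October 2, an activation date of November 26, and a 55-day window, matching the table; the final line shows a restart on October 15 with no new certificate yet, which falls inside the window and is reported as `create-now`.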
In a clustered PingFederate environment, when the new signing certificate is ready, the administrative console displays a message to remind the administrators to replicate the new certificate to the engine nodes in .
Although optional, you can turn on notifications for certificate events in PingFederate. When configured, PingFederate notifies the configured recipient when a new certificate is available and when it is activated. Depending on the role of the certificate, you can update your partner accordingly.