This task describes how to import certificates and their private keys. Supported certificate and private key formats differ depending on whether you are running PingFederate with BCFIPS enabled or disabled.
  • Certificate and private key format:
    • In non-BCFIPS mode, PingFederate supports PKCS12 and PEM formatted certificates and private keys, and automatically detects which of the two formats a file uses.
    • In BCFIPS mode, PingFederate only supports PEM formatted certificates and private keys. Only PBES2 and AES or Triple DES encryption is accepted, and a 128-bit salt is required. In practice, this may mean that only PEM files generated by PingFederate can be imported.
    • For PEM, the private key must precede the certificates.
  • Password requirement:
    • In BCFIPS mode, the password must contain at least 14 characters.
  1. On the SSL Server Certificates window, click Import.
  2. On the Import Certificate window, choose the applicable certificate file and enter its password.
    Note: If PingFederate is integrated with a hardware security module (HSM) from Thales, you cannot use an elliptic curve (EC) certificate as an SSL server certificate. You must select a certificate that uses the RSA key algorithm.

  3. If PingFederate is integrated with an HSM in hybrid mode, select the storage facility of the certificate from the Cryptographic Provider list.
    1. Select HSM to store the certificate in the HSM.
    2. Select Local Trust Store to store the certificate in the local trust store managed by PingFederate.
  4. On the Summary window, review your configuration, amend as needed, and click Save.
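
A pre-import check for the BCFIPS-mode requirements listed above, as an added example that is not PingFederate's own code: it checks password length, key-before-certificate order, PBES2, the cipher family, and the salt size in a PEM file. Assumptions: the function names are hypothetical, any AES mode counts as acceptable, "128-bit salt" is read as exactly 16 bytes, and the sample PEM is constructed with dummy data.

```python
import base64, re
PBES2 = bytes.fromhex("2a864886f70d01050d")       # DER bytes of OID 1.2.840.113549.1.5.13
AES_ARC = bytes.fromhex("6086480165030401")       # 2.16.840.1.101.3.4.1.x: any AES mode (assumption)
DES_EDE3_CBC = bytes.fromhex("2a864886f70d0307")  # 1.2.840.113549.3.7 (Triple DES)

def der_items(buf):  # split DER content into (tag, content) pairs
    items, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        items.append((tag, buf[pos:pos + length]))
        pos += length
    return items

def check_pem(text, password):
    """Return a list of problems; empty means the file passed these checks."""
    problems = ["password shorter than 14 characters"] if len(password) < 14 else []
    blocks = re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", text, re.S)
    keys = [i for i, b in enumerate(blocks) if b[0].endswith("PRIVATE KEY")]
    certs = [i for i, b in enumerate(blocks) if b[0] == "CERTIFICATE"]
    if not keys or not certs or max(keys) > min(certs):
        problems.append("private key must precede the certificates")
    for label, body in (blocks[i] for i in keys):
        if label != "ENCRYPTED PRIVATE KEY":
            problems.append("key is not a PKCS#8 ENCRYPTED PRIVATE KEY, so not PBES2")
            continue
        info = der_items(base64.b64decode("".join(body.split())))[0][1]
        alg_oid, params = der_items(der_items(info)[0][1])  # encryptionAlgorithm
        if alg_oid[1] != PBES2:
            problems.append("key encryption scheme is not PBES2")
            continue
        kdf, enc = der_items(params[1])                     # PBES2-params
        salt = der_items(der_items(kdf[1])[1][1])[0][1]     # first field of the KDF params
        if len(salt) != 16:
            problems.append(f"salt is {len(salt) * 8} bits, not 128")
        cipher_oid = der_items(enc[1])[0][1]
        if not (cipher_oid.startswith(AES_ARC) or cipher_oid == DES_EDE3_CBC):
            problems.append("cipher is neither AES nor Triple DES")
    return problems

def sample_pem(salt_len=16):  # constructed sample: real PBES2 layout, dummy ciphertext and cert
    t = lambda tag, body: bytes([tag, len(body)]) + body  # short-form DER encoder
    kdf = t(0x30, t(6, bytes.fromhex("2a864886f70d01050c")) + t(0x30, t(4, bytes(salt_len)) + t(2, b"\x27\x10")))  # PBKDF2
    enc = t(0x30, t(6, AES_ARC + b"\x2a") + t(4, bytes(16)))  # aes256-CBC with a 16-byte IV
    der = t(0x30, t(0x30, t(6, PBES2) + t(0x30, kdf + enc)) + t(4, bytes(32)))
    pem = "-----BEGIN {0}-----\n{1}\n-----END {0}-----\n"
    return pem.format("ENCRYPTED PRIVATE KEY", base64.b64encode(der).decode()) + pem.format("CERTIFICATE", "AAAA")
```

Call `check_pem(open(path).read(), password)` on the file before using the Import window; the script inspects only the key's encryption metadata and never decrypts it.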