To maintain security, you should regularly rotate the configuration encryption keys. Rotating keys involves generating a new key and making it the new primary key. PingFederate will use the new primary key to encrypt sensitive information.

To rotate configuration encryption keys:

  1. In the administrative console, go to Security > Certificate & Key Management > Configuration Encryption Keys.
  2. Click Rotate.

    PingFederate generates a new key, inserts it at the top of the pf.jwk file, and displays it at the top of the Configuration Encryption Keys window.

After you rotate the configuration encryption keys, you should use the configkeymgr utility to re-encrypt information that was encrypted with previous keys.