The PingFederate administrative console provides a suite of configuration wizards for administrators to manage keys and certificates.
- Managing trusted certificate authorities (CAs)
- Managing server certificates for the administrative port and runtime ports
- Managing client certificates for mutual TLS authentication
- Managing signing and decryption keys and certificates
- Managing OAuth and OpenID Connect keys
- Managing certificates from partners
- Configuring certificate revocation settings
- Managing partner metadata URLs
- Rotating system keys
For certificates that you own, you have two export options: certificate only or certificate and private key.
- Certificate only - PingFederate exports in PEM format with the file extension .pem.
- Certificate and private key - PingFederate exports in PEM or PKCS12 format with the file extension .pem or .p12 respectively.
For features that use a certificate that you own, you can either create a new certificate or import an existing PEM or PKCS12 certificate file.
For partner certificates, you can only export the certificate. PingFederate exports the partner certificate in PEM format. You can also import a partner certificate in PEM format.
If you are running in BCFIPS mode, you can only import and export in PEM format.
You can configure PingFederate to use a hardware security module (HSM) for cryptographic material storage and operations. When configured, private keys and their corresponding certificate are stored on the HSM. Related signing and decryption operations are processed there for enhanced security. By default, even in HSM mode, dynamic OAuth and OpenID Connect signing and decryption keys are generated and stored in the memory of PingFederate cluster nodes. To ensure continuity after a full cluster restart, the decryption keys are also persisted to disk, and encrypted there with PingFederate's active configuration encryption key. To ensure OAuth and OpenID Connect keys are instead stored on the HSM, you must enable static keys.
Management of keys and certificates is restricted to administrative users with the Crypto Admin administrative role (see Administrative accounts).
See subsequent topics for configuration steps.