The optional automatic certificate rotation feature of PingFederate greatly reduces the cost of managing self-signed certificates.
PingFederate supports automatic certificate rotation for self-signed certificates created for signing SAML requests, responses, and assertions, or XML decryption for browser SSO and WS-Trust STS transactions on a per-certificate basis.
Certificate rotation is available only for self-signed certificates. Also, you can't enable rotation on a certificate that is used as the secondary signing certificate in a connection, or as the primary certificate in a connection that is configured with a secondary signing certificate.
Certificate rotation happens over two stages, identified by the Creation Buffer and Activation Buffer settings.
- The Creation Buffer is the number of days ahead of expiry that PingFederate creates a new key pair and a new certificate.
- The Activation Buffer is the number of days ahead of expiry that PingFederate activates the certificate.
When you enable certificate rotation on a certificate, you can customize the values of the Creation Buffer and Activation Buffer settings. Alternatively, you can keep their default values, which are 25% and 10% of the original lifetime of the current certificate, respectively. The following examples illustrate the default values for both buffers based on a 100-day certificate and a 365-day certificate.
| Certificate | Default value for the Creation Buffer field | Default value for the Activation Buffer field | Rotation window |
|---|---|---|---|
| Self-signed certificate #1, valid for 100 days from January 1, 2017 to April 9, 2017 | 25 days ahead of expiry, which is March 16 | 10 days ahead of expiry, which is March 31 | 15 days from March 16 through March 30 |
| Self-signed certificate #2, valid for 365 days from January 1, 2017 to December 31, 2017 | 91 days ahead of expiry, which is October 2 | 36 days ahead of expiry, which is November 26 | 55 days from October 2 through November 25 |
If the PingFederate server is shut down when the Creation Buffer threshold is reached for a given certificate, a new key pair and a new certificate are created if PingFederate is restarted during the rotation window.
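The following model of the two-stage rotation is an added illustration and not Ping Identity's code. It computes the default buffers from a certificate lifetime, classifies where a certificate is in its rotation cycle from the days left until expiry, and walks a lifetime day by day so the shutdown case described above can be checked. Assumptions not taken from the page: buffers are whole days obtained by truncating 25% and 10% of the lifetime; "days ahead of expiry" is the plain difference in days; and a restart after the rotation window has already closed produces no events, because the page does not describe that case.

```python
"""Added model of PingFederate's default certificate-rotation buffers.

Not Ping Identity's code. Assumptions: buffers are whole days (25% and
10% of the lifetime, truncated); days_remaining is the plain day
difference to expiry; behaviour after a missed rotation window is not
modelled because the page does not describe it.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RotationBuffers:
    creation_days: int    # days ahead of expiry at which the new key pair and cert are created
    activation_days: int  # days ahead of expiry at which the new cert is activated

    @property
    def window_days(self) -> int:
        # The rotation window: the new certificate exists but is not yet active.
        return self.creation_days - self.activation_days


def default_buffers(lifetime_days: int) -> RotationBuffers:
    """Default buffers: 25% (creation) and 10% (activation) of the lifetime."""
    if lifetime_days <= 0:
        raise ValueError("certificate lifetime must be a positive number of days")
    return RotationBuffers(
        creation_days=lifetime_days * 25 // 100,   # assumption: truncate to whole days
        activation_days=lifetime_days * 10 // 100,
    )


def rotation_state(days_remaining: int, buffers: RotationBuffers) -> str:
    """Classify a certificate by how many days remain until it expires."""
    if days_remaining < 0:
        return "expired"
    if days_remaining <= buffers.activation_days:
        return "activated"          # the replacement certificate is now in use
    if days_remaining <= buffers.creation_days:
        return "rotation_window"    # replacement created, original still active
    return "current"                # no rotation work yet


def simulate_rotation(lifetime_days: int, buffers: RotationBuffers,
                      down_days: Iterable[int] = ()) -> List[Tuple[int, str]]:
    """Walk the lifetime one day at a time and record rotation events.

    down_days lists values of days_remaining on which the server is shut
    down; no rotation work happens on those days. Creation is deferred to
    the first day the server is up inside the rotation window, which is the
    restart behaviour the page describes. Activation only happens for a
    certificate that was actually created.
    """
    down = set(down_days)
    events: List[Tuple[int, str]] = []
    created = activated = False
    for days_remaining in range(lifetime_days, -1, -1):
        if days_remaining in down:
            continue  # server is shut down: the threshold passes unobserved
        state = rotation_state(days_remaining, buffers)
        if state == "rotation_window" and not created:
            created = True
            events.append((days_remaining, "created"))    # notification: new certificate available
        elif state == "activated" and created and not activated:
            activated = True
            events.append((days_remaining, "activated"))  # notification: certificate activated
    return events


if __name__ == "__main__":
    # Constructed inputs matching the two examples in the text.
    for lifetime in (100, 365):
        b = default_buffers(lifetime)
        print(lifetime, "days:", b, "window =", b.window_days, "days")
    # Server down from 25 to 21 days before expiry: creation happens on restart at day 20.
    print(simulate_rotation(100, default_buffers(100), down_days=range(25, 20, -1)))
```

The simulation returns its events rather than printing them, so an operator can diff the expected "created" and "activated" points against the notifications actually received; an empty event list after a long outage is the signal to inspect the certificate manually, since that case is outside what the page promises.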
In a clustered PingFederate environment, when the new signing certificate is ready, the administrative console displays a message to remind the administrators to replicate the new certificate to the engine nodes in .
Notifications for certificate events are optional, but you can turn them on in PingFederate. When configured, PingFederate notifies the configured recipient when a new certificate is available and when it is activated. Depending on the role of the certificate, you can update your partner accordingly.