Certificate management - PingOne for Enterprise

Signing certificates created in PingOne for Enterprise are self-signed by default. You can also create a certificate signing request (CSR) in PingOne for Enterprise and send the certificate for signing by a certificate authority (CA).

PingOne for Enterprise uses verification certificates to verify the signature on SSO messages received by PingOne for Enterprise. Your SSO partner provides you with a primary and (optionally) a secondary verification certificate. The secondary verification certificate allows for seamless rollover of signature verification in the event that your SSO partner switches certificates. PingOne for Enterprise first attempts to validate a signature using the primary verification certificate. If verification fails, PingOne for Enterprise will then attempt to use the secondary verification certificate, where defined.

When you sign on to the PingOne for Enterprise admin portal, the Dashboard notification area displays an alert for certificates that are about to expire or have expired.

A yellow alert indicates:

• One or more signing certificates are due to expire in the next three months
• A primary verification certificate is about to expire (and will be replaced by a secondary verification certificate, if available)
• A secondary verification certificate is about to expire
• An encryption certificate is about to expire

A yellow alert for expiring certificates creates a link to the Certificate Management page.

A red alert indicates a certificate has expired. The alert contains a link to the Certificate Management page.

In addition to Dashboard messages, PingOne for Enterprise notifies Global Administrators and SaaS Administrators about expiring certificates by email. Notification emails are sent 60 days, 7 days, and 1 day before a certificate expires, and again after the certificate expires.

For more information about email notification preferences, see Editing administrative roles, permissions, and notifications.