Use the keytool utility that ships with your Java Virtual Machine (JVM) to generate SHA-2 certificates and import them into PingFederate, replacing the default SHA-1 certificates for better security.
- PingFederate earlier than version 8
Ensure that you have installed a JVM.
PingFederate generates SHA-1 certificates by default prior to version 8. Use these instructions to create an SHA-2 certificate with keytool and import it into PingFederate.
If you are using JDK 1.9 or later, skip to step 4. If you are using an earlier version, download the JCE Unlimited Strength Jurisdiction Policy Files:
Note: Java versions 1.9 and later include the appropriate policy files and use them by default.
- For JDK 1.8: https://www.oracle.com/java/technologies/jce8-downloads.html
- For JDK 1.7: https://www.oracle.com/java/technologies/jce-7-download.html
- For JDK 1.6: https://www.oracle.com/java/technologies/jce-6-download.html
- Copy local_policy.jar and US_export_policy.jar to $JAVA_HOME/jre/lib/security. These .jar files already exist in the JCE, so you must overwrite them. If you have a cluster, do this for each node.
- Restart PingFederate.
For signing key pairs, use keytool to generate a self-signed certificate in a PKCS12 keystore instead of the default
keytool -genkeypair -alias sha256 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore sha256.p12 -storepass 2Federate -storetype pkcs12
- Import the sha256.p12 file into the appropriate PingFederate keystore using the administration console. Replicate the configuration change to all nodes within a cluster by clicking .
Export the public key certificate using either the administration console or the following keytool command:
keytool -exportcert -alias sha256 -keystore sha256.p12 -storepass 2Federate -storetype pkcs12 -file cert_name.crt
To view the contents of the public key certificate, enter the following command:
keytool -printcert -file cert_name.crt
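As an added example (not part of the Ping Identity article), the following shell script checks the signature algorithm that keytool -printcert reports, so a SHA-1 certificate is caught before it is imported into PingFederate. The printcert output embedded in it is constructed, and the check_cert_file wrapper assumes keytool is on the PATH.

```shell
#!/bin/sh
# Added example, not from the Ping Identity article: verify the signature
# algorithm of a certificate before importing it into PingFederate.
# The check parses the text printed by "keytool -printcert -file <cert>",
# so it also works on saved output. The sample output below is constructed.

# sigalg_is_sha2 TEXT
# Returns 0 when TEXT names a SHA-2 signature algorithm (SHA256/384/512),
# 1 when it names something weaker such as SHA1withRSA or MD5withRSA,
# 2 when no "Signature algorithm name:" line is present.
sigalg_is_sha2() {
  alg=$(printf '%s\n' "$1" | sed -n 's/^Signature algorithm name: *//p' | head -n 1)
  [ -n "$alg" ] || return 2
  case "$alg" in
    SHA256*|SHA384*|SHA512*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_cert_file FILE
# Runs keytool on a real exported certificate (assumes keytool is on PATH).
check_cert_file() {
  sigalg_is_sha2 "$(keytool -printcert -file "$1")"
}

# Constructed keytool -printcert output for a default (SHA-1) certificate,
# abbreviated to the lines that matter.
SHA1_CERT_OUTPUT='Owner: CN=pingfederate
Issuer: CN=pingfederate
Serial number: 1
Signature algorithm name: SHA1withRSA
Version: 3'

# Constructed output for a certificate generated with -sigalg SHA256withRSA.
SHA256_CERT_OUTPUT='Owner: CN=sha256
Issuer: CN=sha256
Serial number: 2
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3'

if sigalg_is_sha2 "$SHA256_CERT_OUTPUT"; then
  echo "sha256 sample: SHA-2 signature, safe to import"
fi
if ! sigalg_is_sha2 "$SHA1_CERT_OUTPUT"; then
  echo "sha1 sample: weak signature, regenerate with -sigalg SHA256withRSA"
fi
```

Run check_cert_file cert_name.crt on the file exported above; a non-zero exit means the certificate should be regenerated before it goes into the PingFederate keystore.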