• PingFederate earlier than version 8

Ensure that you have installed a JVM.

PingFederate generates SHA-1 certificates by default prior to version 8. Use these instructions to create an SHA-2 certificate with keytool and import it into PingFederate.

  1. If using JDK 1.9 or later, skip to step 4. If using an earlier version, download the JCE Unlimited Strength Jurisdiction Policy Files:
    Note: Java versions 1.9 and later include the appropriate policy files and use them by default.
  2. Copy local_policy.jar and US_export_policy.jar to $JAVA_HOME/jre/lib/security. These .jar files already exist in the JCE, so you must overwrite them. If you have a cluster, do this for each node.
  3. Restart PingFederate.
  4. When signing keypairs, use keytool to generate a self-signed certificate in a pkcs12 keystore instead of the default .jks type.
    keytool -genkeypair -alias sha256 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore sha256.p12 -storepass 2Federate -storetype pkcs12
  5. Import the sha256.p12 file into the appropriate PingFederate keystore using the administration console. Replicate the configuration change to all nodes within a cluster by clicking Cluster Management > Replicate Cluster Configuration.
  6. Export the public key certificate using either the administration console or the following command:
    keytool -exportcert -alias sha256 -keystore sha256.p12 -storepass 2Federate -storetype pkcs12 -file cert_name.crt
  7. To view the contents of the public key certificate, enter the following command:
    keytool -printcert -file cert_name.crt