A Microsoft Azure service outage reminds us that the technologies underlying our infrastructure can have an expiration date. It's important to monitor your servers and perform periodic maintenance so that they keep performing as expected.
PingFederate also relies on certificates for security: HTTPS for Identity Provider (IdP) and Service Provider (SP) connections, and possibly LDAPS connections to your directory services. Certificates are also used to sign assertions and to encrypt data sent in assertions. It is important to renew these certificates before they expire so that your Federation-enabled Single Sign-on (SSO) continues to function.
PingFederate provides an important notification option to send out email notifications before certificates are about to expire. Instructions on how to enable this feature are available in the PingFederate Administrator's Manual section on Configuring Runtime Notifications.
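The runtime notifications described above fire inside PingFederate; an independent check against the certificate files themselves is a useful second line of defence. The script below is an added example and is not part of the original article or of PingFederate. It assumes the openssl command-line tool is installed, creates two constructed self-signed test certificates (one valid for 365 days, one for 10 days) and reports which of them expires within a 30-day warning window, using openssl's -checkend option.

```shell
#!/bin/sh
# Added example: warn about certificates that expire within N days.
# Assumes: openssl CLI on PATH. Certificates below are constructed test data.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# make_test_cert NAME DAYS: create a constructed self-signed certificate
# (for demonstration only) and print its path.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" \
    -days "$2" -subj "/CN=$1.example.test" >/dev/null 2>&1
  echo "$WORKDIR/$1.pem"
}

# cert_expires_within FILE DAYS: exit 0 if the certificate expires within
# DAYS days, exit 1 if it stays valid beyond that window.
# openssl -checkend exits 0 when the certificate will NOT expire within
# the given number of seconds, so the result is inverted here.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1
  else
    return 0
  fi
}

# report_cert FILE DAYS: print subject, notAfter and an OK/WARNING status.
report_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  end=$(openssl x509 -in "$1" -noout -enddate)
  if cert_expires_within "$1" "$2"; then
    echo "WARNING: $subj; $end; expires within $2 days"
  else
    echo "OK: $subj; $end"
  fi
}

# Demo: one long-lived and one short-lived constructed certificate,
# checked against a 30-day warning window.
LONG=$(make_test_cert longlived 365)
SHORT=$(make_test_cert shortlived 10)
report_cert "$LONG" 30
report_cert "$SHORT" 30
```

To use it against a real deployment, point report_cert at the PEM files behind your HTTPS listener, the certificates exported from the PingFederate signing and verification stores, and the LDAPS server certificate, and run it from cron with a window longer than your renewal lead time.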
The following articles detail some common problems and their solutions relating to certificates:
New SSL certificate not trusted by Firefox web browser
After replacing an expired SSL certificate within PingFederate with a new one generated and signed by an intermediate Verisign certificate authority, it was not trusted by Firefox web browsers (Internet Explorer worked, however).

Converting a DER x509 certificate to PEM
If you are having problems importing a certificate, it may need to be converted from DER to PEM format.

Certificate Error - Unable to import the keys from the selected file
During the process of updating an expired SSL server certificate, a CSR Response was generated by the certificate authority. When attempting to import the CSR Response, the following error message was generated: I/O Error occurred while importing the file. Unable to import the keys from the selected file. PKCS12 keys are supported.

Certificate error after 6.0 upgrade
After upgrading from PingFederate version 5.3 to 6.0, users see the following message: HTTP/1.x 500 The cert chain is not trusted.

A newly created/imported Digital Signing Certificate is not available in the drop-down list
When PingFederate is communicating with itself (IdP and SP Connections on the same server, as when using the Salesforce Connector or doing internal SSO), any certificate (public/private key pair) created for Digital Signing must also have its public key exported as an X.509 certificate and re-imported as a Signature Verification Certificate for use in the IdP Connection(s).
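Three of the problems above (a CA response delivered in DER form, an import that fails because the file is not a PKCS12 key store, and an untrusted certificate chain) share the same handling with the openssl command line. The script below is an added example, not part of the original article or of PingFederate, and assumes only that openssl is installed. It builds a constructed test CA and a server certificate issued by it, simulates the CA returning the certificate in binary DER, converts it to PEM, verifies the chain, and packages the private key with the certificate and chain into a PKCS12 file of the kind the import dialog accepts. The CA name, the hostname sso.example.test and the password "changeit" are assumptions made for the example.

```shell
#!/bin/sh
# Added example: DER -> PEM conversion, chain verification and PKCS12 packaging.
# Assumes: openssl CLI on PATH. All certificates here are constructed test data.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed test CA (self-signed) and a server key plus CSR issued to it.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" \
  -subj "/CN=Test CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
  -subj "/CN=sso.example.test" >/dev/null 2>&1
openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.pem" \
  -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 -sha256 \
  -out "$WORKDIR/server.pem" >/dev/null 2>&1
# Simulate a CA that hands the signed certificate back as binary DER.
openssl x509 -in "$WORKDIR/server.pem" -outform DER -out "$WORKDIR/server.der"

# cert_format FILE: print PEM or DER depending on how the file parses.
cert_format() {
  if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
    echo PEM
  elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
    echo DER
  else
    echo UNKNOWN
    return 1
  fi
}

# der_to_pem IN OUT: rewrite a DER certificate as PEM.
der_to_pem() {
  openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
}

# verify_chain CERT CA_BUNDLE: exit 0 if CERT chains to CA_BUNDLE.
# With a real intermediate CA the bundle must contain every certificate up to
# the root, otherwise verification fails with an untrusted chain.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# build_pkcs12 KEY CERT CHAIN OUT PASSWORD: bundle key, certificate and chain
# into a password-protected PKCS12 file with a friendly name.
build_pkcs12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -out "$4" -passout "pass:$5" -name "sso-cert" 2>/dev/null
}

# pkcs12_has_key FILE PASSWORD: exit 0 if the PKCS12 file contains a private key.
pkcs12_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# Demo run: detect the format, convert, verify and package.
echo "CA response format: $(cert_format "$WORKDIR/server.der")"
der_to_pem "$WORKDIR/server.der" "$WORKDIR/server-converted.pem"
echo "converted format:   $(cert_format "$WORKDIR/server-converted.pem")"
if verify_chain "$WORKDIR/server-converted.pem" "$WORKDIR/ca.pem"; then
  echo "chain: trusted"
else
  echo "chain: NOT trusted"
fi
build_pkcs12 "$WORKDIR/server.key" "$WORKDIR/server-converted.pem" \
  "$WORKDIR/ca.pem" "$WORKDIR/server.p12" changeit
pkcs12_has_key "$WORKDIR/server.p12" changeit && echo "pkcs12: contains private key"
```

The import error quoted above is what you see when the file selected is only the CA's signed certificate; the key store import expects the private key as well, which is why the certificate is paired with its key in a PKCS12 file here. The chain check mirrors the post-upgrade "cert chain is not trusted" problem: if verify_chain fails for a real certificate, the missing intermediate or root needs to be added to the trusted bundle.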