Question

I just want to know how certificate revocation works in PingFederate.

From where does it read the expiration time of the certificates that are used by a connection? Is there a file which contains all the information about the connections and their respective certificates?


Solution

Is your main question about detecting when your certificates will expire? If so, details about Certificate Revocation List (CRL) functionality probably aren't what you want. CRLs indicate the serial numbers of the certificates that have been revoked before they have expired - and often expired ones are automatically removed from a CRL.

If you want to determine which certificates are close to expiring - you may have to check each connection. Here's an example of where to check if you are talking about your signing certificate on SP connections (if you are an IdP): https://support.pingidentity.com/s/document-item?bundleId=pingfederate-92&topicId=adminGuide%2FconfiguringDigitalSignatureSettings.html

There is no one central place to check the status of all certificates. If you believe certificates have expired and you are experiencing errors - consult the server.log file. See: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-92&topicId=adminGuide%2FmanagingLogFiles.html

If you'd like to be notified when certificates are about to expire, you can enable Runtime Notifications to have PingFederate email you X # of days before a certificate expires: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-92&topicId=adminGuide%2FconfiguringRuntimeNotifications.html

If all else fails - please contact our Customer Support: https://support.pingidentity.com. They will be happy to assist.

(Note: I work for Ping!)

Other tips

The Expired certificates report Knowledgebase page shows that you can run

cd $PingFederate_Install_Directory/pingfederate/server/default/data
keytool -list -v -keystore ping-dsig.jks < /dev/null

to get a dump of all the certificates, out of which you can parse expiry dates.
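The parsing step mentioned in the answer above, as an added example that is not part of the original answer or of Ping's tooling: it reads `keytool -list -v` output and reports certificates that are expired or close to expiry. The function names and the sample dump are constructed for illustration, and it assumes keytool's English date layout.

```python
import re
import sys
from datetime import datetime, timedelta

# Constructed sample in the layout `keytool -list -v` prints (not real data).
SAMPLE = """\
Alias name: sp-signing-old
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=idp.example.com
Serial number: 1a2b3c
Valid from: Sat Jan 05 10:00:00 UTC 2019 until: Tue Jan 05 10:00:00 UTC 2021

Alias name: sp-signing-new
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=idp.example.com
Serial number: 4d5e6f
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Fri Mar 01 00:00:00 UTC 2030
"""

# Java prints dates as "EEE MMM dd HH:mm:ss zzz yyyy"; capture the "until" part.
UNTIL = re.compile(r"^Valid from: .* until: \w{3} (\w{3}) (\d\d) ([\d:]{8}) \S+ (\d{4})$")


def parse_expiries(dump):
    """Return (alias, serial, not_after) for every certificate in the dump."""
    found, alias, serial = [], None, None
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Serial number:"):
            serial = line.split(":", 1)[1].strip()
        elif (m := UNTIL.match(line)):
            # The zone abbreviation is ambiguous, so it is dropped: the result
            # is in the keystore host's local time, fine for day-level alerts.
            stamp = "{} {} {} {}".format(*m.groups())
            found.append((alias, serial, datetime.strptime(stamp, "%b %d %H:%M:%S %Y")))
    return found


def expiring(dump, now, warn_days=30):
    """List certificates already expired or expiring within warn_days of now."""
    limit = now + timedelta(days=warn_days)
    return [(alias, serial, end, "EXPIRED" if end <= now else "EXPIRING")
            for alias, serial, end in parse_expiries(dump) if end <= limit]


if __name__ == "__main__":
    # Pipe real keytool output on stdin, or run without input to use SAMPLE.
    dump = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for alias, serial, end, state in expiring(dump, datetime.now()):
        print(f"{state:8} {alias} serial={serial} notAfter={end:%Y-%m-%d}")
```

Every certificate in a chain is reported under the alias it belongs to, so an expiring intermediate shows up alongside the leaf.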

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow