Question

I just want to know how certificate revocation works in PingFederate.

From where does it read the expiration time of the certificates which are used by a connection? Is there a file which contains all the information about the connections and their respective certificates?

Solution

Is your main question about detecting when your certificates will expire? If so, details about Certificate Revocation List (CRL) functionality probably aren't what you want. CRLs indicate the serial #s of the certificates that have been revoked before they have expired - and often expired ones are automatically removed from a CRL.

If you want to determine which certificates are close to expiring - you may have to check each connection. Here's an example of where to check if you are talking about your signing certificate on SP connections (if you are an IdP): https://support.pingidentity.com/s/document-item?bundleId=pingfederate-92&topicId=adminGuide%2FconfiguringDigitalSignatureSettings.html

There is no one central place to check the status of all certificates. If you believe certificates have expired and you are experiencing errors - consult the server.log file. See: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-92&topicId=adminGuide%2FmanagingLogFiles.html

If you'd like to be notified when certificates are about to expire, you can enable Runtime Notifications to have PingFederate email you X # of days before a certificate expires: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-92&topicId=adminGuide%2FconfiguringRuntimeNotifications.html

If all else fails - please contact our Customer Support: https://support.pingidentity.com. They will be happy to assist.

(Note: I work for Ping!)

Other tips

The Expired certificates report Knowledgebase page shows that you can run

cd "$PingFederate_Install_Directory/pingfederate/server/default/data"
keytool -list -v -keystore ping-dsig.jks < /dev/null

to get a dump of all the certificates, out of which you can parse expiry dates.
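One way to parse that dump for expiry dates, as an added example that is not part of the original answer or of Ping's Knowledgebase. It assumes keytool prints its usual English-locale `Alias name:` and `Valid from: ... until: ...` lines; the sample text, the function names and the 30-day threshold are constructed for illustration.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `keytool -list -v` output (not a real keystore).
SAMPLE = """\
Alias name: sp-signing-old
Entry type: PrivateKeyEntry
Valid from: Fri Jan 15 00:00:00 UTC 2021 until: Mon Jan 15 00:00:00 UTC 2024
Alias name: sp-signing-current
Valid from: Mon Jun 20 00:00:00 UTC 2022 until: Thu Jun 20 00:00:00 UTC 2024
Alias name: partner-verify
Valid from: Wed Mar 01 00:00:00 UTC 2023 until: Sun Mar 01 00:00:00 UTC 2026
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
UNTIL_RE = re.compile(
    r"^Valid from: .*? until: \w{3} (\w{3}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2}) \S+ (\d{4})$")

def parse_keytool(text):
    """Return (alias, not_after) for each certificate in the dump."""
    alias, certs = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif (m := UNTIL_RE.match(line)):
            mon, day, hh, mm, ss, year = m.groups()
            # Assumption: the zone token is ignored and the time read as UTC,
            # which is accurate to within a day for expiry reporting.
            certs.append((alias, datetime(
                int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                tzinfo=timezone.utc)))
    return certs

def classify(certs, now, warn_days=30):
    """Split certificates into already expired and expiring within warn_days."""
    limit = now + timedelta(days=warn_days)
    expired = [c for c in certs if c[1] <= now]
    soon = [c for c in certs if now < c[1] <= limit]
    return expired, soon

if __name__ == "__main__":
    # Pipe real keytool output in, or run with no pipe to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    expired, soon = classify(parse_keytool(text), datetime.now(timezone.utc))
    for label, rows in (("EXPIRED", expired), ("EXPIRING", soon)):
        for alias, not_after in rows:
            print(f"{label}\t{alias}\t{not_after:%Y-%m-%d}")
```

An entry with a certificate chain yields one row per certificate in the chain, all under the same alias, so an expiring intermediate shows up as well as the leaf.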

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow