Changing certificates from SHA-1 to SHA-2 in PingFederate
Use your Java Virtual Machine (JVM) to generate SHA-2 certificates and import them into PingFederate to replace default SHA-1 certificates for better security.
Before you begin
Component:
- PingFederate earlier than version 8
Ensure that you have installed a JVM.
About this task
PingFederate generates SHA-1 certificates by default prior to version 8. Use these instructions to create an SHA-2 certificate with keytool and import it into PingFederate.
Steps
1. If you are using JDK 1.9 or later, skip to step 4. If you are using an earlier version, download the JCE Unlimited Strength Jurisdiction Policy Files:
   - For JDK 1.8: https://www.oracle.com/java/technologies/jce8-downloads.html
   - For JDK 1.7: https://www.oracle.com/java/technologies/jce-7-download.html
   - For JDK 1.6: https://www.oracle.com/java/technologies/jce-6-download.html
   Java versions 1.9 and later include the appropriate policy files and use them by default.
2. Copy local_policy.jar and US_export_policy.jar to $JAVA_HOME/jre/lib/security. These .jar files already exist in the JCE, so you must overwrite them. If you have a cluster, do this on each node.
3. Restart PingFederate.
4. When signing keypairs, use keytool to generate a self-signed certificate in a pkcs12 keystore instead of the default .jks type:
   keytool -genkeypair -alias sha256 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore sha256.p12 -storepass 2Federate -storetype pkcs12
5. Import the sha256.p12 file into the appropriate PingFederate keystore using the administration console. Replicate the configuration change to all nodes within a cluster by clicking Cluster Management → Replicate Cluster Configuration.
6. Export the public key certificate using either the administration console or the following command:
   keytool -exportcert -alias sha256 -keystore sha256.p12 -storepass 2Federate -storetype pkcs12 -file cert_name.crt
7. To view the contents of the public key certificate, enter the following command:
   keytool -printcert -file cert_name.crt
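As an added example, not part of this PingFederate documentation: a Python check, using only the standard library, that reads the signature algorithm of a DER certificate such as the cert_name.crt exported in step 6 and flags any certificate that is still SHA-1, so the replacement can be verified on every cluster node. The OID table, the read_tlv, decode_oid and tlv helpers, and the constructed test certificates are this example's own, not PingFederate's.

```python
# sha1/sha256WithRSAEncryption OIDs (RFC 3279 / RFC 4055), dotted and as raw OID contents.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
}
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents):
    """Turn OBJECT IDENTIFIER contents into dotted notation (base-128 arcs)."""
    arcs, acc = [str(contents[0] // 40), str(contents[0] % 40)], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def signature_algorithm(der):
    """Name the outer signatureAlgorithm of Certificate ::= SEQUENCE {tbs, alg, sig}."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; base64-decode PEM (-rfc) output first")
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg_id, 0)        # its first element is the algorithm OID
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)    # unknown OIDs are returned in dotted form

def is_sha1(der):
    """True when the certificate still carries a SHA-1 signature and must be replaced."""
    return signature_algorithm(der).startswith("SHA1")

def tlv(tag, contents):
    """DER-encode one TLV; used only to build the constructed test certificates."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def constructed_cert(sig_oid):
    """Skeletal Certificate: 200-byte dummy tbsCertificate (long-form length), given OID, dummy signature."""
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"\x00" * 200) + alg + tlv(0x03, b"\x00" + b"\xaa" * 32))
```

Run is_sha1 over each node's exported cert_name.crt after step 6; keytool -exportcert writes DER unless -rfc is given, in which case base64-decode the PEM body first.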