The certificate management service manages two types of records: keys and certificates. A key record represents a key pair consisting of a private key and a public key. A certificate record represents the electronic document (an X.509 certificate) that binds that public key to its owner. This service generates key pairs with FIPS 140-2 Level 1 compliant algorithms, and manages:

The certificate management service listens for the “create organization” event and, when an organization is created, creates a default key and certificate for the organization resource. The default organization certificate includes the following details:

Property Value
version V3 (2)
serialNumber Secure Random generated
algorithmID sha256WithRSAEncryption
issuer commonName: Ping Identity v2; organizationalUnit: www.pingidentity.com; organization: Ping Identity Corporation; country: US
subject commonName: value; Organization Name: value; organizationalUnit: value; organization: value; country: value
validity not before: current date, not after: 1 year from current date
extensions none

The service also listens for “create environment” events and creates a default key and certificate for the environment resource. The default organization certificate is the issuer that signs every environment certificate.

The default environment certificate includes the following details:

Property Value
version V3 (2)
serialNumber Secure Random generated
algorithmID sha256WithRSAEncryption

The default environment key includes the following details:

Property Value
algorithm RSA
validity period 1 year
key length 2048

When uploading certificates, the certificate must be valid at the time of upload. You cannot upload a certificate before its validity period begins (the certificate’s NotBefore date) or after it expires (the certificate’s NotAfter date). The private key must be unencrypted: you cannot upload a private key that is protected by a password or passphrase. The certificate, private key, and certificate chain must all be PEM-encoded unless you upload them together as a single PKCS#12 file.

The certificate management service also manages encryption and decryption operations as well as signing and validation operations.

Certificate management data model

Property Description
algorithm A string that specifies the key algorithm. Options are RSA, EC, and UNKNOWN.
createdAt The time the resource was created.
default A boolean that specifies whether this is the default key for the specified environment.
environment.id A string that specifies the environment resource’s unique identifier.
expiresAt The time the key resource expires.
id A string that specifies the resource’s unique identifier.
issuerDN A string that specifies the distinguished name of the certificate issuer.
keyLength An integer that specifies the key length in bits. For RSA keys, options are 2048, 3072, and 7680. For elliptic curve (EC) keys, options are 224, 256, and 384.
name A string that specifies the resource name.
organization.id A string that specifies the organization resource’s unique identifier.
serialNumber An integer that specifies the serial number of the key or certificate.
signatureAlgorithm A string that specifies the signature algorithm used with the key. Options are SHA256withRSA and SHA512withRSA.
startsAt The time the validity period starts.
status A string that specifies the status of the key, derived from its validity window and revocation state. Options are VALID, EXPIRED, NOT_YET_VALID, and REVOKED.
subjectDN A string that specifies the distinguished name of the subject being secured.
usageType A string that specifies how the certificate is used. Options are ENCRYPTION and SIGNING.
validityPeriod An integer that specifies the number of days the key is valid.

Response codes

Code Message
200 Successful operation.
201 Successfully created.
204 Successfully removed. No content.
400 The request could not be completed.
404 The requested resource was not found.