SSL certificates

Inbound connections

Ping Identity domains

PingOne Advanced Identity Cloud uses Google-managed SSL certificates to secure inbound traffic to the forgeblocks.com and forgerock.io domains used by your tenant environments.

Custom domains

Google-managed SSL certificates (default)

If you use a custom domain to access Advanced Identity Cloud, by default a Google-managed SSL certificate is used to secure inbound traffic to the domain. The domain is added to the certificate’s Subject Alternative Name (SAN) field.

Self-managed SSL certificates

Advanced Identity Cloud offers you the choice of using a self-managed SSL certificate with your custom domain, in place of the default Google-managed SSL certificate.

You can create self-managed SSL certificates in two ways:

Use a tenant-generated private key that is only accessible by the tenant itself. The tenant generates the CSR, and you install the resulting certificate on the same tenant. Learn more in Create a certificate using a tenant-generated private key.
Use a locally generated private key that you retain access to. You generate the CSR locally and install the resulting certificate on as many tenants as you need. Learn more in Create a certificate using a locally generated private key.

Learn how to set up your own certificate in Manage SSL certificates using the API.

DV and EV certificates

Providing your own Domain Validation (DV) or Extended Validation (EV) SSL certificate can give your end users extra confidence that your applications are secure. Most browser vendors have now removed the visual signals in the browser address bar that distinguished these certificates (green padlock, highlighted company name, highlighted https protocol). However, the additional EV certificate information is still available when you click the padlock in the browser address bar and inspect the certificate:

Standard SSL certificate:

EV SSL certificate:

browser ssl padlock info

browser ssl certificate info

browser ssl padlock info ev

browser ssl certificate info ev

Wildcard certificates

Wildcard certificates allow subdomains of the same domain to share a certificate in the following ways:

Within the same realm
Across different realms
Within the same realm and across different realms

For example, a certificate for the wildcard domain "*.example.com" could be shared between an Alpha realm using the subdomain "customers.example.com" and a Bravo realm using the subdomain "employees.example.com".

Similarly, the same certificate could be shared between subdomains "employees-emea.example.com" and "employees-apac.example.com" within the same Alpha or Bravo realm.

Outbound connections

Advanced Identity Cloud lets you secure outbound traffic from your tenant environments to your own network; for example, you may want to secure outbound emails from your Advanced Identity Cloud tenant environments to your on-premises SMTP server.

To do this, you supply your own CA or TLS certificates to ForgeRock. ForgeRock then adds the certificates into the trust store of your tenant environments. You can supply as many certificates as you need.

Send Ping Identity a CA or TLS certificate

Go to Backstage Support, and click PingOne Advanced Identity Cloud.
Click Advanced Identity Cloud: Config Request from the PingOne Advanced Identity Cloud options.

In the Request Type section, provide values for the following fields:

Field	Value
Hostname(s)	Enter a comma-separated list of FQDNs for your sandbox^[1], development, UAT^[2], staging, and production tenant environments.
What would you like to do?	Select Add CA or TLS certificate to tenant trust stores.
Do you give permission for ForgeRock to access and make changes to your environment?	Select Yes to allow Backstage Support to access your environments.

Field

Value

Hostname(s)

Enter a comma-separated list of FQDNs for your sandbox^[1], development, UAT^[2], staging, and production tenant environments.

What would you like to do?

Select Add CA or TLS certificate to tenant trust stores.

Do you give permission for ForgeRock to access and make changes to your environment?

Select Yes to allow Backstage Support to access your environments.

In the Upload tab of the Upload your files section:
1. (Optional) Select a storage region for your certificate from the region drop-down list.
2. Click Select files… to open a local file explorer:
  1. Locate a local file containing your certificate, then select it.
  2. Click Open to confirm the local file selection. This also closes the local file explorer.
Click Submit to create the support ticket with your certificate attached.
Backstage Support confirms when the certificate has been imported into the trust stores of your tenant environments.

1. A sandbox environment is an add-on capability.

2. A user acceptance testing (UAT) environment is an add-on capability.