Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

Managing X.509 certificates

Updated on June 30, 2021

Beginning with Pega Platform 8.4, you can import your X.509 certificates directly into the Pega Platform truststore.

Before you begin: The operator must have the Security Administrator role to use the <?pxCanManageCertificates> privilege.

Before you can begin managing x.509 certificates in the Pega Platform truststore, you must perform the following tasks:

  • Obtain an x.509 certificate.
  • Make the certificate available as a file or URL.
  • Create a keystore file instance to import the certificate. For more information about importing the certificate by creating a keystore, see Creating a keystore.
  • Open the certificate management activities. For more information about running an activity rule, see Introduction to activities.
  • Run the certificate management activities as needed.
When your application makes a secure outbound connection using HTTPS, the external host presents a certificate for secure connection authentication. Your application checks this certificate against the certificates in the Pega Platform truststore. If the certificate is not present, the external host is not authenticated, and an exception is thrown. The Pega Platform truststore holds both the public keys and certificates of your trusted external systems.

At runtime, Pega Platform looks for certificates to load in the following order: first from the Pega Platform truststore, then from the application server truststore, and finally from the JVM truststore. After loading a certificate, Pega Platform syncs updates to the certificate in real time and presents them to applications for use with secure outbound connections.

Pega Platform features that require x.509 certificates include the functions described below.

  • Authentication services that import identity metadata exposed over an HTTPS URL
  • Connectors that access external REST API over HTTPS

If you require use of certificates for your applications outbound connections that do not use HTTPS, speak to your regional Pega support team.

  1. In the left navigation pane of Dev Studio, click RecordsTechnicalActivity.
  2. In the Applies To column, click the search icon (▼).
  3. In the Search Text field, enter Data-Admin-Security-Certificate.

    The Record page displays the certificate management activities.

    • The activity Add certificates to Platform Truststore from Pega Keystore (pxAddCertificatesToPlatformTrustore) adds certificates from a Pega keystore rule into the Pega Platform truststore. The activity contains the following parameters:
      • keystoreName: String. The Java KeyStore (JKS) or Public-Key Cryptography Standards (PKCS212) instance from which to import the certificate.
      • overwriteDuplicates: Boolean. When enabled, this activity overwrites the existing Platform truststore certificate with a new certificate of the same alias. When disabled, this activity excludes duplicate certificates from the import.
      • checkExpiryDate: Boolean. Select this check box for this activity to exclude adding expired certificates to the Platform truststore.
    • The activity Change Certificate Status (pxChangeCertificateStatus) changes the status of a certificate to Active or Inactive. The activity contains the following parameters:
      • certificateAliasName: String. The alias name given to the certificate of which you want to change the status.
      • certificateStatus: String. Enter Active or Inactive to apply the respective status to the certificate.
    • The activity Delete Certificate (pxDeleteCertificate) removes the specified certificate from the Platform truststore. The activity contains the following parameter:
      • certificateAliasName: String. The alias name of the certificate to remove from the Platform truststore.
  4. Select an activity to add certificates, change certificate status, or remove certificates from the Platform truststore.
  5. Run the respective certificate activity by clicking ActionsRun.
  6. Complete each field that is defined in the parameters for the activity that you ran.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us