Managing SHA1 Certificate Deprecation
Published: Oct 11, 2016   -   Updated: Jun 22, 2018

Most major browser vendors will deprecate SHA1 later this year, as SHA256 becomes the new standard. Okta’s service provides our customers with a secure environment that adheres to leading security-industry practices. There are three facets to SHA1 certificate deprecation. None of them require action, but there are options available.

  1. Browsers will display deprecation notices.

    Although the deprecation notice will appear in most browsers, Okta is already updated for the change. 

  2. Okta is changing some digital signature algorithms and digest algorithms.

    Okta has identified several Okta Application Network (OAN) applications which leverage SHA1 digital signature algorithms and digest algorithms as part of the assertion. Okta is converting these SAML applications to SHA256-based algorithms over the course of the next few months.

    This change only affects the digital signature algorithm and digest algorithm embedded within the SAML assertion. The certificate associated with an Okta tenant and shared with SAML service providers does not change as a result of this application change. Okta is thoroughly testing applications prior to making changes in production and does not anticipate any issues in your application environment.

    Okta has identified and communicated directly with organizations that use one or more of these SAML applications.

  3. You can update existing SAML 2.0 integrations to use a SHA256 certificate. 

    Certificates with a SHA256 signature are supported for SAML 2.0 applications with Okta. You can create new integrations that use SHA256 certificates and update existing integrations from SHA1 certificates to SHA256 certificates. Existing integrations are not changed automatically. The SHA256 certificates and the SHA1 certificates are self-signed. Note: SHA256 certificate creation is an Early Access (EA) feature; contact Okta support to enable it.

    • New SAML 2.0 app integrations automatically use SHA256 certificates when this feature is enabled. As instructed, upload the SHA256 certificate to the ISV.

    • Existing SAML integrations are not affected, unless you explicitly roll over the key used by the app or change the app sign-on mode to SAML 2.0.

      To update an existing app integration to use certificates with a SHA256 signature, see SAML Apps and SHA256 Certificates. This procedure requires the Okta API.
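The distinction in facet 2 (algorithms declared inside the assertion's XML signature versus the signing certificate itself) is something a service-provider admin can check on a captured SAML response. The following is an added example, not Okta's code; the SAML fragment is constructed, and the algorithm URIs are the standard XML-DSig identifiers.

```python
"""Audit the signature and digest algorithms declared inside a SAML response.

Added example (not Okta code). It inspects only <ds:SignatureMethod> and
<ds:DigestMethod> in the XML-DSig block; the X.509 certificate that signs the
assertion is a separate object and is deliberately not examined here.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Standard XML-DSig algorithm URIs that are SHA1-based.
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}


def audit_signature_algorithms(xml_text: str) -> dict:
    """Return the algorithm URIs found plus a list of SHA1 findings (empty if none)."""
    root = ET.fromstring(xml_text)
    sig_methods = [e.get("Algorithm") for e in root.iter(f"{{{DS}}}SignatureMethod")]
    digest_methods = [e.get("Algorithm") for e in root.iter(f"{{{DS}}}DigestMethod")]
    findings = []
    for uri in sig_methods:
        if uri in SHA1_ALGORITHMS:
            findings.append(f"SignatureMethod uses SHA1: {uri}")
    for uri in digest_methods:
        if uri in SHA1_ALGORITHMS:
            findings.append(f"DigestMethod uses SHA1: {uri}")
    return {"signature_methods": sig_methods, "digest_methods": digest_methods, "findings": findings}


# Constructed SAML response fragment in the pre-migration (SHA1) form.
LEGACY_SAML = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_example">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</saml2p:Response>"""

# Same fragment after the algorithm change: only the two URIs differ, the certificate would not.
MIGRATED_SAML = LEGACY_SAML.replace(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
).replace("http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmlenc#sha256")
```

Running the audit over a response captured at the service provider shows whether that integration still relies on SHA1 algorithms in the assertion, independently of whether the tenant certificate has been rolled over.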