Changing 509 certificates Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
John McCaffreyJohn McCaffrey 

Changing 509 certificates

We have a vendor who uses QlikView to host some of our reports.  We need to create a new Okta App per dashboard.  So when we authenticate there is a gateway and we have been using the same 509 cetificate for many months.  

The 509 certificate has changed in our Org and now we have to create a new gateway when we create new reports.    

We want to avoid having multiple gateways.  Is there a way to update a 509 certificate on old apps?   How often to 509 certificates change in the Okta app (is it when a new version is pushed or on a time scale)?  
Jaypee ManansalaJaypee Manansala (Okta)
Hi John,

Thanks for posting your inquiry in Okta Community portal.

The default certificate generated for all SAML App instances is an X.509 certificate with a SHA1 or SHA256 based signature. SHA1 is insecure and has been deprecated in favour of the stronger SHA256 family. Customers have also been requesting the ability to generate SHA256 signed certificates for their app instances. Below is a link on how you can update your SHA1 to SHA256 or rollover from SHA256 to SHA1. The current work covers only updating the certificate for SAML 2.0 apps, not SAML 1.1 apps. Also, this would NOT involve changing the default Org certificate that is generated when an org is created.

There is no specific lifecycle for the SAML certificate unless the Service Providers (ISV) is requiring to have the latest SAML cert which we can update and deploy on a scheduled time. Okta will provide advance warning on this kind of maintenance.