This article describes how to create a new X.509 Certificate for an application.
- Applications
- X.509 Certificates
- Security Assertion Markup Language (SAML)
Occasionally, an application or security policy may require an X.509 certificate to have a shorter validity period than the default configured by an Okta Application Integration (10 years). In that case, use the Okta REST API to generate a new certificate.
Additionally, if an application suffers unauthorized access and its X.509 certificate data is considered compromised, the certificate must be regenerated.
- Review the Getting Started with the Okta REST APIs guide to download Postman and integrate with the tenant, if necessary.
- Send a POST request to the following API endpoint:
{{url}}/api/v1/apps/{{appId}}/credentials/keys/generate?validityYears={{validityYears}}
- Where {{appId}} is the application identifier, easily located in the Admin Console URL address bar, for example https://tenant-admin.okta.com/admin/app/app-name/instance/{{appId-example}}/, and {{validityYears}} is the number of years that the new X.509 certificate is valid for.
Once generated, use the new certificate in place of the originally configured certificate on the application (service provider) side, or as part of a new configuration in place of the X.509 certificate shown in View Setup Instructions for SAML Single Sign-On (SSO).
