Revert a SHA256 Certificate to SHA1 for SAML and API in Okta Using Postman
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article explains the steps to revert a SHA256 certificate to SHA1 for Security Assertion Markup Language (SAML) and API in Okta. The process uses the Okta API in Postman, modifies certificate files, and updates the application's key credentials. This solution is useful when legacy systems that do not support SHA256 certificates must be supported.

Applies To
  • Revert a SHA256 certificate to SHA1
  • Security Assertion Markup Language (SAML)
  • API
Solution

Check out this video for more information.

NOTE: Before following these steps for Okta Integration Network (OIN) applications, please make sure to include the necessary application details. For example, in the case of Office 365, be sure to specify the federated domains, federation method, and SSO method. Incomplete information could reset the app to the default OIN values.

  1. Follow the steps to integrate Postman with Okta.

  2. Get the application's details by calling GET {{url}}/api/v1/apps/{{appID}}. Copy the id, name, label, and signOnMode provided in the response; these will be used later.

[Screenshot: API Call]

  3. List the application's certificates by calling GET {{url}}/api/v1/apps/{{appID}}/credentials/keys. Note that there are at least 2 certificates provided in the response.

[Screenshot: API Call]

  4. Copy the value of the first x5c element and save it in a text editor of choice. In the text file, modify it so it follows PEM formatting by prepending -----BEGIN CERTIFICATE----- and appending -----END CERTIFICATE-----.

  5. Save the file as a .crt file.

[Screenshot: Certificate]

  6. Repeat Steps 4-5 for any other certificates provided in the Get Credential Keys response.

  7. Use the computer's keychain tool or OpenSSL to validate which of the certificates is using SHA1.

  8. In Postman, copy the kid value for the SHA1 cert from the response provided in step 3.

  9. Update the key credential for the app by calling PUT {{url}}/api/v1/apps/{{appID}}.

    • In the Body of the request, enter the following JSON code, substituting the values noted in step 2 and the kid noted in step 8:

    {
      "name": "{{appName}}",
      "label": "{{appInstanceLabel}}",
      "signOnMode": "{{appSignOnMode}}",
      "credentials": {
        "signing": {
          "kid": "{{keyId}}"
        }
      }
    }

[Screenshot: Request Body]

  10. In the Okta Admin Console, navigate to the App's Single Sign-On tab, click View Setup Instructions, and re-upload the metadata, including the new SHA1 certificate, to the service provider.
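The following script is an added example and is not part of the Okta article or Okta's own tooling. It automates steps 4 through 9 on the JSON the two GET calls return: it wraps an x5c value in PEM armour, reads the signatureAlgorithm OID straight out of the DER certificate to tell SHA1 from SHA256 (the check the article does with a keychain tool or OpenSSL), picks the kid of the SHA1 certificate, and assembles the PUT body. SAMPLE_APP, SAMPLE_KEYS and the stub certificates are constructed for the example; in practice you would feed it the bodies of the GET /api/v1/apps/{{appID}} and /credentials/keys responses.

```python
import base64
import json

# OIDs for the two RSA signature algorithms this procedure distinguishes
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "SHA1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA256",  # sha256WithRSAEncryption
}


def x5c_to_pem(x5c: str) -> str:
    """Step 4: wrap the base64 x5c value in PEM armour (64-character lines)."""
    body = "\n".join(x5c[i:i + 64] for i in range(0, len(x5c), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw: bytes) -> str:
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def signature_algorithm(der: bytes) -> str:
    """Step 7: read Certificate.signatureAlgorithm and map it to SHA1/SHA256."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)            # skip tbsCertificate
    _, alg_pos, _ = _read_tlv(der, tbs_end)        # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_pos)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIGNATURE_OIDS.get(oid, oid)            # unknown OIDs are returned verbatim


def algorithms_by_kid(keys: list) -> dict:
    """Map each key's kid to the signature algorithm of its leaf certificate (x5c[0])."""
    return {k["kid"]: signature_algorithm(base64.b64decode(k["x5c"][0])) for k in keys}


def pick_sha1_kid(keys: list):
    """Step 8: the kid to put in credentials.signing.kid, or None if no SHA1 cert exists."""
    return next((kid for kid, alg in algorithms_by_kid(keys).items() if alg == "SHA1"), None)


def build_update_body(app: dict, kid: str) -> dict:
    """Step 9: PUT body built from the step 2 fields plus the chosen kid."""
    return {
        "name": app["name"],
        "label": app["label"],
        "signOnMode": app["signOnMode"],
        "credentials": {"signing": {"kid": kid}},
    }


# --- constructed sample data (not real Okta output) -------------------------
def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content      # short-form length suffices here


def _stub_cert(oid: bytes) -> bytes:
    """A minimal Certificate-shaped DER blob with just enough structure for signature_algorithm()."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                      # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, oid) + _der(0x05, b""))        # AlgorithmIdentifier {oid, NULL}
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xab"))     # + placeholder signature BIT STRING


SAMPLE_APP = {"id": "0oa-sample-id", "name": "sample_saml_app",
              "label": "Sample SAML App", "signOnMode": "SAML_2_0"}
SAMPLE_KEYS = [  # shaped like the GET .../credentials/keys response
    {"kid": "sample-kid-sha256",
     "x5c": [base64.b64encode(_stub_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")).decode()]},
    {"kid": "sample-kid-sha1",
     "x5c": [base64.b64encode(_stub_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")).decode()]},
]

if __name__ == "__main__":
    print(algorithms_by_kid(SAMPLE_KEYS))
    print(x5c_to_pem(SAMPLE_KEYS[1]["x5c"][0]))
    print(json.dumps(build_update_body(SAMPLE_APP, pick_sha1_kid(SAMPLE_KEYS)), indent=2))
```

Running the script prints the algorithm of each kid, the PEM file you would save in step 5, and the exact JSON to paste into the Postman body in step 9. The same step 7 check with OpenSSL on a saved .crt file is openssl x509 -in cert.crt -noout -text, which prints the Signature Algorithm line; the DER walk above is only there so the example runs without OpenSSL installed. If pick_sha1_kid returns None there is no SHA1-signed key on the app and the PUT in step 9 has nothing to point at.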
