Update a Non-Okta Managed Custom Domain Certificate
Okta Classic Engine
Okta Identity Engine
All Engines
Custom URL Domains
Overview

This article explains how to update or replace an existing custom domain certificate that is not Okta-managed.

Applies To
  • Custom Domain
  • Certificate
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Solution



  1. Log in to the Okta Admin Console.
  2. Navigate to Customizations > Brands > select the Brand > go to the Domains tab.
  3. Click the Edit button, and click the Update Certificate button.

[Image: TLS certificate]

  4. Paste in the new certificate, private key, and certificate chain, following the required format and including the "Begin/End" lines in each field, for example:

[Image: Certificate]

  5. Click the Finish button.

 

Make sure to review the certificate requirements:

  • The RSA key sizes must be 2048 bits, 3072 bits, or 4096 bits.
  • It should be signed with a SHA256, SHA384, or SHA512 hash algorithm.

For more information, review the Caveats section from the documentation.

Use OpenSSL to review and validate the certificate information

openssl x509 -in certificate.crt -noout -text

Reviewing the certificate this way helps avoid errors such as "Private key length exceeded":

[Image: Error]
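
The two requirements listed above can be checked mechanically against the output of the openssl command before the certificate is pasted into the Admin Console. The script below is an added example, not part of the original article or of Okta's tooling; the function names check_cert_text and check_cert_file are hypothetical.

```shell
#!/bin/sh
# Added example: checks the two certificate requirements listed in the article
# against the text printed by `openssl x509 -noout -text`.

# check_cert_text (hypothetical name): reads that text on stdin, prints one
# line per finding, and returns 0 only if no requirement is violated.
check_cert_text() {
    text=$(cat)
    rc=0

    # Key type and size, e.g. "Public Key Algorithm: rsaEncryption" and
    # "Public-Key: (2048 bit)"; OpenSSL 1.1.1 prints "RSA Public-Key:".
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    case "$alg" in
        rsaEncryption)
            case "$bits" in
                2048|3072|4096) echo "OK   RSA key size: $bits bits" ;;
                *) echo "FAIL RSA key size: ${bits:-unknown} bits (need 2048, 3072 or 4096)"
                   rc=1 ;;
            esac ;;
        *) echo "NOTE public key algorithm is ${alg:-unknown}; RSA size rule not applied" ;;
    esac

    # The first "Signature Algorithm:" line names the hash,
    # e.g. sha256WithRSAEncryption.
    sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
    case "$(printf '%s' "$sig" | tr 'A-Z' 'a-z')" in
        *sha256*|*sha384*|*sha512*) echo "OK   signature algorithm: $sig" ;;
        *) echo "FAIL signature algorithm: ${sig:-unknown} (need SHA256, SHA384 or SHA512)"
           rc=1 ;;
    esac
    return $rc
}

# check_cert_file (hypothetical name): runs the article's command on a PEM file.
# Usage: check_cert_file certificate.crt
check_cert_file() {
    openssl x509 -in "$1" -noout -text | check_cert_text
}
```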
