This article explains how the IdP signature certificate can be updated via the API. The UI equivalent for this task is to update the certificate via Admin Console > Security > Identity Providers > [IdP] > Action > Configure IdP > Edit > IdP Signature Certificate [Update].
- Use API to update IdP Signature Certificate
Updating the IdP signature certificate via the API is a two-step task. First, upload the new certificate to the IdP key store and record the key ID (kid) returned in the response. Then reference that kid in the external IdP's configuration so that its signatures are validated against the new certificate.
Request:
POST {{url}}/api/v1/idps/credentials/keys
Body:
{
  "x5c": [
    "MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU ....redacted for simplicity... hEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EER ICMFt3GUmtYaZZKHpWSfdJp9"
  ]
}
Response:
{
  "kty": "RSA",
  "created": "2024-01-25T23:42:56.000Z",
  "lastUpdated": "2024-01-25T23:42:56.000Z",
  "expiresAt": "2025-12-18T22:23:32.000Z",
  "alg": "RSA",
  "kid": "{{the key id}}",
  "use": "sig",
  "x5c": [
    "MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU ....redacted for simplicity... hEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EER ICMFt3GUmtYaZZKHpWSfdJp9"
  ],
  "x5t#S256": "wzPVobIrveR1x......6zn7Rm9KuOWOG4Rk6jE",
  "e": "AQAB",
  "n": "tcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K_iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqq.......UKALJHy0X_oY_yV4YEJ00LL6eJWU4wi7ViY3HP6_VCdRjHoRdr5L_Dw"
}
NOTE: Record the kid from the response above. The same information for every uploaded key can also be listed with a GET request to the {{url}}/api/v1/idps/credentials/keys endpoint.
- Once the kid has been retrieved, use it to point the external IdP at the newly uploaded certificate by calling the Update Identity Provider API.
PUT {{url}}/api/v1/idps/{{idpId}}
Rather than building a custom request body, retrieve the current IdP configuration with the Get Identity Provider API:
GET {{url}}/api/v1/idps/{{idpId}}
Use that response as the body of the PUT request, changing only credentials.trust.kid to the kid obtained in step 1:
....
....
  "credentials": {
    "trust": {
      "issuer": "https://idp.example.com",
      "audience": "http://www.okta.com/123",
      "kid": "{{kid from step 1}}"
    }
  }
....
....
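The two steps above, carried out as an added example script (not part of the original article or Okta's own tooling). It assumes an SSWS API token, a PEM-encoded certificate file, and the three endpoints named in the article; it also verifies that the x5t#S256 thumbprint Okta returns matches the certificate that was uploaded before writing the kid into the IdP configuration, so a wrong or stale key is never referenced.

```python
import base64
import copy
import hashlib
import json
import urllib.request


def pem_to_x5c(pem: str) -> str:
    """x5c entries are plain base64 DER (RFC 7517): the PEM body without armor or newlines."""
    lines = (line.strip() for line in pem.strip().splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))


def x5t_s256(x5c: str) -> str:
    """Unpadded base64url SHA-256 of the DER certificate, the format of the x5t#S256 field."""
    digest = hashlib.sha256(base64.b64decode(x5c)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def kid_from_key_response(resp: dict, uploaded_x5c: str) -> str:
    """Step 1 result: accept the kid only if the stored key's thumbprint matches what we sent."""
    if resp.get("x5t#S256") != x5t_s256(uploaded_x5c):
        raise ValueError("x5t#S256 does not match the uploaded certificate")
    return resp["kid"]


def idp_body_with_kid(idp_config: dict, kid: str) -> dict:
    """Step 2 body: the GET /idps/{id} response, changed only in credentials.trust.kid."""
    body = copy.deepcopy(idp_config)
    body["credentials"]["trust"]["kid"] = kid
    return body


def okta_call(base_url: str, token: str, method: str, path: str, payload=None) -> dict:
    """Minimal JSON client for the Okta management API using SSWS API-token auth."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json",
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def rotate_idp_certificate(base_url, token, idp_id, pem, call=okta_call) -> dict:
    """Run both steps from the article; `call` is injectable so the flow can be tested offline."""
    x5c = pem_to_x5c(pem)
    key = call(base_url, token, "POST", "/api/v1/idps/credentials/keys", {"x5c": [x5c]})
    kid = kid_from_key_response(key, x5c)
    current = call(base_url, token, "GET", f"/api/v1/idps/{idp_id}")
    updated = call(base_url, token, "PUT", f"/api/v1/idps/{idp_id}", idp_body_with_kid(current, kid))
    if updated.get("credentials", {}).get("trust", {}).get("kid") != kid:
        raise RuntimeError("PUT succeeded but the IdP does not reference the new kid")
    return updated
```

Call rotate_idp_certificate("https://{{yourOktaDomain}}", api_token, "{{idpId}}", open("idp.pem").read()) to perform the update; the returned body is the updated IdP configuration.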
