After uploading a new certificate to OAG and associating it with a particular application, the client browser is still seeing the old certificate when accessing the application.
- Okta Access Gateway (OAG)
Possible causes include the new certificate having an issue that prevents NGINX from reloading properly, an HA issue preventing the admin node from pushing the new certificate to the worker nodes, or TLS termination being implemented at the front-end load balancer so that OAG is not the component presenting the certificate to the client.
- If the new certificate was never able to properly upload via Management Console, verify that it is in PEM format and not password protected by following this KB article:
- If the certificate appeared to successfully upload:
- Check the status of the NGINX service to see if it properly reloaded after trying to associate the new certificate.
- Check the HA status to ensure that the admin node is able to successfully push the new certificate to the worker nodes.
- Monitor the OAG logs for any further clues.
- If there are no issues observed from the OAG perspective (certificate was successfully uploaded and associated with the application without any error, NGINX service and HA are in good status, no errors logged on OAG) but the client is still seeing the old certificate, it is likely that the network topology involves TLS termination at the front-end load balancer. In this configuration, the load balancer is responsible for presenting the certificate to the client, so work with the load balancer team to update the certificate on the LB side.
- One way to verify this is to add an entry to the workstation's hosts file that points the application URL directly to OAG (refer to documentation). This bypasses the load balancer so that the certificate OAG is presenting can be seen directly. If the updated certificate is visible in this manner, OAG has properly updated the certificate and the load balancer is still presenting the old one.
- For more details on TLS termination and its role in certificate management, please see:
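As an added check (example code, not from the article or from Okta's tooling), the following Python script ties the steps above together: it flags a PEM that would fail to upload, then compares the certificate fingerprint seen through the application URL with the one OAG presents when addressed directly, which is the same bypass the hosts-file entry provides. APP_HOST, OAG_ADDR and new-cert.pem are placeholders to be replaced with your own values.

```python
import hashlib
import socket
import ssl

# Placeholders, not values from the article: the application hostname (which resolves
# to the load balancer) and an OAG node address used to bypass it, like the hosts-file entry.
APP_HOST = "app.example.com"
OAG_ADDR = "192.0.2.10"

def pem_cert_issues(pem_text: str) -> list:
    """Reasons the Management Console upload would fail: not PEM, or an encrypted key."""
    issues = []
    if "-----BEGIN CERTIFICATE-----" not in pem_text:
        issues.append("no PEM certificate block (DER or PFX must be converted first)")
    if "ENCRYPTED PRIVATE KEY" in pem_text or "Proc-Type: 4,ENCRYPTED" in pem_text:
        issues.append("private key is password protected")
    return issues

def fingerprint_der(der: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def expected_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first (leaf) certificate in the PEM that was uploaded to OAG."""
    start = pem_text.index("-----BEGIN CERTIFICATE-----")
    end = pem_text.index("-----END CERTIFICATE-----", start) + len("-----END CERTIFICATE-----")
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem_text[start:end]))

def served_fingerprint(address: str, sni: str, port: int = 443) -> str:
    """Fingerprint of the leaf cert presented at address for SNI sni; verification is off on purpose."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return fingerprint_der(tls.getpeercert(binary_form=True))

def diagnose(lb_fp: str, oag_fp: str, new_fp: str) -> str:
    """Map the two observations onto the article's conclusions."""
    if oag_fp != new_fp:
        return "OAG is not serving the new certificate: check NGINX reload, HA push and OAG logs"
    if lb_fp != new_fp:
        return "OAG serves the new certificate; the load balancer terminates TLS with the old one"
    return "both paths present the new certificate"

if __name__ == "__main__":
    pem = open("new-cert.pem").read()  # placeholder path for the certificate that was uploaded
    print(pem_cert_issues(pem) or "PEM looks uploadable")
    print(diagnose(served_fingerprint(APP_HOST, APP_HOST),
                   served_fingerprint(OAG_ADDR, APP_HOST), expected_fingerprint(pem)))
```

Run it from the same workstation used for the hosts-file test; a fingerprint mismatch between the two connections is the load balancer case described above.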
