Update a Non-Okta Managed Custom Domain Certificate via API
Okta Classic Engine
Okta Identity Engine
Custom Email Domain
Overview

This article explains how to update an existing custom domain certificate that is not managed by Okta using the Okta Application Programming Interface (API). This is applicable when a user needs to replace a certificate, private key, and certificate chain for a custom domain.

Applies To
  • Custom Domain
  • Transport Layer Security (TLS) Certificate
  • Okta Management API
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
Solution

Optional: Integrate Postman with Okta to perform API actions by following the steps outlined in the How to Integrate Postman with Okta documentation.

To update a certificate for a non-Okta-managed custom domain, follow these steps:

  1. Prepare the new PEM-encoded public certificate, private key, and certificate chain.
  2. Ensure the RSA key size is 2048, 3072, or 4096 bits.
  3. Identify the domainId for the custom domain by performing a GET request to the /api/v1/domains endpoint.
  4. Update the certificate by sending a PUT request to the following endpoint: PUT /api/v1/domains/<domainId>/certificate.
  5. Include the following parameters in the request body, ensuring the certificates and keys include the -----BEGIN...----- and -----END...----- delimiters:

[code]
{
  "certificate": "<PEM-encoded-certificate>",
  "privateKey": "<PEM-encoded-private-key>",
  "certificateChain": "<PEM-encoded-certificate-chain>"
}
[code]

  6. Verify the update by checking the publicCertificate object in the API response to confirm the new expiration date and fingerprint.
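The pre-flight and post-update checks from steps 2, 5, and 6 can be scripted. The following is an added example, not Okta's code: it validates the PEM delimiters and RSA key size before building the request body, then compares the fingerprint in the response with the certificate that was sent. All function names are hypothetical, the sample PEM data is constructed and non-functional, and it assumes the fingerprint field is the SHA-256 digest of the DER certificate and that the certificate field holds a single leaf certificate.

```python
import base64, hashlib, json, re
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.+?)-----END \1-----", re.S)

def pem_blocks(text):  # [(label, der_bytes)] for every delimited PEM block in text
    return [(m[1], base64.b64decode("".join(m[2].split()))) for m in PEM_RE.finditer(text)]

def _tlv(buf, pos):  # read one DER element at pos: (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_key_bits(der):  # modulus bit length of an unencrypted PKCS#1 or PKCS#8 RSA key
    _, pos, _ = _tlv(der, 0)            # outer SEQUENCE
    _, _, pos = _tlv(der, pos)          # version INTEGER
    tag, start, end = _tlv(der, pos)    # PKCS#1: modulus; PKCS#8: AlgorithmIdentifier
    if tag == 0x30:
        _, pos, _ = _tlv(der, end)      # OCTET STRING wrapping RSAPrivateKey
        _, pos, _ = _tlv(der, pos)      # inner SEQUENCE
        _, _, pos = _tlv(der, pos)      # inner version
        _, start, end = _tlv(der, pos)  # modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def build_body(cert_pem, key_pem, chain_pem):  # steps 2 and 5, returns the PUT body
    certs, keys, chain = pem_blocks(cert_pem), pem_blocks(key_pem), pem_blocks(chain_pem)
    if [label for label, _ in certs] != ["CERTIFICATE"]:  # single leaf is an assumption
        raise ValueError("certificate: expected one CERTIFICATE block")
    if len(keys) != 1 or keys[0][0] not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        raise ValueError("privateKey: expected one unencrypted private key block")
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("certificateChain: expected CERTIFICATE blocks only")
    if rsa_key_bits(keys[0][1]) not in (2048, 3072, 4096):
        raise ValueError("privateKey: RSA size must be 2048, 3072, or 4096 bits")
    return json.dumps({"certificate": cert_pem, "privateKey": key_pem, "certificateChain": chain_pem})

def fingerprint_matches(response, cert_pem):  # step 6; SHA-256 of the DER is assumed
    sent = hashlib.sha256(pem_blocks(cert_pem)[0][1]).hexdigest()
    return response["publicCertificate"]["fingerprint"].replace(":", "").lower() == sent

def pem(label, der):  # wraps bytes for the constructed samples below
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

def sample_key(bits):  # constructed, non-functional PKCS#1 shape: version + modulus only
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    body = b"\x02\x01\x00\x02\x82" + len(mod).to_bytes(2, "big") + mod
    return pem("RSA PRIVATE KEY", b"\x30\x82" + len(body).to_bytes(2, "big") + body)

CERT, CHAIN = pem("CERTIFICATE", b"constructed leaf"), pem("CERTIFICATE", b"constructed issuer")
```

`json.dumps` encodes the PEM line breaks as `\n`, so the string returned by `build_body` can be sent unchanged as the body of the PUT request in step 4.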

 

NOTE: If the certificateSourceType was previously OKTA_MANAGED, performing this operation changes the source type to MANUAL, and Okta no longer automatically renews the certificate.

