
r2w3u (r2w3u) asked a question.
We are using the 'out of the box' SAML signing certificate for Okta applications, which appears to be a global certificate for all applications, self-signed by Okta. In our case it is somewhat long-lived (10 years).
As the number of applications grows in our org, I am concerned about the work that will be required when we eventually have to rotate this certificate. I am curious how other Okta customers are managing this problem. Are other customers using custom certificates for each application? If so, how are they rotating them when necessary, since they also have to be changed on the application side?
On the Okta side, what is the process for rotating the SAML certificate when it expires? Is a new certificate provided in advance with overlap so customers can migrate to the new one?

Hello @r2w3u (r2w3u),
Please check the following links with information:
https://support.okta.com/help/s/article/Replace-SP-Signing-Certificate-In-OKTA?language=en_US
https://support.okta.com/help/s/article/Does-Okta-need-to-make-any-changes-due-to-SAML-App-Vendor-s-SSO-certificate-replacement?language=en_US
Regards,
Natalia
Okta Inc.

Thanks, Natalia. Contrary to that article, I do not see anywhere in the Okta SAML application template to replace the SAML signing certificate. Only the encryption certificate.
Moreover, I am asking about the Okta process when the global Okta signing certificate expires. Is the certificate rotated? Or is it extended somehow? Since that certificate is uploaded into most of our applications, rotating it will not be a simple task.