Creating and Applying Certificates
Article: KB0010585 Published: 08/21/2023 Last modified: 08/21/2023

For an organization connected to many SAML applications, having multiple SAML certificates is a convenient and powerful way to ensure stronger security between those apps and OneLogin. Using multiple certificates also lets you gracefully handle the process of updating expiring certificates.

Certificates can be assigned or changed in the SSO configuration of any SAML-enabled app, and OneLogin automatically sends your administrators a customizable notification one year, 90 days, and 45 days before a certificate expires, then daily after expiration until the certificate is updated.

 


 

To view your X.509 certificates, go to Security > Certificates. All certificates used by your OneLogin account are shown here, with the key length in bits of each, the number of apps associated with each, and the dates of issue and expiration. You can Import a certificate from another source, create a New certificate, or select any existing certificate to manage it.

Certificates

Key Length

Choose 1024, 2048, or 4096. Always be sure to check your app's key length requirements, as some apps cannot support certificates above or below a certain key length.

Note: The key length cannot be changed after saving the certificate.

Signature

Choose SHA1, SHA256, or SHA512 for the certificate's signing algorithm.

Expiration

Choose the period of time for the certificate to remain valid before it must be replaced.

Certificate Keys

If your app requires an identified CA certificate, enable the Set the CA flag in the Basic Constraints extension option to "true" and keyCertSign bit for Key Usage option to identify the certificate as a CA certificate.

Note: Do not use this certificate with apps that do not require the Basic Constraint extension, as they may not function properly.

New Certificate

Once the certificate has been saved, you can return to it at any time to view or change its SHA fingerprint, copy or download the full X.509 certificate string, and see any apps currently using the certificate. You may also Delete it, or choose Set As Default to make it your default certificate for all apps with no other certificate specified.

Example Certificate
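
The following is an added example, not part of the original article and not OneLogin tooling: a shell function that uses the openssl command line to check a downloaded certificate against the settings described above (key length, signature algorithm, expiration, CA flag) and print its fingerprint. The 2048-bit floor, the 45-day window and the throwaway sample certificate are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not OneLogin code): audit a PEM certificate with openssl.
MIN_BITS=${MIN_BITS:-2048}   # assumed policy floor for RSA key length
WARN_DAYS=${WARN_DAYS:-45}   # mirrors the final pre-expiry notification

# audit_cert FILE: prints findings; returns 0 if clean, 1 on any WARN, 2 if unreadable
audit_cert() {
  local pem="$1" text bits sigalg rc=0
  text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || { echo "ERROR cannot parse $pem"; return 2; }

  # Key Length: openssl prints "Public-Key: (2048 bit)"
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
    echo "WARN key length ${bits:-unknown} is below $MIN_BITS"; rc=1
  else
    echo "OK key length $bits"
  fi

  # Signature: the first "Signature Algorithm:" line names the signing hash
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case "$sigalg" in
    sha1*|md5*) echo "WARN signature algorithm $sigalg"; rc=1 ;;
    *)          echo "OK signature algorithm $sigalg" ;;
  esac

  # Expiration: -checkend exits non-zero if the cert expires within N seconds
  if openssl x509 -in "$pem" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; then
    echo "OK valid for more than $WARN_DAYS days"
  else
    echo "WARN expires within $WARN_DAYS days"; rc=1
  fi

  # Certificate Keys: report whether Basic Constraints marks this as a CA
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then echo "INFO CA flag is set"
  else echo "INFO CA flag is not set"; fi

  # SHA-256 fingerprint, for comparison with the one shown for the certificate
  echo "INFO $(openssl x509 -in "$pem" -noout -fingerprint -sha256)"
  return "$rc"
}

# Constructed sample: a throwaway self-signed certificate, generated locally
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
  -subj "/CN=constructed-example" -keyout "$demo/key.pem" -out "$demo/cert.pem" 2>/dev/null
audit_cert "$demo/cert.pem"
```

To audit a real certificate, pass the path of the downloaded PEM file to `audit_cert`; use `-sha1` in the fingerprint command if the fingerprint you are comparing against is SHA1.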
