Tenant Signing Keys Using SHA1 Instead of SHA256 Algorithm

Overview

In order to configure an SSO integration for an application, a SHA256 certificate is required. However, the certificate provided by our Auth0 tenant appears to be SHA1. How can this certificate be updated to SHA256?

Cause
Older tenants, such as those in prod-us-1, may still be using SHA1 signing keys if the signing keys have never been rotated for the tenant.

Solution

Rotate the tenant Signing Keys, as described in Rotate Signing Keys.

When rotating the tenant signing keys, the next key in the queue (which has already been generated) becomes the active key. To check whether that queued key is SHA1 or SHA256:
  1. Navigate to Auth0 Dashboard > Settings > Signing Keys.
  2. Find the next signing key in the queue, click the three dots next to the entry to download its certificate, and run the following command on the downloaded file:
     openssl x509 -in name-of-new-key-file.cer -text -noout
  3. If the next key in the queue is also a SHA1 certificate (it may have been generated a long time ago), rotate the keys twice: the first rotation activates the queued key, and the second rotation activates a newly generated key. All newly generated keys are SHA256.
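The openssl command in step 2 prints the certificate's Signature Algorithm field for you to read by eye. The script below is an added example, not part of the original article or of Auth0's own tooling: it opens the downloaded .cer file (PEM or DER), reads the signatureAlgorithm OID straight out of the X.509 DER structure without depending on openssl, and applies the rule from step 3 (a SHA1 key queued next means two rotations). The two sample certificates embedded in it are constructed DER skeletons with an empty tbsCertificate and a one-byte dummy signature, built only to exercise the parser; they are not real Auth0 certificates, and the file name in the usage comment is a placeholder.

```python
import base64
import re
import sys

# Signature-algorithm OIDs most likely to appear on a tenant signing certificate.
OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Decode the DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (real certs use this)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn OID content bytes into dotted notation, e.g. 1.2.840.113549.1.1.11."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data):
    """Accept either a PEM (-----BEGIN CERTIFICATE-----) blob or raw DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def signature_algorithm(der):
    """Return the outer signatureAlgorithm name (or raw OID) of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    """
    tag, cert_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is this a certificate?)")
    tag, _, tbs_end = _read_tlv(der, cert_start)      # skip over tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, alg_start, _ = _read_tlv(der, tbs_end)       # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm missing")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("algorithm OID missing")
    oid = _decode_oid(der[oid_start:oid_end])
    return OID_NAMES.get(oid, oid)


def rotations_needed(next_key_algorithm):
    """Rule from the article: a SHA1 key queued next means rotating twice."""
    return 2 if "sha1" in next_key_algorithm.lower() else 1


def _fake_cert(oid_content):
    """CONSTRUCTED test input: a DER skeleton with an empty tbsCertificate, the
    given signature OID (NULL params) and a one-byte dummy signature. Not a real cert."""
    tbs = b"\x30\x00"
    oid = b"\x06" + bytes([len(oid_content)]) + oid_content
    alg = oid + b"\x05\x00"
    alg = b"\x30" + bytes([len(alg)]) + alg
    sig = b"\x03\x02\x00\x00"
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body


SAMPLE_SHA1_DER = _fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")    # 1.2.840.113549.1.1.5
SAMPLE_SHA256_DER = _fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # 1.2.840.113549.1.1.11
SAMPLE_SHA1_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_SHA1_DER)
                   + b"-----END CERTIFICATE-----\n")


def check_cert_file(path):
    """Read a downloaded .cer (PEM or DER); return (algorithm, rotations needed)."""
    with open(path, "rb") as f:
        alg = signature_algorithm(pem_to_der(f.read()))
    return alg, rotations_needed(alg)


if __name__ == "__main__":
    # usage: python check_signing_key.py name-of-new-key-file.cer   (placeholder file name)
    alg, n = check_cert_file(sys.argv[1])
    print(f"next queued key is signed with {alg}; rotate {n} time(s)")
```

The parser only walks the three top-level elements of the certificate, so it works on any well-formed X.509 file regardless of key type; an OID it does not recognise is returned in dotted form so you can look it up rather than being silently counted as SHA256.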

Note: There are several things to consider when rotating your tenant's signing keys. Please read the details on Key Rotation Impact.

The recommendation is to execute signing key rotation on a development tenant first, then verify that the applications and APIs work as expected. After verifying everything works properly, perform the same signing key rotation on the production tenant.
