Tenant Signing Keys Using SHA1 Instead of SHA256 Algorithm

Problem statement

In order to configure an SSO integration for an application, a SHA256 certificate is required. However, the certificate provided by our Auth0 tenant appears to be SHA1. How can this certificate be updated to SHA256?

Cause

Older tenants, such as in prod-us-1, may be using SHA1 signing keys if the signing keys have never been rotated for the tenant.

Solution

Rotate the tenant signing keys as described in Rotate Signing Keys. A rotation promotes the next key in the queue, which has already been generated, so inspect that key before rotating:

  1. Navigate to Auth0 Dashboard > Settings > Signing Keys.
  2. Check the next signing key in the queue: click the three dots next to the entry to download its certificate, then run the following command and look at the Signature Algorithm line of the output:

openssl x509 -in name-of-new-key-file.cer -text -noout

  3. If the next key in the queue is also a SHA1 certificate (it may have been generated a long time ago), rotate the keys twice: the first rotation promotes the queued key, and the second rotation produces a newly generated key. All newly generated keys are SHA256.
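The openssl step above reads the Signature Algorithm line of the downloaded certificate, which is the outer signatureAlgorithm field of the X.509 structure. As an added example that is not part of this article and not Auth0 tooling, the Python script below performs the same check without openssl using only the standard library: it walks the certificate's DER encoding to that field, maps the OID to the name openssl would print, and flags SHA1 signatures. The two sample certificates are constructed skeletons carrying only the fields the parser needs, not real Auth0 keys, and the file name in the usage comment is a placeholder.

```python
"""Report the signature algorithm of an X.509 certificate (PEM or DER)
using only the standard library. Added example; not Auth0 tooling."""
import base64
import re
import sys

# Dotted OID -> algorithm name, as printed by `openssl x509 -text`.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

SEQUENCE, OID, BIT_STRING = 0x30, 0x06, 0x03


def read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Turn OBJECT IDENTIFIER contents into dotted notation."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(str(cur))
            cur = 0
    return ".".join(arcs)


def to_der(data: bytes) -> bytes:
    """Accept PEM or DER input; downloaded .cer files may be either."""
    if b"-----BEGIN" in data:
        body = re.sub(rb"-----[A-Z ]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in a PEM CERTIFICATE block (used for the sample input)."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"


def signature_algorithm(cert_bytes: bytes):
    """Return (oid, name) of the certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    der = to_der(cert_bytes)
    tag, cert, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)           # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)       # AlgorithmIdentifier SEQUENCE
    tag, oid_bytes, _ = read_tlv(alg_id, 0)    # its first element is the OID
    if tag != OID:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(oid_bytes)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")


def is_sha1_signed(cert_bytes: bytes) -> bool:
    """True when the certificate signature uses SHA1 (the case this article fixes)."""
    return "sha1" in signature_algorithm(cert_bytes)[1].lower()


# --- constructed sample certificates (skeletons, not real keys) ---------------
def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body      # short-form length suffices here


def constructed_cert(sig_oid_hex: str) -> bytes:
    tbs = _tlv(SEQUENCE, _tlv(0x02, b"\x01"))  # stand-in tbsCertificate: serial only
    alg = _tlv(SEQUENCE, _tlv(OID, bytes.fromhex(sig_oid_hex)) + _tlv(0x05, b""))
    sig = _tlv(BIT_STRING, b"\x00" * 9)        # dummy signatureValue
    return _tlv(SEQUENCE, tbs + alg + sig)


SHA1_SAMPLE = constructed_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_SAMPLE = constructed_cert("2a864886f70d01010b")  # sha256WithRSAEncryption

if __name__ == "__main__":
    # Usage: python check_signing_cert.py name-of-new-key-file.cer  (placeholder name)
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [SHA1_SAMPLE, SHA256_SAMPLE]
    for blob in blobs:
        oid, name = signature_algorithm(blob)
        verdict = "SHA1: rotate again" if is_sha1_signed(blob) else "OK"
        print(f"{name} ({oid}): {verdict}")
```

Run it against each queued key's downloaded certificate; a SHA1 verdict on the next key is the case in step 3 above, where a second rotation is needed. The parser reads only the outer AlgorithmIdentifier and does not validate the certificate, so it is a triage aid, not a replacement for openssl.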

Note: There are several things to consider when rotating your tenant’s signing keys. Please read the details here:

https://auth0.com/docs/get-started/tenant-settings/signing-keys/rotate-signing-keys#key-rotation-impact

The recommendation is to execute signing key rotation on a development tenant first, then verify that the applications and APIs work as expected. After verifying that everything works properly, perform the same signing key rotation on the production tenant.