A public certificate and private key pair are required to successfully connect applications with JumpCloud. This certificate and key pair are used during SAML handshakes to successfully authenticate users during an SSO login. After you activate an application, JumpCloud automatically generates a public certificate and private key pair for you. You can use this pair or upload your own from the Application Details panel. Learn how to generate a custom certificate and private key pair.
You can upload, download, and regenerate certificates from the Application Details panel. Additionally, you can view the status for both the certificate and key at the top of the configuration window. Certificate and key status is indicated as grey if there isn’t a certificate or key detected for the application. Status is indicated as green if a certificate and key are detected.

Your private key should be closely guarded. If this key has been lost or compromised, it should be regenerated immediately. An easy way to do this is to regenerate your certificate.
As the certificate approaches expiration, notification emails are sent to admins at 60 days, 30 days, 7 days, and 24 hours before it expires. The emails contain a link labeled Regenerate Certificate that can be used to renew the public certificate.
Uploading a public certificate
- Go to Access > SSO Applications.
- Select an application from the Configured Applications list.
- Go to Actions and then select Upload New certificate.
- Browse to the certificate file and then click Open.
Uploading a private key
- Go to Access > SSO Applications.
- Select an application from the Configured Applications list.
- Go to Actions and then select Upload IdP Key.
- Browse to the private key file and then click Open.
These must be uploaded in pairs, i.e., if you upload a new certificate, you must upload a new private key and vice versa.
Downloading a certificate
- Go to Access > SSO Applications.
- Select an application from the Configured Applications list.
- Go to Actions and then select Download Certificate.
- The certificate will download to your local Downloads folder with the name certificate.pem.
After the application is saved, you can also download the certificate by clicking Download Certificate in the notification in the upper-right corner of the screen.
Regenerating a certificate
You can't regenerate a certificate until you activate an application connector.
- Go to Access > SSO Applications.
- Select an application from the Configured Applications list.
- Go to Actions and then select Regenerate Certificate.
- Click Continue.
- After you regenerate the certificate, the private key is also regenerated.
If your SSO Service Provider uses JumpCloud metadata and you regenerate the certificate, you must export new metadata and upload it to the Service Provider.
Troubleshooting
After regenerating or rotating the Identity Provider (IdP) certificate for a SAML SSO application in JumpCloud, users may experience login failures. This section outlines the most common causes for these failures and the specific steps to resolve them.
Symptoms include:
- Users receiving "Invalid Assertion," "Signature Validation Failed," or "SAML Response Invalid" errors
- Users being redirected back to the login screen without signing in
The “Unsaved Change” Oversight (Most Common)
Issue: If you download the new certificate but do not click Save on the JumpCloud Application configuration page, JumpCloud continues to sign SSO tokens using the old (expired) certificate. Meanwhile, your Service Provider has been updated with the new certificate, causing a mismatch.
Resolution:
- Log in to the JumpCloud Admin Portal.
- Navigate to the specific SSO Application.
- Verify that the IdP Certificate dropdown displays the new certificate (check the expiration date).
- Click Save at the bottom of the page.
- Retry the login.
Certificate Mismatch (Wrong File Uploaded)
Issue: If you have performed multiple downloads, it is easy to accidentally upload an older or incorrect file (e.g., certificate(1).pem vs certificate.pem).
Resolution:
- Download the active certificate from the JumpCloud Admin Portal again.
- Open this file in a text editor (like Notepad or TextEdit) and note the first few characters of the string (e.g., MIID...).
- Log in to your Service Provider’s admin console and view the certificate currently uploaded there.
- Compare the strings. If they do not match exactly, upload the file you just downloaded from JumpCloud.
Copy-Paste Formatting Errors
If your Service Provider requires you to paste the certificate text rather than uploading a file, formatting errors can break the integration.
The Fix:
- Ensure you included the Header (-----BEGIN CERTIFICATE-----) and the Footer (-----END CERTIFICATE-----). Most providers require these to identify the certificate.
- Check for trailing spaces. Ensure there are no extra spaces after the footer or before the header.
- Ensure there are no line breaks inside the certificate string itself (unless the provider specifically requests them).
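The mismatch check and the copy-paste checks above, together with the metadata re-export required after regenerating a certificate, can be done mechanically instead of by comparing the first characters of the string by eye. The following is an added example in Python, not JumpCloud's own code or tooling: it uses only the standard library, the certificate bytes and IdP metadata it works on are constructed placeholders (not real X.509 data), and the function names are this example's own.

```python
# Added example (not JumpCloud code): normalize a pasted PEM certificate, compare it with the
# certificate.pem downloaded from JumpCloud, and extract the signing certificate from IdP metadata.
import base64
import binascii
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def normalize_pem(text: str) -> str:
    """Return canonical PEM (header, 64-column base64 body, footer) or raise ValueError.

    The ValueErrors are the copy-paste problems from the troubleshooting section: missing
    header or footer, stray spaces, and line breaks or other junk inside the base64 body.
    """
    stripped = text.strip()  # leading/trailing spaces and blank lines are dropped first
    if not stripped.startswith(PEM_HEADER):
        raise ValueError("missing PEM header")
    if not stripped.endswith(PEM_FOOTER):
        raise ValueError("missing PEM footer")
    body = re.sub(r"\s+", "", stripped[len(PEM_HEADER):-len(PEM_FOOTER)])
    try:
        base64.b64decode(body, validate=True)  # anything that is not base64 is rejected here
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    return "\n".join([PEM_HEADER, *(body[i:i + 64] for i in range(0, len(body), 64)), PEM_FOOTER])


def der_bytes(text: str) -> bytes:
    """DER encoding of the certificate, independent of how the PEM text was wrapped."""
    return base64.b64decode("".join(normalize_pem(text).splitlines()[1:-1]))


def fingerprint(text: str) -> str:
    """SHA-256 fingerprint as colon-separated hex, the form most SP consoles display."""
    digest = hashlib.sha256(der_bytes(text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificate_from_metadata(metadata_xml: str) -> str:
    """Return the IdP signing certificate embedded in SAML metadata as canonical PEM."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without "use" also covers signing
            continue
        node = kd.find(".//ds:X509Certificate", NS)
        if node is not None and node.text:
            return normalize_pem(f"{PEM_HEADER}\n{node.text}\n{PEM_FOOTER}")
    raise ValueError("no signing certificate in metadata")


def diagnose(idp_pem: str, sp_pem: str) -> str:
    """Say whether the certificate held by the Service Provider matches the IdP download."""
    try:
        sp_der = der_bytes(sp_pem)
    except ValueError as exc:
        return f"format error in Service Provider certificate: {exc}"
    if sp_der == der_bytes(idp_pem):
        return "match"
    return f"mismatch: IdP {fingerprint(idp_pem)} vs SP {fingerprint(sp_pem)}"


# Constructed placeholders standing in for DER-encoded certificates (NOT real X.509 data).
_NEW_DER = b"constructed stand-in for the regenerated JumpCloud IdP certificate " * 3
_OLD_DER = b"constructed stand-in for the previous JumpCloud IdP certificate " * 3


def _pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return "\n".join([PEM_HEADER, *(b64[i:i + 64] for i in range(0, len(b64), 64)), PEM_FOOTER])


CERT_FROM_JUMPCLOUD = _pem(_NEW_DER)  # shape of the downloaded certificate.pem
CERT_OLD = _pem(_OLD_DER)             # an earlier download, e.g. certificate(1).pem
# The new certificate as it often arrives in an SP form: CRLF line endings, one-line body,
# trailing spaces after the footer. Same bytes, different formatting.
CERT_PASTED_AT_SP = PEM_HEADER + "\r\n" + base64.b64encode(_NEW_DER).decode() + "\r\n" + PEM_FOOTER + "  "
CERT_MISSING_FOOTER = CERT_FROM_JUMPCLOUD.replace(PEM_FOOTER, "")
# Constructed IdP metadata carrying the new certificate; entityID and Location are placeholders.
METADATA_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.invalid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(_NEW_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.invalid/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(diagnose(CERT_FROM_JUMPCLOUD, CERT_PASTED_AT_SP))                        # match
    print(diagnose(CERT_FROM_JUMPCLOUD, CERT_OLD))                                 # mismatch: IdP ... vs SP ...
    print(diagnose(CERT_FROM_JUMPCLOUD, CERT_MISSING_FOOTER))                      # format error ...: missing PEM footer
    print(diagnose(CERT_FROM_JUMPCLOUD, certificate_from_metadata(METADATA_XML)))  # match
```

Comparing fingerprints rather than the first characters matters in practice: the leading MIID... of a PEM body is just the base64 of the outer DER SEQUENCE tag and length, so two certificates of similar size share that prefix even when everything after it differs. Running the same check against the metadata the Service Provider imported confirms that the metadata was actually re-exported after regeneration and not left carrying the previous certificate.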
Browser Cache and Session Data
Sometimes the configuration is correct, but the browser is attempting to use cached session data from before the change.
The Fix:
- Open an Incognito (Chrome) or Private (Firefox/Edge) window.
- Attempt to log in to the Service Provider again.
- If this works, advise your users to clear their browser cache and cookies.