Questions about the SAML ZITADEL certificate and its management

Hello,

We have successfully put in place a self hosted Zitadel instance and plugged it to log into AWS SSO/Identity Center. We followed this documentation: https://zitadel.com/docs/guides/integrate/services/aws-saml

It has been now close to a year and AWS sends us the following alert:

The SAML certificate associated with your identity provider expires in xx days. Please update or import a new certificate.

We are wondering about the following:

Will Zitadel renew the certificate for a new year or let it expire ? (we tried a restart but to no avail)
If not, is it possible to launch the renewal ourselves (we saw this post questions-help-bugsHow to update SAMLv2 certificate at "$ZIT_URL/saml/v2/certificate" when acting as IDP about passing a custom key pair but we would like to keep the current one and just update the cert if possible)
Is it possible to customize the validity period ?

Thank you for your assistance,
Regards.

ZITADEL Docs

This guide shows how to enable login with ZITADEL on AWS SSO.

Ask Inkeep•11/26/25, 2:23 PM

Hi @Lenny, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•11/26/25, 2:23 PM

Answer

Based on the available sources, here's what we know about SAML certificate management in ZITADEL:

Certificate Renewal
ZITADEL does not automatically renew SAML certificates when they expire (1) . This is a known area for improvement, as there are currently no notifications sent in advance of the expiration date, and the ZITADEL UI does not display warnings when a certificate has expired .

Manual Certificate Regeneration
You can manually regenerate the SAML certificate using the API. For a self-hosted instance where you're using ZITADEL as the Identity Provider (IdP) for AWS, you would use the Admin API endpoint to regenerate the certificate (2) .

The endpoint is:

POST <https://$CUSTOM-DOMAIN/admin/v1/idps/saml/:id/_generate_certificate>

POST <https://$CUSTOM-DOMAIN/admin/v1/idps/saml/:id/_generate_certificate>

Note: If your identity provider is configured at the organization level (not instance level) , you'll need to use the Management API instead and include the x-zitadel-orgidx-zitadel-orgid header with the organization that owns the IDP (3) .

Customizing Validity Period
For cloud instances, the certificate expiration is fixed to 1 year (1) . However, for self-hosted instances, it is possible to customize the certificate expiration date .

Next Steps
You'll need to regenerate the certificate using the appropriate API endpoint, then update the certificate in AWS IAM Identity Center with the new one from ZITADEL's metadata endpoint.

If you'd like more detailed guidance on the API call or have questions about your specific setup, feel free to click the "Ask for help" button to tag a team member.

Ask Inkeep•11/26/25, 2:23 PM

To learn more, see the sources I considered:

[1] SAML certs for external IDPs expiration handling
[2] Regenerate SAML Identity Provider Certificate
[3] Getting 404 trying to regenerate SAML IDP Certificate

Ask Inkeep•11/26/25, 2:23 PM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] SAML certs for external IDP...

Ask InkeepAPP•12/1/25, 9:32 AM

Got it. Tagging @Rajat for additional help.

LennyOP•12/1/25, 9:38 AM

Hi,

The solution proposed by the bot is for certificates associated with external IdP configured in Zitadel but we are talking about the Zitadel own certificate (CN=ZITADEL SAML response, O=ZITADEL)

Regards.

Rajat•12/2/25, 11:03 AM

hey @Lenny I cannot really say that you can customize the certificate validity period but you can regenerate a new one I hope this helps.
Thanks

LennyOP•12/2/25, 3:18 PM

Hello @Rajat,

We already saw this doc and endpoint but as I said its to generate a new certificate for an external idp, but we are not in this case, the certificate expiring is the Zitadel one.
The one you can download at https://zitadel/saml/v2/certificate

I guess it is generated upon instance creation ?

Regards.

LLenny Hello <@1346540274674827395>, We already saw this doc and endpoint but as I sai...

Rajat•12/3/25, 1:29 PM

yes you are correct @Lenny in that case.

LennyOP•12/4/25, 7:23 AM

Ok, but then what are we supposed to do ?
When the certificate expires we will not be able to log to AWS anymore.

ZITADEL Docs

This guide shows how to enable login with ZITADEL on AWS SSO.

LennyOP•12/4/25, 7:33 AM

Will the certif be renewed by Zitadel ? Or can we manage the lifecycle of this certificate ourselves ?

LennyOP•12/4/25, 10:21 AM

Ok, I found the answer to one of my questions, the validity can be modified with the following parameter:
https://github.com/zitadel/zitadel/blob/f9e3871bb32873a172a5e63055db3ece3eb2acab/cmd/defaults.yaml#L776

GitHub

zitadel/cmd/defaults.yaml at f9e3871bb32873a172a5e63055db3ece3eb2ac...

ZITADEL - Identity infrastructure, simplified for you. - zitadel/zitadel

LennyOP•12/4/25, 10:28 AM

I wanted to be sure so I launched a local instance with the compose method and the following envvar: ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_CERTIFICATELIFETIME: 1hZITADEL_SYSTEMDEFAULTS_KEYCONFIG_CERTIFICATELIFETIME: 1h

Here is a summary of my tests for other people stuck like us:

The certificate is generated upon the first call to the saml/v2 endpoints.
If you change the duration after that it will not regenerate a certificate.
After one hour a new certificate is generated when you call the endpoint.

Gigi the Giraffe (Zitadel)•12/4/25, 11:05 AM

Looks like you just helped out another community member! Thanks for being so helpful @1406995774335746048! You're now one step closer to leveling up—keep up the amazing peer support!