Skip to main content

How do I update an expiring x509 certificate in my company's Procore SSO configuration settings?


An x509 certificate must be entered in your Procore company's Single Sign-On (SSO) configuration settings to complete setup of SSO with Procore. x509 certificates expire after a period of time, at which point you will need to input an updated certificate into your SSO configuration settings to maintain login function for users with a targeted domain. Procore does not provide notification of expiring x509 certificates. A notification that your certificate is expiring may be provided by your SSO Identity Provider (IdP).


When you receive notification from your IdP that the x509 certificate for your company's Procore SSO configuration is expiring, you can update the SSO configuration settings to include a new x509 certificate by following the steps below. 

You must update this certificate before the expiration date to prevent interruption to your users' login experience. If your certificate has already expired and you can't access your Procore account, please contact Procore Support for assistance.


  1. Generate a new x509 certificate from within your IdP.
    Note: Please reference your IdP's support documentation for additional details about this action.
  2. Save the certificate as a text file.
  3. Copy the certificate data that appears between the start and end tags for the x509 certificate.
    Do NOT copy the HTML start and end tags if using Azure AD (pictured below). For certificates generated by other IdPs, do NOT copy the --- BEGIN CERTIFICATE --- or ---END CERTIFICATE --- start and end markers within the text file. Only copy the text between those markers.
    Start Tag: <X509Data><X509Certificate> 
    End Tag: </X509Data></X509Certificate>
  4. Log in to your Procore account and navigate to the Company level Admin Tool.
  5. From the navigation panel, select Single Sign-On Configuration.
  6. Delete the existing x509 certificate from the Single Sign-On x509 Certificate field.
  7. Paste the new certificate in the Single Sign-On x509 Certificate field.
  8. Click Save.
    If your SSO configuration is already set to SP-Initiated, but you would prefer to test that the new certificate is functioning before saving it to your current configurations, you may choose to select "Allow Password Login" instead of "Service Provider Forward" before saving. This will temporarily allow users the option to log in with Procore credentials, as well as SSO, preventing you from potentially locking yourself and your users out of your Procore account while making these changes if an error were to occur. Once you have confirmed the new certificate is functioning as expected, you can edit your SSO configuration to re-select "Service Provider Forward" and return to an SP-initiated login flow.