...
You must also download the Okta Certificate (from within the Okta Edit SAML Settings).
Download he the SHA-2 certificate.
...
You can use the same keystore which was created as part of the HTTPS configuration, or create one using a command like this
...