Create a self-signed certificate

Advanced Server Access can generate self-signed certificates that contain the information needed to connect to an Active Directory (AD) domain. Teams must publish these certificates and add them to an AD auth store. Some of the following steps may differ depending on the specific AD environment.

Self-signed certificates are generally viewed as insecure. Okta doesn’t recommend using self-signed certificates outside of testing environments.

  1. Create a self-signed certificate in Advanced Server Access.
    1. Open the Advanced Server Access dashboard.
    2. From the user menu, click Team Settings.
    3. Go to the Passwordless Certificates tab.
    4. Click Create > Self-Signed Certificate.
    5. In the Create Self-Signed Certificate window, configure the certificate settings.
    6. Click Create Certificate.
      The certificate is downloaded to your local device. You must move this file to an AD domain controller.
  2. Import the certificate into the AD auth store.
    Note: You must adjust the following commands to use the name of your self-signed certificate.
    1. In a command prompt, navigate to the directory where you stored the self-signed certificate.
    2. Publish the certificate with the following command:
      certutil -dspublish -f YOUR_SELF_SIGNED_CERT NTAuthCA
    3. Add the certificate to the local NTAuth store (held in the registry) with the following command:
      certutil -enterprise -addstore NTAuth YOUR_SELF_SIGNED_CERT
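
The following PowerShell function is an added example, not Okta's own script, that wraps steps 2.2 and 2.3 above: it loads the downloaded certificate, checks that it really is self-signed and currently valid, runs the two certutil commands, and then confirms that the certificate's thumbprint is present both in the local NTAuth store and on the NTAuthCertificates object in the AD configuration partition. The function name and the `-CertPath` parameter are assumptions; the AD check uses the ActiveDirectory module. Run it from an elevated prompt on a domain controller, with an account that is allowed to publish to the configuration partition (Enterprise Admins by default).

```powershell
# Added example (not part of the Okta documentation): import an Advanced Server
# Access self-signed certificate into the AD NTAuth store and verify the result.
# Function name and parameter are assumptions chosen for this example.
function Import-AsaNtAuthCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$CertPath   # path to the .cer file downloaded from Advanced Server Access
    )

    $ErrorActionPreference = 'Stop'

    if (-not (Test-Path -Path $CertPath -PathType Leaf)) {
        throw "Certificate file not found: $CertPath"
    }

    # Load the certificate so we can inspect what we are about to trust for domain logon.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # A self-signed certificate has identical subject and issuer. Anything else is
    # not the certificate the procedure above describes, so stop here.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a self-signed certificate: subject '$($cert.Subject)', issuer '$($cert.Issuer)'"
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    Write-Host "Importing certificate"
    Write-Host "  Subject    : $($cert.Subject)"
    Write-Host "  Thumbprint : $($cert.Thumbprint)"
    Write-Host "  Valid      : $($cert.NotBefore) to $($cert.NotAfter)"

    # Step 2.2: publish to the NTAuthCertificates object in the AD configuration partition.
    & certutil -dspublish -f $CertPath NTAuthCA
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

    # Step 2.3: add to the local enterprise NTAuth store (kept in the registry).
    & certutil -enterprise -addstore NTAuth $CertPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

    # Verify the local store: certutil -store accepts a SHA1 thumbprint as the
    # certificate id and exits non-zero when no matching certificate exists.
    & certutil -enterprise -store NTAuth $cert.Thumbprint | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Certificate $($cert.Thumbprint) not found in local NTAuth store" }

    # Verify the directory object. cACertificate is multi-valued DER bytes; decode
    # each value and compare thumbprints. If this fails right after publishing,
    # the DC being queried may simply not have replicated the change yet.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ntAuthDn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    $ntAuth   = Get-ADObject -Identity $ntAuthDn -Properties cACertificate
    $published = @($ntAuth.cACertificate | ForEach-Object {
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$_)).Thumbprint
    })
    if ($published -notcontains $cert.Thumbprint) {
        throw "Certificate $($cert.Thumbprint) not present on $ntAuthDn"
    }

    Write-Host "Certificate $($cert.Thumbprint) is present in both the AD and local NTAuth stores."
    return $cert.Thumbprint
}

# Usage (file name is a placeholder for the certificate you downloaded):
# Import-AsaNtAuthCertificate -CertPath .\YOUR_SELF_SIGNED_CERT.cer
```

Everything in the NTAuth store is trusted to issue certificates that domain controllers accept for logon, so the subject, issuer and thumbprint printed before the import are worth comparing against the certificate you actually created in Advanced Server Access before letting the function continue. The thumbprint it returns is also the value to keep for the later Group Policy step, and it is the value to search for if the certificate ever has to be removed from both stores.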

After the certificate is imported into AD, teams must still distribute the certificate and configure the related settings by using a group policy.

Next Steps