Create a self-signed certificate

A self-signed certificate is generated by Advanced Server Access and contains information needed to allow connections to an Active Directory (AD) domain. After the certificate is created within Advanced Server Access, teams must publish the certificate and add it to an auth store on the AD domain. Some of the steps outlined below may differ depending on your specific AD environment.

Self-signed certificates are generally viewed as insecure. Okta does not recommend using self-signed certificates outside of testing environments.

Okta recommends placing Advanced Server Access-protected servers in a separate Organizational Unit (OU) from other resources on the domain. Teams should apply any Group Policy Object (GPO) from this process to servers within the separated OU.

  1. Create a self-signed certificate in Advanced Server Access.
    1. Open the Advanced Server Access dashboard.
    2. From the user menu, click Team Settings.
    3. Go to the Passwordless Certificates tab.
    4. Click Create > Self-Signed Certificate.
    5. In the Create Self-Signed Certificate window, configure the certificate settings.
    6. Click Create Certificate.
      The certificate is downloaded to your local device. You will need to move this file to an AD domain controller.
  2. Import the certificate into the AD auth store.
    Note: You must adjust the following commands to use the name of your self-signed certificate.
    1. In a command prompt, navigate to the directory where you stored the self-signed certificate.
    2. Publish the certificate with the following command:
      certutil -dspublish -f YOUR_SELF_SIGNED_CERT NTAuthCA
    3. Add the certificate into the registry with the following command:
      certutil -enterprise -addstore NTAuth YOUR_SELF_SIGNED_CERT
  3. Distribute the certificate to client servers using Group Policy.
    1. Start the Group Policy Management snap-in.
    2. Create a new GPO for the Advanced Server Access OU.
    3. Right-click the GPO and click Edit.
    4. In the console tree, go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
    5. Right-click Trusted Root Certification Authorities and click Import.
    6. In the Welcome to the Certificate Import Wizard, click Next.
    7. Specify the path to the certificate file and click Next.
    8. Click Place all certificates in the following store and click Next.
    9. Verify the information and click Finish.
  4. Disable Network Level Authentication using Group Policy.
    This step is not required if your Advanced Server Access gateway is on the same subnet as your servers.
    1. From the Group Policy Management snap-in, locate the Advanced Server Access GPO you created previously.
    2. Right-click the GPO and click Edit.
    3. In the console tree, go to Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.
    4. Double-click Require user authentication for remote connections by using Network Level Authentication.
    5. In the properties window, select Disabled.
    6. Click Apply and then click OK.
  5. Optional. Require smart card authentication for accounts.
    Important: Teams should only apply this policy to Advanced Server Access-protected servers. If your Okta org uses Active Directory delegated authentication, applying this policy to user accounts will make them unable to access the Okta dashboard.
    1. From the Group Policy Management snap-in, locate the Advanced Server Access GPO you created previously.
    2. Right-click the GPO and click Edit.
    3. In the console tree, go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
    4. Double-click Interactive logon: Require Windows Hello for Business or smart card.
      Note: In some Windows versions, this setting may be located at a different location and named Interactive logon: Require smart card.
    5. In the properties window, select Define this policy setting.
    6. Select Enabled.
    7. Click Apply and then click OK.
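
The following PowerShell is an added example, not part of Okta's documentation or tooling. Publish-AsaNtAuthCert (a hypothetical helper name) runs the two certutil commands from step 2 on a domain controller and then confirms the certificate actually landed in both NTAuth locations, comparing thumbprints so a stale or wrong certificate is not mistaken for the one just created. Test-AsaServerPolicy (also hypothetical) runs on a server in the Advanced Server Access OU after gpupdate and confirms the GPO settings from steps 3 to 5 took effect. It assumes an elevated PowerShell session and, on the domain controller, the RSAT ActiveDirectory module.

```powershell
# Added example, not Okta's own code. Assumes elevated PowerShell; the DC
# helper also assumes the RSAT ActiveDirectory module is installed.
using namespace System.Security.Cryptography.X509Certificates

function Publish-AsaNtAuthCert {
    param([Parameter(Mandatory)][string]$CertPath)   # certificate downloaded from ASA
    $thumb = ([X509Certificate2]::new($CertPath)).Thumbprint

    # Steps 2.2 and 2.3 of the procedure, unchanged.
    certutil -dspublish -f $CertPath NTAuthCA | Out-Null
    certutil -enterprise -addstore NTAuth $CertPath | Out-Null

    # -dspublish NTAuthCA writes to the NTAuthCertificates object in the
    # configuration partition; read it back and compare thumbprints.
    Import-Module ActiveDirectory
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -Identity "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfg" `
                        -Properties cACertificate
    $inAD = @($obj.cACertificate | ForEach-Object {
        [X509Certificate2]::new([byte[]]$_).Thumbprint }) -contains $thumb

    # -enterprise -addstore NTAuth writes one registry key per thumbprint.
    $inLocal = Test-Path "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\$thumb"

    [pscustomobject]@{ Thumbprint = $thumb; InAdNtAuth = $inAD; InLocalNtAuth = $inLocal }
}

function Test-AsaServerPolicy {
    # Run on a server in the ASA OU after 'gpupdate /force'.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $nla = (Get-ItemProperty -Path $ts  -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $sc  = (Get-ItemProperty -Path $sys -Name scforceoption     -ErrorAction SilentlyContinue).scforceoption

    [pscustomobject]@{
        TrustedRootHasCert = Test-Path "Cert:\LocalMachine\Root\$Thumbprint"  # step 3
        NlaDisabled        = ($nla -eq 0)   # step 4: policy value 0 means Disabled
        SmartCardRequired  = ($sc -eq 1)    # step 5 (optional): 1 means Enabled
    }
}
```

Any field reporting $false points at the step that did not apply; a missing AD entry usually means -dspublish was run without sufficient rights, while a missing Root entry on a server usually means the GPO is linked to the wrong OU.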
