Create a self-signed certificate

Advanced Server Access can generate self-signed certificates that contain the information needed to connect to an Active Directory domain. Teams must publish these certificates and add them to an Active Directory auth store. Some of the following steps may differ depending on the specific Active Directory environment.

Self-signed certificates are viewed as insecure. Okta doesn't recommend using self-signed certificates outside of testing environments.

  1. Create a self-signed certificate in Advanced Server Access.
    1. Open the Advanced Server Access dashboard.
    2. From the user menu, click Team Settings.
    3. Go to the Passwordless Certificates tab.
    4. Click Create Self-Signed Certificate.
    5. In the Create Self-Signed Certificate window, configure the certificate settings.
    6. Click Create Certificate.

      The certificate is downloaded to your local device. You must move this file to an Active Directory domain controller.

  2. Import the certificate into the Active Directory auth store.
    1. In a command prompt, go to the directory where you stored the self-signed certificate.
    2. Publish the certificate with the following command:

      certutil -dspublish -f YOUR_SELF_SIGNED_CERT NTAuthCA

    3. Add the certificate to the local enterprise NTAuth store (which certutil keeps in the registry) with the following command:

      certutil -enterprise -addstore NTAuth YOUR_SELF_SIGNED_CERT

After the certificate is imported into Active Directory, teams must still distribute the certificate to domain controllers and member servers using a group policy.
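The following PowerShell script is an added example and is not part of the Okta documentation or the Advanced Server Access product. It runs the same two certutil commands as step 2 above, then verifies that the certificate actually landed in both places it must be: the NTAuthCertificates object in the Active Directory configuration partition (what certutil -dspublish writes) and the local enterprise NTAuth store (what certutil -enterprise -addstore writes). It assumes it is run in an elevated PowerShell session on a domain controller by an Enterprise Admin, and the $CertPath value is a placeholder you replace with the file downloaded from Advanced Server Access. The closing audit loop is there because every certificate in NTAuth is trusted to issue certificates that the domain accepts for logon, so the store is worth checking for unexpected entries whenever it is changed.

```powershell
# Added example (not Okta's code): publish the ASA self-signed certificate to
# NTAuth and verify both the AD object and the local enterprise store.
# Assumptions: elevated PowerShell on a domain controller, Enterprise Admin rights,
# $CertPath is a placeholder path to the certificate downloaded from ASA.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath   # placeholder, e.g. C:\certs\asa-selfsigned.cer
)

function Get-NTAuthPublishedCerts {
    # Read the multi-valued cACertificate attribute of the NTAuthCertificates
    # object in the configuration partition; each value is a DER-encoded cert.
    $configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $obj = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($raw in $obj.Properties['cACertificate']) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (,[byte[]]$raw)
    }
}

function Get-LocalNTAuthThumbprints {
    # Parse "Cert Hash(sha1): ..." lines from the local enterprise NTAuth store.
    # Depending on the Windows build certutil prints the hash with or without
    # spaces, so strip whitespace before comparing.
    certutil -enterprise -store NTAuth | ForEach-Object {
        if ($_ -match 'Cert Hash\(sha1\):\s*(.+)$') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$thumb = $cert.Thumbprint.ToUpperInvariant()
Write-Host "Publishing $($cert.Subject) [$thumb]"

# Step 2.2 from the procedure above: publish to the NTAuthCertificates object.
certutil -dspublish -f $CertPath NTAuthCA | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed (exit code $LASTEXITCODE)" }

# Step 2.3: add to the local enterprise NTAuth store on this domain controller.
certutil -enterprise -addstore NTAuth $CertPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -enterprise -addstore failed (exit code $LASTEXITCODE)" }

# Verify the AD object contains the certificate we just published.
$adCerts = @(Get-NTAuthPublishedCerts)
if (-not ($adCerts | Where-Object { $_.Thumbprint.ToUpperInvariant() -eq $thumb })) {
    throw "Certificate $thumb is not present in the NTAuthCertificates object"
}

# Verify the local enterprise store on this host.
if (-not (@(Get-LocalNTAuthThumbprints) -contains $thumb)) {
    throw "Certificate $thumb is not present in the local enterprise NTAuth store"
}

# Audit: anything in NTAuth can issue logon certificates the domain accepts.
# Extend this placeholder allowlist with your enterprise CA thumbprints and
# investigate any entry that is not on it.
$expected = @($thumb)
foreach ($c in $adCerts) {
    if ($expected -notcontains $c.Thumbprint.ToUpperInvariant()) {
        Write-Warning "Unexpected NTAuth entry: $($c.Subject) [$($c.Thumbprint)] expires $($c.NotAfter)"
    }
}
Write-Host "OK: certificate present in NTAuthCertificates and in the local NTAuth store."
```

Run it as `.\Publish-AsaNTAuthCert.ps1 -CertPath C:\certs\asa-selfsigned.cer` (script name and path are placeholders). The local-store check only covers the domain controller the script runs on; the other domain controllers and member servers still receive the certificate through the group policy distribution described above, so rerun the Get-LocalNTAuthThumbprints part on those hosts once policy has applied.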

Next Steps