Passwordless certificates

Passwordless certificates allow users to connect to servers without entering a password. Users must still sign in to their Okta account before connecting to a server. Teams can assign a certificate to one or more Active Directory (AD) connections.

Teams manage certificates from the Passwordless Certificates tab on the Team Settings page. From here, teams can create self-signed certificates or upload an existing signed certificate from their local device. After creating a certificate, admins can review the status and expiration date of each certificate.

When teams create an AD connection, Advanced Server Access can automatically create and assign a self-signed certificate. Teams can also manually assign a certificate to existing AD connections.

The domain controller that authenticates the login request using these passwordless certificates must allow outbound communication to This is because the Advanced Server Access CRL distribution point for passwordless certificates is hosted on that website.
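The following PowerShell check is an added example, not part of the Okta documentation or product. It reads the CRL distribution point URL from an exported passwordless certificate and tests whether the domain controller can fetch it. It assumes the certificate carries a CRL Distribution Points extension with an HTTP(S) URL; the file path and function names are hypothetical.

```powershell
# Added example (not Okta code). Run on the domain controller that authenticates the logins.
function Get-CrlDistributionPointUrl {
    param([Parameter(Mandatory)][string]$CertPath)
    $path = (Resolve-Path -LiteralPath $CertPath).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
    # 2.5.29.31 is the OID of the CRL Distribution Points extension.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    # On Windows, Format() renders each location as "URL=<uri>"; keep only HTTP(S) entries.
    [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlReachable {
    param([Parameter(Mandatory)][string]$CertPath)
    $urls = @(Get-CrlDistributionPointUrl -CertPath $CertPath)
    if ($urls.Count -eq 0) {
        Write-Warning "No HTTP(S) CRL distribution point found in $CertPath"
        return
    }
    foreach ($url in $urls) {
        $result = [pscustomobject]@{ Url = $url; Reachable = $false; Detail = '' }
        try {
            # A blocked egress rule or proxy failure surfaces here as an exception.
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            $result.Reachable = ($resp.StatusCode -eq 200)
            $result.Detail = "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
        } catch {
            $result.Detail = $_.Exception.Message
        }
        $result
    }
}

# Hypothetical path to the certificate exported from the Passwordless Certificates tab.
Test-CrlReachable -CertPath 'C:\Temp\passwordless-cert.cer'
```

Run it from the domain controller itself; a successful fetch from an admin workstation says nothing about the domain controller's outbound rules.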

Passwordless certificates are currently incompatible with the Okta Credential Provider for Windows.