About Access Gateway certificate use
In general, Secure Sockets Layer (SSL) certificates are used to:
- Establish a secure connection between a browser and a server.
- Encrypt communication to ensure that sensitive information is safe.
- Authenticate an organization's identity.
When properly deployed, a certificate shows a padlock adjacent to the URL of a secured site.
Access Gateway uses certificates to:
- Support HTTPS connectivity between an external load balancer and Access Gateway.
- Securely transmit traffic between Access Gateway and an Okta tenant.
- Provide secure HTTPS communications between Access Gateway and protected resources, which are also called back-end applications.
- Provide secure HTTPS communications between the Access Gateway Admin UI console and a client browser.
From an application perspective, certificates are used to define a secure or trust relationship between an end user and an application using Transport Layer Security (TLS). In this situation, Access Gateway acts as a proxy and redirects application requests to a back-end application. It then serves up the required certificate on behalf of the back-end application.
Depending on how TLS termination is implemented, certificates are served in one of two ways:
- TLS passes through the load balancer, and is terminated at Access Gateway. In this scenario, Access Gateway provides the certificate.
- TLS is terminated at the load balancer. In this scenario, TLS stops at the load balancer, which is then responsible for supplying certificates; Access Gateway is not involved in certificate management.
You can use the Access Gateway Admin UI console to generate self-signed certificates, and to upload and associate certificates obtained from a certificate authority. In general, Access Gateway uses three types of certificates:
- Wildcard certificates: When an application is integrated with Access Gateway, a wildcard certificate is automatically generated based on the Public domain field. Additional applications with similar domains use the same wildcard certificate. For example, the wildcard *.mysite.com covers any host in that domain, such as abc.mysite.com, so all such applications use the same wildcard certificate.
- Self-signed certificates: Optionally, an application can use a self-signed certificate. Self-signed certificates can be generated per application and are specific to the Public domain. A self-signed certificate must be generated explicitly using the Access Gateway Admin UI console for a given application integration. Self-signed certificates are applied ONLY to a single application.
- Uploaded certificates: Uploaded certificates are certificates obtained from a trusted certificate authority and uploaded to Access Gateway or a load balancer. When used with Access Gateway, the certificate is first uploaded using the Access Gateway Admin UI console and then associated with an application.
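To verify which certificate the front end (load balancer or Access Gateway, depending on where TLS terminates) actually presents for an application's public domain, and whether a wildcard such as *.mysite.com covers a given host, here is an added Python example. It is not Okta's code; the hostnames, the sample certificate dict and the `cafile` option for self-signed certificates are constructed assumptions.

```python
import socket
import ssl
from typing import List, Optional


def san_matches_host(pattern: str, hostname: str) -> bool:
    """Match one DNS name from a certificate against a hostname (RFC 6125 rules).

    A wildcard covers exactly one left-most label: *.mysite.com matches
    abc.mysite.com but neither mysite.com nor a.b.mysite.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels) and len(h_labels) >= 3
            and h_labels[0] != "" and p_labels[1:] == h_labels[1:])


def dns_names(cert: dict) -> List[str]:
    """DNS names from an ssl.getpeercert()-style dict (SANs, else subject CN)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_covers_host(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate covers the requested public domain."""
    return any(san_matches_host(n, hostname) for n in dns_names(cert))


def fetch_presented_cert(host: str, port: int = 443, sni: Optional[str] = None,
                         cafile: Optional[str] = None) -> dict:
    """Return the certificate the front end presents for the SNI name `sni`.

    Pass the self-signed or wildcard PEM as `cafile` (assumed path) so that
    certificates that are not publicly trusted can still be inspected.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name check is done by cert_covers_host()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert()


# Constructed sample mirroring what getpeercert() returns for a wildcard cert.
SAMPLE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.mysite.com"),),),
    "subjectAltName": (("DNS", "*.mysite.com"),),
}

if __name__ == "__main__":
    for h in ("abc.mysite.com", "a.b.mysite.com", "mysite.com", "other.com"):
        print(f"{h:16} covered={cert_covers_host(SAMPLE_WILDCARD_CERT, h)}")
```

Replace the sample dict with `fetch_presented_cert("gw.example.com", sni="abc.mysite.com")` (assumed host) to test a live deployment; a certificate from the load balancer rather than Access Gateway tells you TLS is terminated there.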