In general, Secure Socket Layer(SSL/X509) certificates are used to:
- Establish a secure connection between a client and a server.
- Client - A browser or VPN client
- Server - <your-org>.okta.com or the Okta RADIUS agent
- Encrypt communication to ensure that sensitive information is safe.
- Authenticate an organization's identity.
Various subsystems including Okta RADIUS agents uses certificates to:
- Secure communications when using the Extensible Authentication Protocol /Tunneled Transport Layer Security protocol or EAP/TTLS.
Certificate issuers and types
A digital certificate certifies the ownership of a public key by the named subject of the certificate.
From an issuer perspective there are three certificate types:
- Certificate Authority (Root CA) certificates are those owned and managed by certificate authorities (CAs). CAs are entities that issues digital certificates.
- Intermediate certificates are certificates granted to a company or by a company to a subordinate division. Intermediate certificates can be used by themselves but are often use to sign lower level intermediate certificates or end certificates.
- End certificates are certificates that are created by a individual company from one of their intermediate certificates for individual use.
Certificate chains are groupings of certificates. Okta typically in requires all certificate changes be in Privacy Enhanced Mail (PEM) format.
Certificate chains are the contents of all certificates concatenated together in order from entity certificate to trusted root certificate. If there are multiple intermediate certificates then they also must be included in the chain. Certificates can be concatenated together using an editor or command line tools.
For example under Linux, to concatenate an entity certificate, an intermediate certificate and the entities private key:
cat entity.pem intermediate.pem entity-primarykey.pem > certificate-chain.pem
When chained, groupings of certificates resemble:
-----BEGIN CERTIFICATE----- .... (entity certificate contents) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- .... (Intermediate certificate contents) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- .... (Trusted root certificate contents, only required for self signed chains) -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- .... (entity private key contents) -----END RSA PRIVATE KEY-----
You must create a chain containing each certificate, starting with all intermediate certificates followed by the entity certificate, but excluding the trusted CA root certificate. The root certificate is only required when using self-signed certificate chains. For EAP-TTLS or EAP-GTC, also include the entity private key.
Generally, Okta requires certificates in PEM format. If you have received or generated certificates in another format they may need to be converted to PEM before being concatenated and then uploaded. Various tools can be used to convert a certificate from one format to another, including openssl.
The following examples show converting various formats to .PEM.
CRT to PEM
openssl x509 -in cert.crt -outform PEM -out cert.pem
CER to PEM
openssl x509 -in cert.cer -outform DER -out cert.pem
Additionally, EAP-TTLS and EAP-GTC protocols support pfx and p12 formats, which allow the specification of a password to protect an associated private key.
Convert to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt
Sample command to convert to P12
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.crt
Multiple additional input and conversions also exist. See the openssl documentation and the openssl man page for more information.