Format a PKI Certificate Chain

To add a Smart Card identity provider, you must provide a name, the certificate chain, and specify the amount of time for Okta to consider the CRL valid after a successful download.


If you are using more than one certificate, follow this procedure to combine them into a single file.

  1. Convert DER encoded root and intermediate certificates (with .cer, .crt extension) into PEM format using the following openssl command: openssl x509 -inform der -in $input-cert-file-name -out $out-cert-file-name-with-pem-extension
  2. Concatenate all the PEM certificates into a single file with root certificate being the last one using the following command: cat $intermediate-cert-file-1 ... $intermediate-cert-file-N $root-cert-file-with-pem-extension > trust-chain.pem

    Important: Be sure the root certificate is last.

  3. Upload trust-chain.pem when creating the the Smart Card Identity Provider and make sure that no other Smart Cards IDPs exist.

Next task

Add a Smart Card Identity Provider