Certificate chain operations

Certificate chain validation is an Early Access feature. To enable it, contact Okta Support.

The following certificate chain operations are supported:

Add a client certificate chain

To add a new client certificate chain:

  1. Connect to the admin instance Access Gateway Management console.
    ssh oag-mgmt@[admin.tld]
  2. Select c - Client certificate chains.
    The Certificate chain root menu displays and resembles:
    Certificate Chains
    
    Issuer Chains (X total):
    ------------------------
    [1]Cert chain one
    [2]Cert chain two (expired)
    [. . . ] . . .
    [N]Cert chain N
    
    [i]: Scroll up
    [k]: Scroll down 
    
    [a]: Add certificate chain
    [s]: Show complete certificate chains or [h]: Hide complete certificate chains
    [c]: Manage CRL settings
    [d]: Delete 
    [x]: Exit
    
    
    Build: 2021.... OS Version: ...
  3. Select a - Add certificate chain.
    The add certificate chain sub-menu will appear and resemble:

    Add Certificate Chain
    
    Paste the certificate chain into the terminal and press [Ctrl-d] when finished.
    Note: the certificate chain must be in PEM format and must NOT require a pass phrase.
    
    To cancel press [Ctrl-c]
    
    
  4. Paste the certificate into the command window, entering [Ctrl-d] when complete.
    Note

    Invalid or expired certificate chains will result in an error and will not be loaded.

  5. Press any key to continue

Access Gateway will process certificate chains and return to the certificate chain main menu.
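Before pasting a chain at the prompt in step 4, a pre-flight check on the workstation catches the two rejections the console warns about: input that is not a bare PEM certificate block (a private key, or anything pass-phrase protected) and certificates that are expired or about to expire. This is an added example built on openssl, not part of Okta's documentation or of Access Gateway; the function name check_chain_pem and its optional minimum-days argument are assumptions.

```shell
#!/bin/sh
# Pre-flight check for a PEM certificate chain before it is pasted into the
# Access Gateway "Add certificate chain" prompt. Added example, not Okta code.
# Assumes openssl is on PATH and the chain file contains only
# "-----BEGIN CERTIFICATE-----" blocks (PEM, no keys, no pass phrase).
#
# check_chain_pem <file> [min_days_valid]
# Returns 0 when every block is a parseable, unencrypted certificate that stays
# valid for at least min_days_valid days (default 0); otherwise reports the
# first problem on stderr and returns 1.
check_chain_pem() {
    file=$1
    min_days=${2:-0}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Any BEGIN line that is not a certificate (PRIVATE KEY, ENCRYPTED ...)
    # means the input is not what the console accepts.
    if grep -- '-----BEGIN' "$file" | grep -qv -- '-----BEGIN CERTIFICATE-----'; then
        echo "non-certificate PEM block found (private key or encrypted data?)" >&2
        return 1
    fi
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
    if [ "$count" -eq 0 ]; then
        echo "no PEM certificate blocks found in $file" >&2
        return 1
    fi
    i=0
    while [ "$i" -lt "$count" ]; do
        i=$((i + 1))
        # Extract the i-th BEGIN..END block so each certificate is checked alone.
        block=$(awk -v n="$i" '/-----BEGIN CERTIFICATE-----/{c++} c==n{print} /-----END CERTIFICATE-----/{if (c==n) exit}' "$file")
        subject=$(printf '%s\n' "$block" | openssl x509 -noout -subject 2>/dev/null) || {
            echo "block $i is not a parseable X.509 certificate" >&2
            return 1
        }
        # -checkend N succeeds only if the certificate is still valid N seconds from now.
        if ! printf '%s\n' "$block" | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null; then
            echo "block $i ($subject) is expired or expires within $min_days day(s)" >&2
            return 1
        fi
    done
    echo "$count certificate(s) in $file look loadable"
    return 0
}

# Stand-alone use: ./check_chain.sh chain.pem 30
if [ "$#" -gt 0 ]; then
    check_chain_pem "$@"
fi
```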

Delete a certificate or an entire certificate chain

To delete an entire certificate chain:

  1. Connect to the admin instance Access Gateway Management console.
    ssh oag-mgmt@[admin.tld]
  2. Select c - Client certificate chains.
    The Certificate chain root menu displays and resembles:
    Certificate Chains
    
    Issuer Chains (X total):
    ------------------------
    [1]Cert chain one
    [2]Cert chain two (expired)
    [. . . ] . . .
    [N]Cert chain N
    
    [i]: Scroll up
    [k]: Scroll down 
    
    [a]: Add certificate chain
    [s]: Show complete certificate chains or [h]: Hide complete certificate chains
    [c]: Manage CRL settings
    [d]: Delete 
    [x]: Exit
    
    
    Build: 2021.... OS Version: ...
  3. Select d - Delete. The Delete Certificate Chain pop-up menu will display.
  4. Enter an index value representing the certificate chain to delete. Enter [Ctrl-c] to cancel.
  5. The verification message You are about to DELETE: will be displayed, including details of the selected chain.
  6. Enter y to delete the chain, n to cancel.
    Caution

    On completion the certificate will be immediately deleted.

  7. Press any key to continue.

Show/hide certificate chain details

Certificate chains can be displayed either with a minimum of information, showing only the root certificate, or with full details, showing the root, intermediate and entity certificates.
By default, certificate chain details are minimized.

To toggle certificate chain details:

  1. Connect to the admin instance Access Gateway Management console.
    ssh oag-mgmt@[admin.tld]
  2. Select c - Client certificate chains.
    The Certificate chain root menu displays and resembles:
    Certificate Chains
    
    Issuer Chains (X total):
    ------------------------
    [1]Cert chain one
    [2]Cert chain two (expired)
    [. . . ] . . .
    [N]Cert chain N
    
    [i]: Scroll up
    [k]: Scroll down 
    
    [a]: Add certificate chain
    [s]: Show complete certificate chains or [h]: Hide complete certificate chains
    [c]: Manage CRL settings
    [d]: Delete 
    [x]: Exit
    
    
    Build: 2021.... OS Version: ...

  3. Enter s to show details, h to hide details, or x to exit and return to the prior menu.
  4. The certificate chain menu will display with simple or complete details depending on selection.

Manage CRL settings

To manage the certificate revocation list settings:

  1. Connect to the admin instance Access Gateway Management console.
    ssh oag-mgmt@[admin.tld]
  2. Select c - Client certificate chains.
    The Certificate chain root menu displays and resembles:
    Certificate Chains
    
    Issuer Chains (X total):
    ------------------------
    [1]Cert chain one
    [2]Cert chain two (expired)
    [. . . ] . . .
    [N]Cert chain N
    
    [i]: Scroll up
    [k]: Scroll down 
    
    [a]: Add certificate chain
    [s]: Show complete certificate chains or [h]: Hide complete certificate chains
    [c]: Manage CRL settings
    [d]: Delete 
    [x]: Exit
    
    
    Build: 2021.... OS Version: ...
  3. Select c - Manage CRL settings.
    The CRL setting menu will appear, displaying current settings and resembling:

    CRL settings...
    Access Gateway will download a new CRL every:
    3 hours
    Access Gateway will cache the CRL for:
    24 hours
    [e] Edit settings
    [x] Exit
    
    
  4. Enter e - Edit settings or x to exit and return to the prior menu.
    The Edit CRL settings process will begin, requiring you to enter both a download interval and cache period.
    Note that the default values are: download every 6 hours, expire the cache every 24 hours.
    Edit CRL settings...
    How often do you want Access Gateway to download new CRLs?
    Note: must be in hours. Maximum is 24 hrs. Examples, 3,6, 24.
    
    Download frequency in hours[6]:
    
  5. Download frequency in hours [x]: Enter a value greater than 0 and less than or equal to 24, or x to exit without making any changes. Note that the current value is displayed in brackets.
    You will be prompted to enter a cache expiration length. Invalid values will require reentry. [Ctrl-c] can be used to cancel the edit.
    How long should we cache CRLs?
    Note: Must be in hours. Maximum is 72 hrs.  Examples 3,4,24.
    
    Caching period in hours[24]:
    
  6. Cache duration: Enter the length of time to cache the certificate revocation list or x to exit without making any changes.
  7. Changes are saved and the new values displayed.
  8. Press e to re-edit, or x to return to the prior menu.

Related topics

Client Certificate Validation Behavior

Command Line Management Console reference