Certificate chain operations

Certificate validation behavior is an Early Access feature. To enable it, contact Okta Support.

The following certificate chain operations are supported:

Add a client certificate chain

To add a new client certificate chain:

  1. Connect to the admin instance Access Gateway Management console.

  2. Copy
    ssh oag-mgmt@[admin.tld]
  3. Select c - Client certificate chains

    The Certificate chain root menu displays and resembles:

    Copy
    Certificate Chains

    Issuer Chains (X total):
    ------------------------
    [1]Cert chain one
    [2]Cert chain two (expired)
    [. . . ] . . .
    [N]Cert chain N

    [i]: Scroll up
    [k]: Scroll down

    [a]: Add certificate chain
    [s]: Show complete certificate chains or [h]: Hide complete certificate chains
    [c]: Manage CRL settings
    [d]: Delete
    [x]: Exit


    Build: 2021.... OS Version: ...
  4. Select a - Add certificate chain.

  5. Paste the certificate into the command window. Enter Ctrl-d when complete.

    Invalid or expired certificate chains result in error and won't be loaded.

  6. Press any key to continue. Access Gateway processes certificate chains and returns to the certificate chain main menu.

Delete a certificate or an entire certificate chain

To delete an entire certificate chain:

  1. Connect to the admin instance Access Gateway Management console.

  2. Copy
    ssh oag-mgmt@[admin.tld]
  3. Select c - Client certificate chains

    The Certificate chain root menu displays and resembles:

    Copy
    Certificate Chains

    Issuer Chains (X total):
    ------------------------
    [1]Cert chain one
    [2]Cert chain two (expired)
    [. . . ] . . .
    [N]Cert chain N

    [i]: Scroll up
    [k]: Scroll down

    [a]: Add certificate chain
    [s]: Show complete certificate chains or [h]: Hide complete certificate chains
    [c]: Manage CRL settings
    [d]: Delete
    [x]: Exit


    Build: 2021.... OS Version: ...
  4. Select d - Delete. The Delete Cerificate Chain pop-up menu will display.

  5. Enter an index value representing the certificate chain to delete. Enter Ctrl-C to cancel.

  6. The You are about to DELETE: verification message will be displayed, including details of the selected chain.

  7. Enter y to delete the chain, n to cancel.

    On completion the certificate will be immediately deleted.

  8. Press any key to continue.

Show/hide certificate chain details

You can display certificate chains either with a minimum of information, showing only the root certification, or detailed information, where the root, intermediate, and entity certificates are shown. The default setting hides the certificate chain details.

To toggle certificate chain details:

  1. Connect to the admin instance Access Gateway Management console.
    ssh oag-mgmt@[admin.tld]
  2. Select c - Client certificate chains.
    Copy
    Certificate Chains

    Issuer Chains (X total):
    ------------------------
    [1]Cert chain one
    [2]Cert chain two (expired)
    [. . . ] . . .
    [N]Cert chain N

    [i]: Scroll up
    [k]: Scroll down

    [a]: Add certificate chain
    [s]: Show complete certificate chains or [h]: Hide complete certificate chains
    [c]: Manage CRL settings
    [d]: Delete
    [x]: Exit


    Build: 2021.... OS Version: ...

  3. Enter s to show details, h to hide details or x to exit and return to the prior menu.
  4. The certificate chain menu displays either simple or complete details depending on the selection.

Manage CRL settings

To manage the certificate revocation list settings:

  1. Connect to the admin instance Access Gateway Management console.
    ssh oag-mgmt@[admin.tld]
  2. Select c - Client certificate chains.
    Copy
    Certificate Chains

    Issuer Chains (X total):
    ------------------------
    [1]Cert chain one
    [2]Cert chain two (expired)
    [. . . ] . . .
    [N]Cert chain N

    [i]: Scroll up
    [k]: Scroll down

    [a]: Add certificate chain
    [s]: Show complete certificate chains or [h]: Hide complete certificate chains
    [c]: Manage CRL settings
    [d]: Delete
    [x]: Exit


    Build: 2021.... OS Version: ...
  3. Select c - Manage CRL settings.

    CRL settings... Access Gateway will download a new CRL every: 3 hours Access Gateway will cache the CRL for: 24 hours [e] Edit settings [x] Exit
  4. Enter e - Edit settings or x to exit and return to the prior menu.
    The Edit CRL settings process will begin, requiring you to enter both a download interval and cache period.
    Note the default values are download every 6 hours, expire cache every 24hrs. Edit CRL settings... How often do you want Access Gateway to download new CRLs? Note: must be in hours. Maximum is 24 hrs. Examples, 3,6, 24. Download frequency in hours[6]:
  5. Download frequency in hours [x]: Enter a value greater then 0 and less than or equal to 24, or x to exit without making any changes. Note the current value is displayed in brackets.
    You will be prompted to enter a cache expiration length. Invalid values will require reentry. [Ctrl-c] can be used to cancel the edit.
    How long should we cache CRLs? Note: Must be in hours. Maximum is 72 hrs. Examples 3,4,24. Caching period in hours[24]:
  6. Cache duration: Enter the length of time to cache the certificate revocation list or x to exit without making any changes.
  7. Changes are saved and the new values displayed.
  8. Press e to re-edit, or x to return to the prior menu.

Related topics

Client Certificate Validation Behavior

Command Line Management Console reference