Obtain certificates

Certificate Authority provided certificates

Website owners typically obtain certificates from trusted Certificate Authorities (CA). CAs are trusted entities that manage and issue security certificates and public keys that are used for communication in a public network.

There are three types of SSL certificates, each providing a different level of assurance about who holds the certificate.

  • Domain validated SSL certificates (DV)
    These certificates offer the least assurance of all certificate types. They are issued after an applicant has proven control of a domain. Generally, no other validation is performed.
  • Organizationally validated SSL certificates (OV)
    These certificates require the owner to provide verifiable details about the organization, such as its registered business name, physical address, and other information. Organizationally validated certificates are preferred over domain validated certificates.
  • Extended validation SSL certificates (EV)
    These certificates are a step up from OV certificates and require a considerable review of the requesting company. Typically, such reviews include company documentation, confirmation of the identity of the requester, and more.

Okta recommends the use of Organizationally Validated certificates or Extended Validation certificates whenever possible.


Common certificate authorities include ComodoSSL, DigiCert, GoDaddy, Thawte, and others.
Okta does not recommend or endorse any particular certificate authority.


Self-signed certificates

A self-signed certificate is a certificate that is not signed by a certificate authority. Self-signed certificates are free and easy to create. However, these certificates don't provide most of the security properties that certificates signed by a Certificate Authority provide. If used in production, end users who visit that website see a browser warning.

Okta recommends the use of self-signed certificates for development and testing only and never for production use.


Self-signed certificates can be generated using tools such as OpenSSL.

For example, the following command generates a new 2048-bit RSA private key (unencrypted, because of -nodes) and a certificate valid for 365 days:

$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Generating a RSA private key
...................................
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
. . .
-----
Country Name (2 letter code) [XX]:Your country code
State or Province Name (full name) []:Your state
Locality Name (eg, city) [Default City]:Your City
Organization Name (eg, company) [Default Company Ltd]:Your Company, Inc
Organizational Unit Name (eg, section) []:Your organizational unit
Common Name (eg, your name or your server's hostname) []:*.gateway.info
Email Address []:noreply@gateway.info
$ ls *.pem
certificate.pem key.pem

The Common Name is where the server's hostname (or a wildcard name, as in this example) is entered. Note that modern browsers match the hostname against the Subject Alternative Name extension rather than the Common Name, so a certificate that browsers accept must also carry the hostname as a SAN; with OpenSSL 1.1.1 and later this can be added to the command above with -addext "subjectAltName=DNS:*.gateway.info".

See https://www.openssl.org/ for more information on OpenSSL.

Wildcard certificates

A wildcard certificate is a digital certificate that applies to a domain and all of its subdomains. The wildcard notation consists of an asterisk and a period before the domain name, for example *.exampledomain.com.
Access Gateway supports the use of wildcard certificates. Extending a single certificate to subdomains rather than purchasing separate certificates saves money and minimizes administration. The downside is that if the certificate is revoked or expires, all subdomains are affected, and a compromise of the single private key affects every host that uses it.

Wildcard certificate validity

Wildcard certificates created by a trusted CA are only valid for hostnames one label below the base domain; they do not cover hostnames in tertiary or deeper domains, and the asterisk never matches more than a single label.
For example, given a wildcard certificate with CN=*.gateway.info, accessing https://test.gateway.info results in the certificate being validated successfully, whereas a hostname such as app.test.gateway.info is not covered by that certificate.
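The single-label rule described above, as an added example that is not part of the Okta documentation: a small Python matcher (function names are my own) that shows which hostnames a name such as *.gateway.info covers, applying the checks browsers and OpenSSL enforce (RFC 6125, section 6.4.3).

```python
# Added example (not Okta's code): hostname matching against a certificate
# name, applying the single-label wildcard rule from RFC 6125 section 6.4.3.
# "*.gateway.info" covers exactly one label to the left of the base domain,
# so it matches test.gateway.info but neither gateway.info nor deeper names.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot
      * a name without a wildcard must match label-for-label
      * a wildcard is honoured only as the whole leftmost label
        ("*.example.com", not "f*.example.com" or "foo.*.example.com")
      * the wildcard stands for exactly one label, so "*.gateway.info"
        covers neither "a.test.gateway.info" nor "gateway.info"
      * a wildcard must leave at least two fixed labels ("*.info" is refused)
    """
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return pat == host
    # the wildcard must be the entire leftmost label and appear nowhere else
    if pat[0] != "*" or any("*" in label for label in pat[1:]):
        return False
    if len(pat) < 3:            # refuse over-broad names such as "*.info"
        return False
    if len(host) != len(pat):   # exactly one label: no bare domain, no deeper names
        return False
    return host[1:] == pat[1:] and host[0] != ""

def covered_hosts(pattern: str, hostnames):
    """Partition candidate hostnames into (matched, not_matched) for `pattern`."""
    matched = [h for h in hostnames if wildcard_matches(pattern, h)]
    return matched, [h for h in hostnames if h not in matched]

if __name__ == "__main__":
    # constructed sample hostnames checked against the wildcard name from the text
    ok, rejected = covered_hosts("*.gateway.info", [
        "test.gateway.info", "APP.gateway.info", "gateway.info",
        "a.test.gateway.info", "test.gateway.com",
    ])
    print("covered:", ok)            # ['test.gateway.info', 'APP.gateway.info']
    print("not covered:", rejected)  # the bare domain, the deeper name, the other TLD
```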

Cautions

Caution: Password protected certificates
Access Gateway does not support password protected certificates. If you upload a password protected certificate, you must re-enter the certificate's password every time Access Gateway restarts; otherwise, the gateway will not function properly.
