Certificate Management


Overview

The purpose of this tutorial is to walk through the process of configuring certificates within Okta Access Gateway.


Prerequisites



Background

Certificates are made available to the Access Gateway and its applications in two ways: they are either generated automatically by the gateway (self-signed) or loaded by an administrator through the management console.

When creating an application, the following logic is used to associate a certificate with the new application:

  1. If a certificate already exists for the application domain, then the application uses the existing certificate.
    The certificate could have been created automatically, or loaded through the management console.

  2. If no certificate exists, then a self-signed wildcard or hostname certificate is created and associated with the application.


Auto Generated Self-Signed Certificates

When an application is created and no certificate has been loaded that corresponds to the application’s domain, a self-signed certificate is generated. Browsers do not trust such a certificate, so it is suitable only for testing. The following sections show how to create applications using wildcard and hostname certificates.

To use an auto-generated wildcard certificate in the Access Gateway:

  1. In a web browser, log in to the Access Gateway Admin console.

  2. Select the Applications tab.

  3. Click the pencil (edit) icon in the row containing the application that should be associated with the certificate.
    In this tutorial we use the Sample Header App.

  4. In the Settings tab, expand Advanced.

  5. Ensure the Certificate Type toggle is disabled (disabled selects a wildcard certificate; enabled selects a hostname certificate).

  6. Click Done.

  7. In the same row, click the Goto Application icon.

    Note: Your Okta tenant administrator will need to assign the sample application to you.

    Note: Generated self-signed certificates should not be used in production environments.

  8. When the application loads, click the Not Secure indicator next to the application URL. The browser shows this warning because the certificate is self-signed rather than issued by a CA the browser trusts.

    Note: This tutorial uses Google Chrome. Other browsers have similar functionality but may use different steps.

  9. Click Certificate.

    The certificate associated with the application is then displayed.

    Note: With wildcard certificates, the domain shown in the Issued to: field is prefixed by an * (asterisk) to show that this certificate can be used for any hostname directly under the application's domain.
    Note the Issued by: field, which names the same entity as Issued to:, indicating that this is a self-signed certificate.


Configuring Apps with Hostname Certificates

To use an auto-generated hostname certificate in the Okta Access Gateway:

  1. In a web browser, log in to the Access Gateway Admin console.

  2. Select the Applications tab.

  3. Click the pencil (edit) icon in the row containing the application that should be associated with the certificate.

  4. In the Settings tab, expand Advanced.

  5. Ensure the Certificate Type toggle is enabled.

  6. Click Done.

  7. In the same row, click the Goto Application icon.

    Note: Your Okta tenant administrator will need to assign the sample application to you.

  8. When the application loads, click the Not Secure indicator to the left of the application URL.

  9. Click Certificate.
    The self-signed hostname certificate is displayed.

  10. Note: For hostname certificates, the domain shown in the Issued to: field is the fully qualified domain name (FQDN) of the host server, so the certificate is valid only for that exact hostname.


Adding Certificates and Replacing an Auto-Generated Certificate with a Valid Certificate

The steps below show how the command line console can be used to replace an automatically generated certificate with a user-supplied certificate.

Note: User-supplied certificates are normally issued and signed by a trusted CA, but can also be self-signed.

  1. Using SSH, connect to the Access Gateway command line console. For a complete list of command line console commands, see here.

  2. Enter 2 to enter the Services sub-menu.

  3. Enter 1 to enter the NGINX sub-menu.

  4. Enter 6 to update an SSL certificate.
    All existing certificates are displayed, in a list resembling:

    Available Certificates:
    -----------------------
    [1] admin.crt
    [2] gateway_info.crt
    [3] localhost.crt
    . . . 
    [a] Add new certificate
    [x] Exit
    [#, a, x]: 
    

  5. Select a command to perform:

    1. x - Exit the add/modify certificates sub-menu.
    2. a - Add a new certificate.
    3. # - Modify (replace) the existing certificate with that number.

Reference and Notes

Caution: Password protected certificates: Access Gateway does NOT support certificates whose private key is password (passphrase) protected. If such a certificate is uploaded, the passphrase must be re-entered every time NGINX restarts, or else the gateway will not function properly. Remove the passphrase before uploading (for example with openssl pkey or openssl rsa) and rely on file permissions on the gateway to protect the unencrypted key.

  • Wildcard certificate validity: A wildcard matches exactly one DNS label. A wildcard certificate issued by a trusted CA therefore covers hostnames directly under the wildcard's domain, but not hostnames one or more levels deeper, and not the bare domain itself.
    For example: Given a wildcard certificate with CN=*.gateway.info, accessing https://test.gateway.info will result in the certificate being validated successfully, whereas https://app.test.gateway.info and https://gateway.info will not match it.

  • Generating self-signed certificates for testing: Self-signed certificates can be generated using tools such as openssl. Note that current browsers check the hostname against the subjectAltName extension and ignore the Common Name, so a certificate with only a CN will still be reported as invalid for the host even if the name matches.
    For example:

    $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
    Generating a RSA private key
    ...................................
    writing new private key to 'key.pem'
    -----
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    . . .
    -----
    Country Name (2 letter code) [XX]:Your country code
    State or Province Name (full name) []:Your state
    Locality Name (eg, city) [Default City]:Your City
    Organization Name (eg, company) [Default Company Ltd]:Your Company, Inc
    Organizational Unit Name (eg, section) []:Your organizational unit
    Common Name (eg, your name or your server's hostname) []:*.gateway.info
    Email Address []:noreply@gateway.info
    $ ls *.pem
    key.pem certificate.pem
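The following script is an added example and is not code from the Okta Access Gateway documentation. It ties together the points above: it generates a self-signed wildcard certificate non-interactively (with a subjectAltName, which browsers require), checks that the private key is not passphrase-protected (the condition the Caution above warns about), confirms the certificate is self-signed in the same way the browser's Issued to: / Issued by: fields do, and demonstrates which hostnames the wildcard covers. It assumes OpenSSL 1.1.1 or later (for -addext, -verify_hostname and x509 -ext); the domain gateway.info is taken from the page's own example, and the file and function names are ours.

```shell
#!/bin/sh
# Added example (not from the Okta page). Assumes OpenSSL >= 1.1.1.
# gateway.info is the domain from the page's example; all names below are ours.
set -eu

DOMAIN="${DOMAIN:-gateway.info}"
WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/key.pem"
CERT="$WORK/certificate.pem"

# Non-interactive equivalent of the page's openssl req command, plus the SAN
# that browsers actually check. -nodes leaves the private key unencrypted,
# which is what Access Gateway needs.
gen_wildcard_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=*.$DOMAIN" \
        -addext "subjectAltName=DNS:*.$DOMAIN" >/dev/null 2>&1
}

# True when the key is not passphrase-protected: the PEM header is
# "PRIVATE KEY" rather than "ENCRYPTED PRIVATE KEY", and it parses without -passin.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$KEY" && openssl pkey -in "$KEY" -noout >/dev/null 2>&1
}

# True when subject and issuer are the same DN, which is what a self-signed
# certificate looks like in the browser's "Issued to" / "Issued by" fields.
is_self_signed() {
    subj=$(openssl x509 -in "$CERT" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$CERT" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# True when the certificate's names cover the hostname in $1. The certificate is
# used as its own trust anchor so that only name matching is tested, not the chain.
cert_matches_host() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

# Command-line equivalent of clicking "Not Secure" > "Certificate" in the
# browser: show what a live server presents. Needs network access, so the
# checks below do not exercise it.
served_cert_summary() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

gen_wildcard_cert
echo "key unencrypted: $(key_is_unencrypted && echo yes || echo no)"
echo "self-signed:     $(is_self_signed && echo yes || echo no)"
# A wildcard matches exactly one label: test.gateway.info yes,
# app.test.gateway.info no, gateway.info itself no.
for h in "test.$DOMAIN" "app.test.$DOMAIN" "$DOMAIN"; do
    if cert_matches_host "$h"; then
        echo "$h: matches *.$DOMAIN"
    else
        echo "$h: does NOT match *.$DOMAIN"
    fi
done
```

Run it as-is to see the three hostname results; `served_cert_summary app.example.com` can then be pointed at the gateway once the certificate has been uploaded, to confirm that the served subject, issuer, dates and SAN are the ones you expect rather than the auto-generated ones.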
    

Next Steps

  • Create self-signed certificates using openssl and similar tools for test environments.
  • Obtain certificates from publicly trusted certificate authorities (for example Let's Encrypt, a commercial CA, or your DNS provider's CA) for production.