Revoke a user's certificate from the Okta Certificate Authority

You may need to revoke an end user's Device Trust certificate(s) from the Okta Certificate Authority. This is recommended if the computer is lost or stolen, or if the end user is deactivated. To re-secure an end user's computer with Device Trust after revoking their Device Trust certificate(s), you need to remove the revoked certificate from their computer before enrolling a new certificate.

Managed Windows desktop computers


  1. Go to Directories > People.

  2. Click the end user whose Device Trust certificate you want to revoke.

  3. In the More Actions menu, click Revoke Trust Certificate.

  4. Read the message that displays, and then click Revoke Trust Certificate.

  5. (Optional) If you want to re-secure the end user's computer with Device Trust, first remove any existing Device Trust certificate from the computer.

    • To remove a certificate from a single computer (such as during testing or the Proof of Concept phase of your implementation), use a third-party management tool such as Certificate Manager Tool (Certmgr.exe) to remove the certificate issued by the Okta MTLS Certificate Authority.

    • To remove certificates from multiple computers, use a third-party management tool such as GPO or SCCM to remove the certificate issued by the Okta MTLS Certificate Authority.
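The removal in step 5 can also be scripted with PowerShell's built-in certificate provider. The following is an added example, not part of the original Okta procedure. It assumes the Device Trust certificate is in the signed-in user's Personal store and that its Issuer field contains the name "Okta MTLS Certificate Authority"; both are parameters, so confirm them on an enrolled computer first.

```powershell
# Added example (not Okta's own tooling): find and remove certificates
# issued by the Okta MTLS Certificate Authority.
# Assumptions: the store path and the issuer substring defaults below.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$StorePath   = 'Cert:\CurrentUser\My',
    [string]$IssuerMatch = 'Okta MTLS Certificate Authority'
)

# Select only certificates whose issuer matches; everything else is left alone.
$certs = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" }

if (-not $certs) {
    Write-Output "No certificate with issuer matching '$IssuerMatch' in $StorePath."
    return
}

foreach ($cert in $certs) {
    # Emit a record of each match so the removal can be audited afterwards.
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
    }

    # -WhatIf makes ShouldProcess return $false, so nothing is deleted in a dry run.
    if ($PSCmdlet.ShouldProcess($cert.Thumbprint, 'Remove certificate and private key')) {
        # -DeleteKey also removes the associated private key, so the revoked
        # credential does not remain on disk.
        Remove-Item -LiteralPath $cert.PSPath -DeleteKey
    }
}
```

Run the script with -WhatIf first to list the matching certificates without deleting anything, then run it again without -WhatIf to remove them.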


Jamf Pro-managed macOS devices


  1. Go to Directories > People.

  2. Click the end user whose Device Trust certificate you want to revoke.

  3. In the More Actions menu, click Revoke Trust Certificate.

  4. Read the message that displays, and then click Revoke Trust Certificate.

  5. To remove the Device Trust certificate for any reason (such as prior to re-securing a computer with Device Trust), first remove any existing Device Trust certificate from the computer. You can use a command line or create an uninstall script in Jamf Pro. Both uninstall methods remove all Device Trust related artifacts from the macOS device.
  6. Security best practice: If you plan to reuse the script that you downloaded and modified in Part Ⓑ, make sure to first remove the Org Token before using it. Also, the token is not necessary for the uninstall operation.

    • Remove through a command line — Open a terminal on the target computer and issue the command python <fileName>.py uninstall, where <fileName> is the name of the Okta Device Registration Task. For example, if the name of the Okta Registration Task is MacOktaDeviceRegistrationTaskSetup.1.0.2.py, you would issue this command:

      python MacOktaDeviceRegistrationTaskSetup.1.0.2.py uninstall

    • Remove with an uninstall script — Create an uninstall script in Jamf Pro configured to pass the uninstall parameter. For details, see the procedure Adding a Script to Jamf Pro in Jamf Pro documentation.