Application certificate use
You can use three types of certificates for Access Gateway applications: certificates issued by a Certificate Authority, self-signed certificates, and wildcard certificates.
Access Gateway itself can also use certificates. See Certificate use.
Certificates provided by a Certificate Authority
Website owners can obtain certificates from trusted Certificate Authorities (CA). CAs are trusted entities that issue and manage security certificates and public keys used for communication in a public network.
There are three types of CA-issued SSL/TLS certificates, each reflecting a different level of identity validation by the CA. The cryptographic protection of the connection is the same for all three; what differs is how thoroughly the CA checked who is behind the certificate:
- Domain validated SSL certificates (DV): These involve the least validation. The certificate is issued after the applicant proves control of the domain, for example by answering an HTTP or DNS challenge. Generally, no other validation is performed, so the certificate says nothing about the organization operating the site.
- Organization validated SSL certificates (OV): These certificates require the requester to provide verifiable details of the organization, such as registered business name, physical address, and other information, which the CA checks before issuing. The organization name appears in the certificate subject. Organization validated certificates are preferred over Domain validated certificates.
- Extended validation SSL certificates (EV): These certificates are a step up from OV certificates and require a considerable review of the requesting company. Typically, such reviews include company documentation, confirmation of the identity of the requester, and more. Current browsers no longer display EV certificates differently from OV or DV certificates, so the benefit lies in the vetting record, not in what end users see in the address bar.
Okta recommends using Organization Validated certificates or Extended Validation certificates whenever possible.
Common Certificate Authorities include ComodoSSL, DigiCert, GoDaddy, Thawte, and others. Okta doesn't recommend or endorse any particular Certificate Authority.
Self-signed certificates
A self-signed certificate is signed with its own private key rather than by a Certificate Authority. Self-signed certificates are free and easy to create. They still encrypt the connection, but they carry no third-party assurance of the site's identity: a client that hasn't been explicitly configured to trust that exact certificate has no way to tell it apart from one an attacker generated. If used in production, end users who visit that website see a browser warning, and API clients and integrations that validate the certificate chain typically refuse to connect.
Okta recommends the use of self-signed certificates for development and testing only and never for production use.
Wildcard certificates
A wildcard certificate is a digital certificate that covers the subdomains of a domain. The wildcard name consists of an asterisk and a period in place of the leftmost label, for example *.exampledomain.com. Under the hostname matching rules that clients apply (RFC 6125), the asterisk matches exactly one label: *.exampledomain.com covers app.exampledomain.com and api.exampledomain.com, but not exampledomain.com itself or deep.app.exampledomain.com. To cover the bare domain as well, add it as an additional Subject Alternative Name.
Access Gateway supports the use of wildcard certificates. Covering many subdomains with a single certificate rather than purchasing separate certificates saves money and minimizes administration. The downside is that the certificate, and its private key, are shared: if the certificate expires or is revoked, every subdomain is affected at once, and if the private key is exposed on any one host, an attacker can impersonate all of them. Keep the key on as few systems as possible and plan renewals accordingly.
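The following script is an added example, not Okta's or Access Gateway's own code. It uses OpenSSL (1.1.1 or later assumed) to show, for the self-signed and wildcard certificates described above, what a client actually does with them: a self-signed certificate fails chain validation against the system trust store but passes once it is explicitly trusted, a wildcard name matches exactly one label, and a quick subject check separates a DV-style certificate from one that carries an organization. The hostnames, file names and scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (not Okta's code): exercises self-signed and wildcard
# certificate behaviour with OpenSSL 1.1.1+. Hostnames, file names and the
# scratch directory $WORK are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_self_signed NAME DNS_NAME [ORG]
# Creates a certificate signed with its own key (no CA) whose CN and
# subjectAltName are DNS_NAME. ORG, if given, is added as O= so the subject
# looks like an OV/EV subject instead of a DV subject.
make_self_signed() {
  name="$1"; dns="$2"; org="${3:-}"
  subj="/CN=$dns"
  if [ -n "$org" ]; then
    subj="$subj/O=$org"
  fi
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "$subj" -addext "subjectAltName=DNS:$dns" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# chain_verifies CERT [TRUSTED]
# Prints "ok" when OpenSSL can build a trusted chain for CERT, else "fail".
# Without TRUSTED only the system CA store is consulted, which is what a
# browser does, so a self-signed certificate fails there.
chain_verifies() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify "$1" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# cert_matches_host CERT HOST
# Prints "yes" if CERT's names cover HOST under the RFC 6125 rules OpenSSL
# implements (a wildcard matches exactly one DNS label), else "no".
cert_matches_host() {
  out="$(openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null || true)"
  case "$out" in
    *"does match"*) echo yes ;;
    *) echo no ;;
  esac
}

# subject_kind CERT
# Prints "organization" when the subject carries an O= attribute (present on
# OV and EV certificates) and "domain-only" when it holds just a CN, which is
# what a DV certificate looks like. The authoritative signal is the CA/Browser
# Forum policy OID in certificatePolicies (2.23.140.1.2.1 DV, 2.23.140.1.2.2 OV,
# 2.23.140.1.1 EV); the subject check is the quick first look.
subject_kind() {
  subj="$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)"
  case "$subj" in
    *"=O="*|*",O="*) echo organization ;;
    *) echo domain-only ;;
  esac
}

# --- demo: one DV-looking self-signed cert, one OV-looking wildcard cert ----
make_self_signed self "app.example.com"
make_self_signed wild "*.example.com" "Example Corp"

echo "self-signed, system trust store:  $(chain_verifies "$WORK/self.crt")"
echo "self-signed, explicitly trusted:  $(chain_verifies "$WORK/self.crt" "$WORK/self.crt")"
for h in app.example.com api.example.com a.b.example.com example.com; do
  echo "*.example.com covers $h: $(cert_matches_host "$WORK/wild.crt" "$h")"
done
echo "subject of self-signed cert: $(subject_kind "$WORK/self.crt")"
echo "subject of wildcard cert:    $(subject_kind "$WORK/wild.crt")"
```

Run it as-is to see the four checks; point `chain_verifies` at a real certificate with no second argument to reproduce what a browser would decide, and use `cert_matches_host` before deploying a wildcard certificate to confirm that every host name the application answers on, including the bare domain, is actually covered.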