About application certificate use
Access Gateway applications can make use of three types of certificates:
Access Gateway itself can also take advantage of certificates. See About Access Gateway certificate use for information on Access Gateway and TTLS.
Website owners typically obtain certificates from trusted Certificate Authorities (CA). CAs are trusted entities that manage and issue security certificates and public keys that are used for communication in a public network.
There are three types of SSL certificates each providing a different level of security.
- Domain validated SSL certificates (DV)
These certificates are the least secure of all certificate types.They are issued after an applicant has proven ownership of a domain. Generally, no other validation is performed.
- Organizationally validated SSL certificates (OV)
These certificates require the owner to provide verifiability details of organization, such as registered business name, physical address, and other information. Organizationally validated certificates are preferred over Domain validated certificates.
- Extended validation SSL certificates (EV)
These certificates are a step up from OV certificates and require a considerable review of the requesting company. Typically, such reviews include company documentation, confirmation of the identity of the requester, and more.
Okta recommends the use of Organizationally Validated certificates or Extended Validation certificates whenever possible.
A self-signed certificate is a certificate that is not signed by a certificate authority. Self-signed certificates are free and easy to create. However, these certificates don't provide most of the security properties that certificates signed by a Certificate Authority provide. If used in production, end users who visit that website see a browser warning.
Okta recommends the use of self-signed certificates for development and testing only and never for production use.
A wildcard certificate is a digital certificate that is applied to a domain and all its subdomains. A wildcard notation typically consists of an asterisk and a period before the domain name. For example, *.exampledomain.com.
Access Gateway supports the use of wildcard certificates. Extending a single certificate to subdomains rather than purchasing separate certificates saves money and minimizes administration. However, the downside is that if the certificate is revoked or expired, then all subdomains are impacted.