About Access Gateway certificate use

Background

In general, Secure Sockets Layer (SSL) certificates are used to:

  • Establish a secure connection between a browser and a server.
  • Encrypt communication to ensure that sensitive information is safe.
  • Authenticate an organization's identity.

Access Gateway certificate use

Access Gateway uses certificates to:

  • Support HTTPS connectivity between an external load balancer and Access Gateway.
  • Securely transmit traffic between Access Gateway and an Okta tenant.
  • Provide secure HTTPS communications between Access Gateway and protected resources, which are also called back-end applications.
  • Provide secure HTTPS communications between the Access Gateway Admin UI console and a client browser.

Applications use Transport Layer Security (TLS) certificates to define a secure relationship between an end user and an application. Access Gateway acts as a proxy by redirecting application requests to a back-end application, providing the required certificate on behalf of the back-end application.

How TLS termination is implemented determines which component provides the certificate:

  • Access Gateway provides the certificate when TLS passes through the load balancer and terminates at Access Gateway.
  • The load balancer is responsible for supplying certificates when TLS terminates at the load balancer. Access Gateway isn't involved in certificate management.

Wildcard, self-signed, and uploaded certificates

Access Gateway uses three types of certificates:

  • Wildcard certificates: When an application is integrated with Access Gateway, a wildcard certificate is automatically generated based on the value of the Public Domain field. Other applications that have similar domains can use the same wildcard certificate. For example, if the certificate uses the wildcard *.mysite.com, then apps with matching domains (for example, abc.mysite.com) use that certificate.
  • Self-signed certificates: Optionally, an application integration can use a self-signed certificate, which must be generated explicitly from the Access Gateway Admin UI console, and is specific to the public domain. A self-signed certificate is only applied to a single application.
  • Uploaded certificates: Uploaded certificates are certificates obtained from a trusted certificate authority and uploaded to Access Gateway or a load balancer. When used with Access Gateway, the certificate is first uploaded using the Access Gateway Admin UI console and then associated with an application.
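The wildcard rule above (a certificate for *.mysite.com serves abc.mysite.com) is only as safe as the name-matching logic applied to it. The example below is added here and is not Okta's code; the page does not describe how Access Gateway itself compares names, so the function follows the general rules TLS clients apply to certificate names under RFC 6125 section 6.4.3: case-insensitive comparison, a wildcard only as the complete leftmost label, and a wildcard matching exactly one label. The SAN list and the application host names are constructed sample data. The second helper answers the practical planning question the page raises: which integrated applications fall outside the wildcard and therefore need their own self-signed or uploaded certificate.

```python
"""Wildcard certificate name matching (RFC 6125 style). Added example, not Okta code."""
import re

# Constructed sample: the dNSName SAN entries a wildcard certificate might carry.
SAMPLE_SAN_NAMES = ["*.mysite.com", "mysite.com"]

# Constructed sample: public domains of applications integrated with the gateway.
SAMPLE_APP_HOSTS = ["abc.mysite.com", "portal.other.com", "a.b.mysite.com"]

_LABEL = re.compile(r"[a-z0-9-]+")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if hostname matches one certificate name (assumed RFC 6125 rules).

    - comparison is case-insensitive; a trailing dot is ignored
    - a wildcard may appear only as the entire leftmost label ("*.")
    - the wildcard matches exactly one label, so "*.mysite.com" covers
      "abc.mysite.com" but not "a.b.mysite.com" and not "mysite.com"
    - a wildcard whose suffix is a single label ("*.com") is rejected as too broad
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    # Exactly one wildcard, and it must be the whole leftmost label.
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[2:]
    if suffix.count(".") < 1:
        return False
    labels = hostname.split(".")
    if len(labels) < 2:
        return False
    first, rest = labels[0], ".".join(labels[1:])
    return _LABEL.fullmatch(first) is not None and rest == suffix


def certificate_covers(san_names, hostname: str) -> bool:
    """True if any name on the certificate matches the hostname."""
    return any(wildcard_matches(name, hostname) for name in san_names)


def uncovered_apps(san_names, app_hosts):
    """Application hosts the wildcard certificate does NOT serve.

    Each of these needs its own certificate (self-signed or uploaded) on the
    gateway, or on the load balancer if TLS terminates there.
    """
    return [host for host in app_hosts if not certificate_covers(san_names, host)]


if __name__ == "__main__":
    for host in SAMPLE_APP_HOSTS:
        print(f"{host:20s} covered={certificate_covers(SAMPLE_SAN_NAMES, host)}")
    print("need their own certificate:", uncovered_apps(SAMPLE_SAN_NAMES, SAMPLE_APP_HOSTS))
```

Note that a.b.mysite.com is reported as uncovered even though it sits under mysite.com: the wildcard spans one label only, which is the check to run before assuming a multi-level application domain will reuse the generated wildcard certificate.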
