Obtain certificates

During this task you will create or obtain certificates for use with Access Gateway applications.
See About application certificate use for more information about certificate types for use with applications used by Access Gateway.

Certificate Authority provided certificates

Okta recommends the use of Organization Validated (OV) or Extended Validation (EV) certificates whenever possible.

Common certificate authorities include ComodoSSL, DigiCert, GoDaddy, Thawte, and others.
Okta does not recommend or endorse any particular certificate authority.

To obtain a CA-issued certificate, follow the procedure detailed by your certificate authority.


Self-signed certificates

Okta recommends the use of self-signed certificates for development and testing only and never for production use.

To generate a self-signed certificate, use a tool such as openssl. The following session creates a 2048-bit RSA private key (key.pem) and a certificate valid for 365 days (certificate.pem); the -nodes option leaves the key unencrypted.

For example:

$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Generating a RSA private key
...................................
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
. . .
-----
Country Name (2 letter code) [XX]:Your country code
State or Province Name (full name) []:Your state
Locality Name (eg, city) [Default City]:Your City
Organization Name (eg, company) [Default Company Ltd]:Your Company, Inc
Organizational Unit Name (eg, section) []:Your organizational unit
Common Name (eg, your name or your server's hostname) []:*.gateway.info
Email Address []:noreply@gateway.info
$ ls *.pem
key.pem certificate.pem

See https://www.openssl.org/ for more information on OpenSSL.

Wildcard certificates

A wildcard certificate is a digital certificate that applies to a domain and all of its subdomains. The wildcard notation consists of an asterisk, followed by a period, followed by the domain name.
For example, *.exampledomain.com.
Access Gateway supports the use of wildcard certificates. Extending a single certificate to all subdomains rather than purchasing separate certificates saves money and minimizes administration. The downside is that if the certificate is revoked or expires, every subdomain is affected at once.

To obtain a wildcard certificate, follow the procedure detailed by your certificate authority.

Caution

Password-protected certificates:
Access Gateway does not support password-protected certificates. If you upload a password-protected certificate, you must re-enter the certificate's password every time Access Gateway restarts; otherwise the gateway will not function properly.
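The self-signed, wildcard and password-protection points above combined into one pre-upload script, as an added example that is not part of the Okta documentation: it generates a self-signed wildcard certificate non-interactively with openssl, then checks that the key is not password protected, that the wildcard name is on the certificate, and that it is not about to expire. The domain, subject fields and output paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Okta's code). Requires openssl 1.1.1 or later (-addext).
# Domain, subject fields and paths are placeholders; adjust for your setup.

# Create key.pem and certificate.pem for *.DOMAIN in OUTDIR, valid DAYS days.
# -nodes leaves the private key unencrypted; Access Gateway does not support
# password-protected certificates, so an encrypted key would block restarts.
make_wildcard_cert() {
    domain="$1"; days="$2"; outdir="$3"
    mkdir -p "$outdir"
    openssl req -newkey rsa:2048 -nodes -keyout "$outdir/key.pem" \
        -x509 -days "$days" -out "$outdir/certificate.pem" \
        -subj "/C=US/ST=State/L=City/O=Example Inc/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain" 2>/dev/null
}

# Succeeds only if the key loads without a passphrase (not password protected).
key_is_unencrypted() {
    grep -q ENCRYPTED "$1" && return 1
    openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# Print the subject Common Name of a certificate (e.g. *.example.test).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds if NAME is listed as a DNS subjectAltName; modern clients match on
# the SAN list rather than the CN, so the wildcard must appear there too.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -F -q "DNS:$2"
}

# Succeeds if the certificate is still valid SECONDS from now. A wildcard
# certificate expiring takes every subdomain down with it, so check early.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Run every pre-upload check on the files in OUTDIR against DOMAIN.
preflight() {
    outdir="$1"; domain="$2"
    key_is_unencrypted "$outdir/key.pem" || { echo "key is password protected"; return 1; }
    [ "$(cert_cn "$outdir/certificate.pem")" = "*.$domain" ] || { echo "unexpected CN"; return 1; }
    cert_has_san "$outdir/certificate.pem" "*.$domain" || { echo "wildcard SAN missing"; return 1; }
    cert_not_expiring "$outdir/certificate.pem" 2592000 || { echo "expires within 30 days"; return 1; }
    echo "ok: $outdir ready for upload"
}
```

Call `make_wildcard_cert gateway.info 365 ./certs` followed by `preflight ./certs gateway.info`; a non-zero exit from preflight names the first failed check.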

Next Steps