Obtain certificates

During this task you will create or obtain certificates for use with Access Gateway applications.
See Application certificate use for more information about certificate types for use with applications used by Access Gateway.


Certificate Authority provided certificates

Okta recommends the use of Organizationally Validated certificates or Extended Validation certificates whenever possible.

Common Certificate authorities include: ComodoSSL, Digicert, GoDaddy, Thawte, and others.
Okta does not recommend or endorse any particular certificate authority.

To obtain a CA based certificate, follow the procedure detailed by your certificate authority.

Self-signed certificates

Okta recommends the use of self-signed certificates for development and testing only and never for production use.

To generate a self-signed certificate:

You can generate self-signed certificates. For example, using openssl:

$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem Generating a RSA private key ................................... writing new private key to 'key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. . . . ----- Country Name (2 letter code) [XX]: <country code> State or Province Name (full name) []: <state> Locality Name (eg, city) [Default City]: <city> Organization Name (eg, company) [Default Company Ltd]: <company name> Organizational Unit Name (eg, section) []: <org unit> Common Name (eg, your name or your server's hostname) []: *.gateway.info Email Address []: noreply@gateway.info $ ls *.pem key.pem certificate.pem

See https://www.openssl.org/.

Wildcard certificates

A wildcard certificate is a digital certificate that is applied to a domain and all its subdomains. A wildcard notation typically consists of an asterisk, followed by a period, followed by a domain name.
For example, *.exampledomain.com.
Access Gateway supports the use of wildcard certificates. Extending a single certificate to subdomains rather than purchasing separate certificates saves money and minimizes administration. However, the downside is that if the certificate is revoked or expired, then all subdomains are impacted.

To obtain a wild card certificate, follow the procedure detailed by your certificate authority.

Password Protected Certificates:

Access Gateway does not support password protected certificates. If you upload a password protected certificate, you must re-enter the certificate’s password every time Access Gateway restarts, otherwise the gateway will not function property.

Next Steps