Upload certificates

This topic describes how to upload a self-signed certificate, or a certificate from a Certificate Authority, to Access Gateway.

You must upload certificates to Access Gateway before you can associate them with applications.

If you upload a self-signed certificate, the default virtual hostname is associated with it.

The certificate must be in Privacy Enhanced Mail (PEM) format.

Remove the passphrase from the certificate before you add it to Access Gateway.

You can also use the Access Gateway Admin UI console to select a certificate. See Associate a default host certificate using the Access Gateway Admin UI console.

Upload an SSL certificate

You must upload the certificate to the Access Gateway admin node. If you upload it to a worker node, the certificate will not be visible in the Access Gateway Admin UI console.

  1. Use a Secure Shell (SSH) connection to connect to the Access Gateway Management console. See Management Console command-line reference.
  2. Press 2 to go to the Services submenu.
  3. Press 1 to go to the NGINX submenu.
  4. Press 6 to update a Secure Sockets Layer (SSL) certificate. The list of certificates appears.
  5. Select one of the following commands:

After you assign an uploaded certificate to an app and save the app, Okta Access Gateway (OAG) automatically syncs the new certificate to the worker nodes along with the app configuration.

Add a certificate

You can add certificates using cut and paste operations. Both the certificate and the key must be in Privacy Enhanced Mail (PEM) format.

  1. In a text editor, open the new certificate file.
  2. Select and copy the contents of the certificate file.
  3. Return to the command-line console and paste the certificate file contents. If you want to include the intermediate and root certificates, you must provide them in the following order: issued certificate, intermediate, and then the root. This example shows how to format the command to include all three certificates:
    -----BEGIN CERTIFICATE-----
    Issued Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Intermediate Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Root Certificate
    -----END CERTIFICATE-----
  4. Press Ctrl + d to save the certificate contents. The command-line console opens a new editor for the certificates' associated key contents.
  5. In a text editor, open the key file.
  6. Select and copy the contents of the key.
  7. Return to the command-line console and paste the key file contents.
  8. Press Ctrl + d to save the key contents. The hostname and certificate type are pulled automatically for the certificate.

    If you're updating a certificate, a prompt asks if you want to replace the current certificate. To update the certificate, press y and then Enter.
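
Before you paste, you can check the two files on your workstation. The following script is an added example, not part of Access Gateway or the original procedure: it confirms that the certificate paste holds only PEM certificate blocks in issued, intermediate, root order and that the key has no passphrase. The function names are hypothetical. It assumes issuer and subject names can be compared byte for byte, and it doesn't verify signatures or that the key belongs to the certificate.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, body)] for every PEM block found in text."""
    return PEM_RE.findall(text)

def tlvs(buf):
    """Yield (tag, value) for each DER element at one nesting level."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def issuer_subject(der):
    """Return the (issuer, subject) Name bytes of one DER certificate."""
    tbs = next(tlvs(next(tlvs(der))[1]))[1]
    # Skip the optional [0] version tag; then serial, sigAlg, issuer, validity, subject.
    fields = [v for t, v in tlvs(tbs) if t != 0xA0]
    return fields[2], fields[4]

def preflight(cert_paste, key_paste):
    """Return a list of problems; an empty list means both pastes look usable."""
    problems = []
    certs = pem_blocks(cert_paste)
    if not certs or any(label != "CERTIFICATE" for label, _ in certs):
        problems.append("certificate paste must contain only CERTIFICATE blocks")
    else:
        try:
            names = [issuer_subject(base64.b64decode("".join(b.split()))) for _, b in certs]
            for i in range(len(names) - 1):
                if names[i][0] != names[i + 1][1]:
                    problems.append(f"block {i + 2} is not the issuer of block {i + 1}")
        except (ValueError, IndexError, StopIteration):
            problems.append("a CERTIFICATE block is not valid base64 DER")
    keys = pem_blocks(key_paste)
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        problems.append("key paste must contain exactly one PEM private key")
    elif keys[0][0].startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in keys[0][1]:
        problems.append("key is passphrase-protected")
    return problems
```

Pass the text of the certificate file and the key file to preflight() and resolve every reported problem before you start the paste.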

Modify a certificate

Select one of the following commands:

  • d: Delete a certificate.
  • u: Update a certificate. Follow the prompts to copy and paste the replacement certificate's key and certificate file, both of which must be in PEM format.

Next steps

Associate certificates

Associate a default host certificate using the Access Gateway Admin UI console