Use your own certificate authority for managed devices

When an authentication policy requires desktop devices to be managed, Okta checks whether a client certificate is installed on the targeted devices. To attest the certificate, Okta uses the certificate to create a digital signature and validates it on the server. You can configure your own certificate authority (CA) to issue client certificates to devices secured by Okta.

To provide your own CA, your environment requires a public key infrastructure (PKI) that is integrated with your Mobile Device Management (MDM) software. The MDM software performs the following tasks: 

  • Distributes client certificates to targeted devices.

  • Renews certificates before they expire.

  • Revokes certificates from your MDM server and managed devices when devices are no longer managed.

Before you begin

  • To manage devices, you can use your existing MDM software (such as Microsoft Intune for Windows, or Jamf Pro for macOS), or Active Directory Certificate Services (ADCS) infrastructure. You can use your ADCS infrastructure with Okta Verify to register managed devices in Okta. The device user must have a certificate issued by the certificate authority that is set up in Okta. For example, you can use Microsoft Active Directory Certificate Services and Network Device Enrollment Service integrated with Microsoft Intune.
  • To prove that devices are managed by your organization, configure your MDM software to deploy certificates to your registered macOS and Windows devices. The certificates must be signed by your organization's CA. See Device registration.
  • Use the Okta Admin Console to upload the intermediate certificate authorities that your MDM software uses to issue the client certificate. During Single Sign-On (SSO), Okta Verify presents the signed token to the server as proof of possession of the client certificate. Okta uses the trusted CA certificate to validate that the device belongs to your organization.

Start this procedure

Task 1: Confirm that client certificates are deployed

Ensure that client certificates issued by your CA are deployed on your organization's macOS and Windows devices.

Task 2: In Okta, upload your CA and configure the management attestation

  1. In the Okta Admin Console, go to Security > Device integrations.
  2. Go to the Certificate authority tab and click Add certificate authority.
  3. In the Add certificate authority dialog box, browse to the intermediate CA that will be used to issue the client certificate. If you have multiple issuers, upload all of them one at a time.

    Okta doesn’t support PKCS#7, PKCS#12, or PFX certificate formats.

    Certificates are uploaded automatically. A message appears if uploads are successful. To view details, click View root certificate chain details.

  4. Click Close.
  5. Go to the Endpoint management tab.
  6. Click Add platform.
  7. Select Desktop (Windows and macOS only) and click Next.
  8. Configure management attestation. Select Use my own certificate authority for the Certificate authority.
  9. Click Save.

Next steps

Add an authentication policy rule for desktop