Configure a certificate authority
A certificate authority (CA) is a trusted entity that manages and issues digital certificates. The digital certificate shows the ownership of the public keys and represents an online identity for the device.
When Okta evaluates an authentication policy that requires managed devices, Okta identifies the management status of each device by checking whether it has a client certificate installed. Okta attests certificate installation by creating a digital signature with the certificate and validating it on the server. Configuring a CA allows you to issue client certificates to devices to support this operation. You can configure Okta as a CA, or provide your own CA.
Okta as a CA is only available on Okta Identity Engine.
Option 1: Configure Okta as a CA
Configure Okta as a CA if you want to save time, streamline how certificates are issued, and avoid the complexity and expense of deploying and maintaining your own public key infrastructure (PKI).
Okta revokes device certificates that were issued but not used for successful authentication within 90 days.
When a device is deleted from the Universal Directory, the certificate that was associated with that device can no longer be used. To use the same device in the future, you must delete the certificate that was associated with it, and then re-deploy a new certificate to it.
The procedures provided are based on configurations that Okta has tested.
To configure Okta as a CA, create a Simple Certificate Enrollment Protocol (SCEP) profile in your mobile device management (MDM) software, and then generate a SCEP URL in Okta. Okta provides the following methods for generating a SCEP challenge:
- Static SCEP URL: The MDM software assigns the same challenge secret to all devices. With this device management configuration, the challenge secret is shared across devices. The shared secret that was created for the configuration is validated, and then a unique client certificate is issued to each device.
  - Configure Okta as a CA with static SCEP challenge for macOS using Jamf Pro.
  - Configure Okta as a CA with static SCEP challenge for Windows using Workspace ONE.
- Dynamic SCEP URL (generic): The MDM software assigns a unique challenge secret to a device. With this configuration, a short-lived unique challenge secret is generated for each device. The secret is not shared with other devices. The device can then redeem the challenge secret for a single client certificate.
- Delegated SCEP URL (MEM): Microsoft Endpoint Manager (MEM) generates a unique challenge secret for each request. Okta verifies the challenge secret, and then generates a client certificate for the device.
See the following:
Option 2: Provide your own CA
You can provide your own CA if your environment has one of the following:
- A PKI that is integrated with your MDM software
- An existing Active Directory Certificate Services (ADCS) infrastructure
When you provide your own CA, Okta supports certificate revocation. Okta checks the certificate revocation list (CRL) for revoked or on-hold certificates, and then blocks those certificates from sending any management signals. Okta only supports CRL endpoints that use the HTTP or HTTPS protocol, and CRLs that are signed by the same intermediate certificate that the admin uploaded. The client certificate must also include the CRL distribution point uniform resource identifier (URI). When these conditions are met, Okta downloads the CRL, and then revokes any certificates that are listed on it. The certificate revocation task runs as a background process a few times each day. When a certificate is marked as revoked, the client can no longer use that certificate to set management status. Check your System Log events to see details about when a certificate is revoked.
Manually delete intermediate CAs that are revoked by the root CA. These are not automatically deleted.
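The CRL conditions described above, worked through in code. This is an added example using the `cryptography` library, not Okta's own implementation; the intermediate (self-signed here for brevity), device certificate, CRL, serial numbers and the `https://pki.example.com/ca.crl` distribution point are all constructed for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ExtensionOID

def crl_uris(cert):
    """HTTP or HTTPS CRL distribution point URIs found in the client cert ([] if none)."""
    try:
        cdp = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in cdp for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)
            and n.value.lower().startswith(("http://", "https://"))]

def revocation_status(cert, intermediate, crl):
    """Checks from the text: HTTP(S) CDP present, CRL issued and signed by the uploaded intermediate, then serial lookup."""
    if not crl_uris(cert):
        return "no-http-cdp"            # no CRL would be fetched for this cert
    if crl.issuer != intermediate.subject or not crl.is_signature_valid(intermediate.public_key()):
        return "crl-signature-invalid"  # CRL not from the same intermediate: ignored
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return "good"
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        reason = x509.ReasonFlags.unspecified
    # Both revoked and on-hold entries block the cert from setting management status
    return "on-hold" if reason == x509.ReasonFlags.certificate_hold else "revoked"

def build_fixtures(serial=4242, hold=False):
    """Constructed data, not a real PKI: self-signed stand-in intermediate, device cert with CDP, CRL listing 4242."""
    now, day = datetime.datetime.now(datetime.timezone.utc), datetime.timedelta(days=1)
    ca_key, dev_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Intermediate CA")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(1).not_valid_before(now)
          .not_valid_after(now + day).sign(ca_key, hashes.SHA256()))
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier("https://pki.example.com/ca.crl")], None, None, None)])
    dev = (x509.CertificateBuilder().issuer_name(ca_name).public_key(dev_key.public_key())
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "device-0001")]))
           .serial_number(serial).not_valid_before(now).not_valid_after(now + day)
           .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))
    entry = x509.RevokedCertificateBuilder().serial_number(4242).revocation_date(now)
    if hold:
        entry = entry.add_extension(x509.CRLReason(x509.ReasonFlags.certificate_hold), critical=False)
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name).last_update(now)
           .next_update(now + day).add_revoked_certificate(entry.build()).sign(ca_key, hashes.SHA256()))
    return dev, ca, crl
```

Feeding a CRL signed by a different key than the uploaded intermediate returns `crl-signature-invalid`, which is the case the page says Okta does not support.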