Configure a certificate authority

A certificate authority (CA) is a trusted entity that manages and issues digital certificates. The digital certificate shows the ownership of the public keys and represents an online identity for the device.

When Okta evaluates an authentication policy that requires managed devices, Okta identifies the management status of each device by checking whether they have a client certificate installed. Okta attests certificate installation by creating a digital signature with the certificate and validating it on the server. Configuring a CA allows you to issue client certificates to devices to support this operation. You can configure Okta as a CA, or provide your own CA.

Okta as a CA is only available on Okta Identity Engine.

Option 1: Configure Okta as a CA

Configure Okta as a CA if you want to save time, streamline how certificates are issued, and avoid the complexity and expense of deploying and maintaining your own public key infrastructure (PKI).

Okta revokes device certificates that were issued but not used for successful authentication within 90 days.

When a device is deleted from the Universal Directory, the certificate that was associated with that device can no longer be used. To use the same device in the future, you must delete the certificate that was associated with it, and then re-deploy a new certificate to it.

The procedures provided are based on configurations that Okta has tested.

To configure Okta as a CA, create a Simple Certificate Enrollment Protocol (SCEP) profile in your mobile device management (MDM) software, and then generate a SCEP URL in Okta. Okta provides the following methods for generating a SCEP challenge:

Option 2: Provide your own CA

You can provide your own CA if your environment has one of the following:

  • A PKI that is integrated with your MDM software
  • An existing Active Directory Certificate Services (ADCS) infrastructure

When you provide your own CA, Okta supports certificate revocation. Okta checks the certificate revocation list (CRL) for revoked or on-hold certificates, and then blocks those certificates from sending any management signals. Okta only supports CRL endpoints that use the HTTP or HTTPS protocol, and CRLs that are signed by the same intermediate certificate that the admin uploaded. The client certificate should also include the certificate distribution point uniform resource identifier (URI). When these conditions are met, Okta downloads the CRL, and then revokes any certificates that are on the CRL. The certificate revocation task occurs in a background process that runs a few times each day. When a certificate is marked as revoked, the client cannot use the certificate to set management status. Check your system log events, to see details about when a certificate is revoked.

Manually delete intermediate CAs that are revoked by the root CA. These are not automatically deleted.

See Use your own certificate authority for managed devices.