Configure Okta as a CA with static SCEP challenge for Windows using Workspace ONE

Configuring a Certificate Authority (CA) allows you to issue client certificates to your targeted Windows devices. This topic describes how to create a static Simple Certificate Enrollment Protocol (SCEP) profile in Workspace ONE and generate a SCEP URL in Okta.

If you're using Workspace ONE, use static SCEP. Workspace ONE has known issues with dynamic SCEP.

To configure a delegated (dynamic) SCEP challenge type for Windows using Microsoft Intune, see Configure Okta as a CA with delegated SCEP challenge for Windows using MEM (formally Intune)

Before you begin

Make sure you have access to the Okta Admin Console.

Okta as a CA doesn't support renewal requests. Instead, redistribute the profile before the certificate expires to replace the expired certificate. All MDM SCEP policies should be configured to allow for profile redistribution.

Start this procedure

In Okta, configure management attestation and generate a SCEP URL and a Secret Key

  1. In the Okta Admin Console, go to SecurityDevice integrations.
  2. Click the Endpoint management tab.
  3. Click Add platform.
  4. Select Desktop (Windows and macOS only).
  5. Click Next.
  6. On the Add Device management platform page, enter the following:
    1. Select Use Okta as certificate authority as the Certificate authority.
    2. Select Static SCEP URL as the SCEP challenge type.
    3. Click Generate.
    4. Copy and save the Okta SCEP URL and the Secret key. You will paste these in Workspace ONE in Task 3.

      5. Save the SCEP URL and Secret key. This is the only time they will appear in Okta.

  7. Click Save.

In Okta, download the x509 certificate

The x509 certificate you download from Okta is the Organization Intermediate certificate.

  1. In the Okta Admin Console, go to SecurityDevice integrations.
  2. Click the Certificate authority tab.
  3. For the Okta CA certificate authority, click the Download x509 certificate icon in the Actions column.

    You'll upload the certificate to Workspace ONE in Task 5.

In Workspace ONE, create a static SCEP profile

Configure the Okta CA as a certificate authority in Workspace ONE so you can deploy certificate profiles through the management channel.

  1. If not already, log in to Workspace ONE as an administrator.
  2. In Workspace ONE, click DEVICES (left ribbon bar).
  3. Click CertificatesCertificate Authorities.
  4. Click + ADD.
  5. On the Certificate Authority - Add/Edit page, enter the following:
    1. Name: Enter a name for the CA.
    2. Description: Optional. Enter a description for the CA.
    3. Authority type: Select Generic SCEP.
    4. SCEP Provider: Basic is entered automatically and can't be changed.
    5. SCEP URL: Copy and paste the SCEP URL you generated in Task 1.
    6. Challenge Type: Click STATIC.
    7. Static Challenge: Copy and paste the Secret Key you generated in Task 1.
    8. Confirm Challenge Phrase: Copy and paste the Secret Key you generated in Task 1.
    9. Retry Timeout: Accept the default value of 30.
    10. Max Retries When Pending: Accept the default value of 5, or specify a different number of retries the system allows while the authority is pending.
    11. Enable Proxy: Accept the default value of DISABLED or select ENABLED if appropriate for your environment. If you select Enabled, Workspace ONE UEM acts as a proxy between the device and the SCEP endpoint defined in the CA configuration.
  6. Click TEST CONNECTION. If you select SAVE before TEST CONNECTION, the error Test is unsuccessful appears.
  7. After the Test is successful message appears, click SAVE AND ADD TEMPLATE.

    If the test doesn't succeed, make sure that you can access the Okta SCEP URL you generated in Task 1.

In Workspace ONE, Add/Edit a Certificate Template

In this task you'll add a CA request template after you create a static SCEP profile in Task 3.

  1. In Workspace ONE, click the Request Templates tab.
  2. Click + ADD.
  3. On the Certificate Template - Add/Edit page, enter the following:
    1. Name: Enter a name for the template.
    2. Description: Optional. Enter a description for the template.
    3. Certificate Authority: Select the CA you created in Task 3.
    4. Issuing Template: Leave blank or configure as appropriate for your implementation.
    5. Subject Name: Enter a subject name. For example, CN = {EmailAddress} managementAttestation {DeviceUid}.

      6. Okta does not require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta. As a best practice, you can also include profile variables provided by Workspace ONE to include the device ID (UDID) and user identifier. For a list of supported variables, see Workspace ONE document Workspace ONE Lookup Values.

    6. Private Key Length: Select 2048.
    7. Private Key Type: Select Signing.
    8. SAN Type: N/A.
    9. Automatic Certificate Renewal: Click ENABLED.
    10. Publish Private Key: Click DISABLED.
  4. Click SAVE.

In Workspace ONE, define a device profile to deploy the Okta Intermediate CA to the Intermediate Store on devices

    1. In Workspace ONE, click RESOURCES (left ribbon bar).
    2. Click Profiles & BaselinesProfiles.
    3. Click ADD, and then select Add Profile.
    4. Select WindowsWindows DesktopDevice Profile.
    5. On the General page, enter the following:
      1. Name: Enter a name for the device profile.
      2. Description: Optional. Enter a description for the device profile.
      3. Deployment: Select Managed.
      4. Assignment Type: Accept the default or configure as appropriate for your implementation.
      5. Allow Removal: Accept the default or configure as appropriate for your implementation.
      6. Managed By: Enter the person or group with administrative access to the profile.
      7. Smart Groups: Begin typing the name of the group and then select it from the list.
      8. Exclusions: Allows you to exclude groups from the profile. Accept the default or configure as appropriate for your implementation.
      9. Additional Assignment Criteria: Allows you to schedule a deployment schedule.
      10. Removal Date: Allows you to specify a date when the profile is removed from the device.
    6. Click Credentials in the left pane.
    7. Click CONFIGURE.
    8. On the Credentials page, enter the following:
      1. Credential Source: Select Upload.
      2. Certificate: Click Upload and browse to the certificate you downloaded in Task 2.
      3. Key Location: Accept the default or configure as appropriate for your implementation.
      4. Certificate Store: Select Intermediate.
    9. Click SAVE AND PUBLISH.

In Workspace ONE, define a user profile to deploy the Okta CA-issued client certificate to the Personal Store on devices for management attestation

This task creates the management payload that pushes the client certificate information and credential to the client, allowing the client to connect to Okta and request a new client certificate. The client certificate is used for management attestation as part of Okta Verify-enabled flows.

    1. In Workspace ONE, click RESOURCES (left ribbon bar).
    2. Click Profiles & BaselinesProfiles.
    3. Click ADD, and then select Add Profile.
    4. Select WindowsWindows DesktopUser Profile.
    5. On the General page, enter the following:
      1. Name: Enter a name for the user profile.
      2. Description: Optional. Enter a description for the user profile.
      3. Deployment: Select Managed.
      4. Assignment Type: Select Auto.
      5. Allow Removal: Select Always.
      6. Managed By: Optional. Enter additional admin names.
      7. Smart Groups: Enter the same groups that you specified in Task 5.
      8. Exclusions: Allows you to exclude groups from the profile. Accept the default or configure as appropriate for your implementation.
      9. Additional Assignment Criteria: Allows you to schedule a deployment schedule.
      10. Removal Date: Allows you to specify a date when the profile is removed from the device.
    6. Click Credentials in the left pane.
    7. Click CONFIGURE.
    8. On the Credentials page, enter the following:
      1. Credential Source: Select Defined Certificate Authority.
      2. Certificate Authority: Select the same Certificate Authority that you configured in Task 3.
      3. Key Location: Select TPM If Present to support devices with or without TPM.
      4. Certificate Store: Select Personal.
    9. Click SAVE AND PUBLISH.

On a Windows computer, verify the certificate installation

  1. On a Windows computer, verify that the client certificate was installed:
    1. On the Windows computer, click Start, and then type cert.
    2. Click Manage user certificates.
    3. In Certificates - Current User, click PersonalCertificates.
    4. Make sure the client certificate exists.
  2. Verify the certificate authority (CA):
    1. In Certificates - Local Computer, click Intermediate Certificate AuthorityCertificates.
    2. In the Issued To column, find Organization Intermediate Authority.
    3. Make sure the Issued By column specifies Organization Root Authority for Organization Intermediate Authority.

Next steps