Configure Okta as a CA with static SCEP challenge for Windows using Workspace ONE

Configuring a Certificate Authority (CA) allows you to issue client certificates to your targeted Windows devices.

To configure a delegated (dynamic) SCEP challenge type for Windows using Microsoft Intune, see Configure Okta as a CA with delegated SCEP challenge for Windows with Microsoft Intune

Purpose

Management attestation certificate

Platform

Windows

MDM

Omnissa Workspace ONE

SCEP URL

Static

Before you begin

Make sure that you have access to the following:

  • Okta Admin Console

  • Workspace ONE admin console

Okta as a CA doesn't support renewal requests. Instead, redistribute the profile before the certificate expires to replace the expired certificate. Configure all MDM SCEP policies to allow for profile redistribution.

Procedure

  1. Configure a CA and generate a SCEP URL and secret key

  2. Download the x509 certificate

  3. Create a static SCEP profile

  4. Add a Certificate Template

  5. Define a device profile

  6. Define a user profile for management attestation

  7. Verify the certificate installation

Configure a CA and generate a SCEP URL and secret key

  1. In the Admin Console, go to SecurityDevice integrations.

  2. On the Endpoint management tab, click Add platform.

  3. Select Desktop (Windows and macOS only), then click Next.

  4. On the Add device management platform page, select the following options:

    • Certificate Authority: Use Okta as Certificate Authority

    • SCEP URL challenge type: Static SCEP URL

  5. Click Generate.

  6. Copy and save the following values in a secure location:

    • SCEP URL

    • Secret Key

    • This is the only time that you can retrieve the secret key in the Admin Console. To see the secret key in plain text, click the show password icon Open eye icon that reveals the saved password when clicked..

      If you need to reset the secret key, click Reset secret key in the Actions menu on the Device Access page.

  7. Click Save.

Download the x509 certificate

  1. In the Admin Console, go to SecurityDevice integrations.

  2. Select the Certificate authority tab.

  3. For the Okta CA Certificate Authority, click the Download x509 certificate icon in the Actions column.

  4. Save the downloaded certificate file. Rename the file with a .cer extension if needed.

This downloaded certificate from Okta is the Organization Intermediate certificate. You need this certificate when you define the device profile in Workspace ONE.

Create a static SCEP profile in Workspace ONE

Configure Okta as the CA in Workspace ONE so you can deploy certificate profiles through the management channel.

  1. Sign in to the Workspace ONE UEM admin console.

  2. Go to DEVICESCertificatesCertificate Authorities.

  3. Click + ADD.

  4. On the Certificate Authority - Add/Edit page, enter the following:

    • Name: Enter a name for the CA.

    • Description: Optional. Enter a description for the CA.

    • Authority type: Select Generic SCEP.

    • SCEP Provider: Basic is entered automatically and can't be changed.

    • SCEP URL: Enter the SCEP URL that you generated earlier.

    • Challenge Type: Click STATIC.

    • Static Challenge: Enter the Secret Key that you generated earlier.

    • Confirm Challenge Phrase: Enter the Secret Key again.

    • Retry Timeout: Accept the default value of 30.

    • Max Retries When Pending: This value specifies the number of retries that the system allows while the authority is pending. Accept the default value of 5, or provide a custom number.

    • Enable Proxy: Accept the default value of DISABLED or select ENABLED if your environment requires a proxy.

  5. Click TEST CONNECTION to test the connection before saving.

    If you select SAVE before you click TEST CONNECTION, the error Test is unsuccessful appears.

  6. When the Test is successful message appears, click SAVE AND ADD TEMPLATE.

    If the test fails, make sure that you can access the SCEP URL that you generated earlier.

Add a Certificate Template

This task adds a CA request template after you create the static SCEP profile.

  1. In Workspace ONE, select the Request Templates tab.

  2. Click + ADD.

  3. On the Certificate Template - Add/Edit page, enter the following:

    • Name: Enter a name for the template.

    • Description: Optional. Enter a description for the template.

    • Certificate Authority: Select the CA that you created in the previous step.

    • Issuing Template: Leave blank or configure as appropriate for your implementation.

    • Subject Name: Enter a subject name. For example, CN = {EmailAddress} managementAttestation {DeviceUid}.

      Okta doesn't require the subject name to be in any particular format. Choose a name that indicates that the certificate is used as the device management signal to Okta.

      As a best practice, you can also include profile variables provided by Workspace ONE to include the device ID (UDID) and user identifier.

      For a list of supported variables, see Workspace ONE document Workspace ONE Lookup Values.

    • Private Key Length: Select 2048.

    • Private Key Type: Select Signing.

    • SAN Type: N/A.

    • Automatic Certificate Renewal: Click ENABLED.

    • Publish Private Key: Click DISABLED.

  4. Click SAVE.

Define a device profile

This device profile is used to deploy the Okta intermediate CA to the intermediate store on your devices.

  1. In Workspace ONE, go to RESOURCESProfiles & BaselinesProfiles.

  2. Click ADD, and then select Add Profile.

  3. Select WindowsWindows DesktopDevice Profile.

  4. On the General page, enter the following:

    • Name: Enter a name for the device profile.

    • Description: Optional. Enter a description for the device profile.

    • Deployment: Select Managed.

    • Assignment Type: Accept the default or configure as appropriate for your implementation.

    • Allow Removal: Accept the default or configure as appropriate for your implementation.

    • Managed By: Enter the person or group with administrative access to the profile.

    • Smart Groups: Select the groups that contain the devices you want to target. Begin typing the name of the group and then select it from the list.

    • Exclusions: Exclude groups from the profile. Accept the default or configure as appropriate for your implementation.

    • Additional Assignment Criteria: This allows you to schedule a deployment schedule.

    • Removal Date: Specify a date when the profile is removed from the device.

  5. Click Credentials in the left pane.

  6. Click CONFIGURE.

  7. On the Credentials page, enter the following:

    • Credential Source: Select Upload.

    • Certificate: Click Upload and browse to the x509 certificate you previously downloaded.

    • Key Location: Accept the default or configure as appropriate for your implementation.

    • Certificate Store: Select Intermediate.

  8. Click SAVE AND PUBLISH.

Define a user profile for management attestation

This task creates a management payload that pushes the client certificate information and credential to the client. This allows the client to connect to Okta and request a new client certificate.

The client certificate is used for management attestation as part of Okta Verify-enabled flows.

  1. In Workspace ONE, go to RESOURCESProfiles & BaselinesProfiles.

  2. Click ADD, and then select Add Profile.

  3. Select WindowsWindows DesktopUser Profile.

  4. On the General page, enter the following:

    • Name: Enter a name for the user profile.

    • Description: Optional. Enter a description for the user profile.

    • Deployment: Select Managed.

    • Assignment Type: Select Auto.

    • Allow Removal: Select Always.

    • Managed By: Optional. Enter other admin names.

    • Smart Groups: Enter the same groups that you specified in the previous task.

    • Exclusions: Exclude groups from the profile. Accept the default or configure as appropriate for your implementation.

    • Additional Assignment Criteria: This allows you to schedule a deployment schedule.

    • Removal Date: Specify a date when the profile is removed from the device.

  5. Click Credentials in the left pane.

  6. Click CONFIGURE.

  7. On the Credentials page, enter the following:

    • Credential Source: Select Defined Certificate Authority.

    • Certificate Authority: Select the same Certificate Authority that you configured in step 3.

    • Key Location: Select TPM If Present to support devices with or without TPM.

    • Certificate Store: Select Personal.

  8. Click SAVE AND PUBLISH.

Verify the certificate installation

On a Windows computer, verify that the client certificate was installed:

  1. Click Start, and then type cert.

  2. Click Manage user certificates.

  3. Under Certificates - Current User, click PersonalCertificates.

  4. Make sure that the client certificate exists.

Verify the Certificate Authority (CA):

  1. In Certificates - Local Computer, select Intermediate Certificate AuthorityCertificates.

  2. In the Issued To column, find Organization Intermediate Authority.

  3. Make sure that the Issued By column specifies Organization Root Authority for Organization Intermediate Authority.

Next steps