Use your own CA for Device Access

If you choose not to use Okta as the Certificate Authority (CA) for Device Access, you can use your own CA.

You can only use your own CA with Windows devices.

For macOS devices, see Use Okta as a CA for Device Access.

Start this task

  1. In the Admin Console, go to Security > Device integrations.

  2. Click the Certificate Authority tab.

  3. Click Add certificate authority.

  4. Select the Device Access radio button.

  5. Click Browse files and then select the appropriate certificate file to upload.

    Okta uploads certificates automatically, and a message appears if the upload was successful.

    To see the certificate details, click View root certificate chain details.

  6. Click Save.

Deploy certificates

Using your own CA for Device Access follows almost the same process as outlined in Use your own certificate authority for managed devices.

Three minor changes are required for you to use the CA specifically for Okta Device Access:

  1. Before you upload the certificate to Okta in the Admin Console, select Device Access.

  2. In your MDM, ensure that the certificate is deployed at the Computer Level.

  3. Skip any steps that discuss endpoint management.

If you're unable to verify that a certificate was deployed with the required settings, review the task steps.

Add custom certificate extension

After your certificate is uploaded, add a custom certificate extension on issued client certificates to ensure that Device Access can locate and select the correct certificate.

Add the following values to the certificate extension:

  • Extension OID: 1.3.6.1.4.1.51150.13.1

  • Extension value: 1 (integer)

The format of the certificate extension varies depending on your CA provider. Refer to your provider's documentation for the appropriate format to use.

Active Directory Certificate Services

Active Directory Certificate Services integration is only supported with Okta Verify on Windows.

If you're using Windows Active Directory Certificate Services (AD CS) as your CA, you also need to include the following OID in the Extended Key Usage (EKU) extension of the issued certificates:

  • Extension OID: 1.3.6.1.4.1.51150.13.1.1

See Configure Active Directory Certificate Services.

If you're using a CA other than the Windows CA, this additional extension isn't required.

Example

The following example shows a custom extension certificate for DigiCert:

  {
    "oid": "1.3.6.1.4.1.51150.13.1",
    "template": {
      "type": "INTEGER",
      "value": "1"
    }
  }
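The following Python script is an added example and not part of Okta's documentation or any CA provider's tooling. Using the `cryptography` package, it checks an issued client certificate for the custom extension described above (INTEGER 1 under OID 1.3.6.1.4.1.51150.13.1) and, for AD CS deployments, for the EKU OID 1.3.6.1.4.1.51150.13.1.1; the self-signed certificate it builds is a constructed sample and the function names are hypothetical.

```python
# Added example: verify the Device Access extension on a client certificate.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

DEVICE_ACCESS_OID = x509.ObjectIdentifier("1.3.6.1.4.1.51150.13.1")
ADCS_EKU_OID = x509.ObjectIdentifier("1.3.6.1.4.1.51150.13.1.1")  # AD CS only
DER_INTEGER_ONE = b"\x02\x01\x01"  # ASN.1 DER: INTEGER tag, length 1, value 1

def decode_der_integer(der: bytes) -> int:
    """Decode a short-form DER INTEGER; reject anything else."""
    if len(der) < 3 or der[0] != 0x02 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER INTEGER")
    return int.from_bytes(der[2:], "big", signed=True)

def check_device_access_cert(pem: bytes, adcs: bool = False) -> dict:
    """Report which Device Access requirements a PEM certificate satisfies."""
    cert = x509.load_pem_x509_certificate(pem)
    result = {"custom_ext": False, "adcs_eku": False}
    try:  # the extension must be present and its value must decode to INTEGER 1
        ext = cert.extensions.get_extension_for_oid(DEVICE_ACCESS_OID)
        result["custom_ext"] = decode_der_integer(ext.value.value) == 1
    except (x509.ExtensionNotFound, ValueError):
        pass
    try:  # the AD CS-specific OID lives inside the EKU extension
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        result["adcs_eku"] = ADCS_EKU_OID in eku
    except x509.ExtensionNotFound:
        pass
    result["ok"] = result["custom_ext"] and (result["adcs_eku"] or not adcs)
    return result

def make_test_cert(with_ext: bool = True, with_eku: bool = True) -> bytes:
    """Constructed self-signed sample certificate (not issued by any real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample-device")])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if with_ext:  # the custom extension from this page, encoded as raw DER
        builder = builder.add_extension(
            x509.UnrecognizedExtension(DEVICE_ACCESS_OID, DER_INTEGER_ONE), critical=False)
    if with_eku:  # client authentication plus the AD CS-specific OID
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH, ADCS_EKU_OID]), critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
```

To check a certificate exported from a managed device, pass its PEM bytes to `check_device_access_cert` and set `adcs=True` when AD CS is the issuing CA.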

Related topics

Use Okta as a CA for Device Access

Configure Active Directory Certificate Services

Verify certificate deployments