Use your own CA for Device Access

If you choose not to use Okta as the Certificate Authority (CA), you can use your own CA for Device Access.

Procedure

  1. In the Admin Console, go to Security > Device integrations.

  2. Click the Certificate Authority tab.

  3. Click Add certificate authority.

  4. Select the Device Access radio button.

  5. Click Browse files and select the CA certificate file to upload. Okta uploads the certificate automatically and displays a message when the upload succeeds.

    To see the certificate details, click View root certificate chain details.

  6. Click Save.

Deploy certificates

Using your own CA for Device Access follows the same process as outlined in Use your own certificate authority for managed devices.

Three minor changes are required for you to use the CA specifically for Okta Device Access:

  1. Before you upload the certificate to Okta in the Admin Console, select Device Access.

  2. In your MDM, ensure that the certificate is deployed at the Computer Level.

  3. Skip the steps that discuss endpoint management.

If you can't verify that a certificate was deployed with the required settings, review the steps above: confirm that you selected Device Access when you added the CA in the Okta Admin Console, and that your MDM deploys the certificate at the Computer Level rather than the user level.

Add custom certificate extension

After the CA certificate is uploaded, configure your CA to add a custom extension to the client certificates it issues. Device Access uses this extension to locate and select the correct certificate on the device.

Add the following values to the certificate extension:

  • Extension OID: 1.3.6.1.4.1.51150.13.1

  • Extension value: 1 (integer)

If you configure Okta as the Certificate Authority for Device Access, Okta completes this step for you.

The format of the certificate extension varies depending on your CA provider. Refer to your provider's documentation for the appropriate format to use.

Active Directory Certificate Services

If you're using Active Directory Certificate Services (AD CS) as your CA, you also need to add the following OID to the Extended Key Usage (EKU) extension of the issued client certificates, in addition to the custom extension above:

  • Extension OID: 1.3.6.1.4.1.51150.13.1.1

If you're using a CA other than AD CS, this additional EKU entry isn't required.

Example

The following example shows the custom certificate extension definition for DigiCert as the CA provider:

  {
    "oid": "1.3.6.1.4.1.51150.13.1",
    "critical": true,
    "template": {
      "type": "INTEGER",
      "value": "1"
    }
  }
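The following shell script is an added example, not part of Okta's documentation or tooling. It uses OpenSSL to issue a self-signed test client certificate that carries the custom extension (OID 1.3.6.1.4.1.51150.13.1, INTEGER 1, marked critical to match the DigiCert example above) and the extra EKU OID 1.3.6.1.4.1.51150.13.1.1 from the AD CS section, then checks a certificate for both the way you would inspect one exported from a managed device. The config section names, the CN, and the self-signed issuance are assumptions for the demonstration; with a real CA, the device submits a CSR and the CA applies the extension through its own template or profile mechanism.

```shell
#!/bin/sh
# Added example (not Okta's code). Requires `openssl` on PATH.
set -eu

write_openssl_config() {
  # $1 = directory to write device_access.cnf into (section names are local choices)
  cat > "$1/device_access.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = device-access-test

# Client certificate for Okta Device Access. The custom extension holds the
# INTEGER 1 (DER bytes 02 01 01) and is marked critical as in the DigiCert
# example. The extra EKU OID is only needed when AD CS is the issuing CA; it is
# included here so the EKU check below has something to find.
[ v3_device_access ]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth, 1.3.6.1.4.1.51150.13.1.1
1.3.6.1.4.1.51150.13.1 = critical, ASN1:INTEGER:1

# Ordinary client-auth certificate without the marker (negative case).
[ v3_plain_client ]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

issue_cert() {
  # $1 = directory, $2 = basename, $3 = extension section from the config above.
  # Self-signed for the demo; a real deployment has the CA sign the device's CSR.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$1/device_access.cnf" -extensions "$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

has_device_access_marker() {
  # $1 = PEM certificate. Succeeds only if OID 1.3.6.1.4.1.51150.13.1 is present
  # and its value is exactly the DER INTEGER 1 (02 01 01). asn1parse prints the
  # OID, an optional BOOLEAN (the critical flag), then the OCTET STRING value,
  # so the value must appear within two lines of the OID.
  openssl asn1parse -in "$1" | awk '
    /OBJECT +:1\.3\.6\.1\.4\.1\.51150\.13\.1$/ { window = NR + 2 }
    window && NR <= window && /OCTET STRING/ && /:020101$/ { found = 1 }
    END { exit found ? 0 : 1 }'
}

has_adcs_eku() {
  # $1 = PEM certificate. OpenSSL prints EKU OIDs it does not know in dotted form.
  openssl x509 -in "$1" -noout -text | grep -Fq '1.3.6.1.4.1.51150.13.1.1'
}

workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT
write_openssl_config "$workdir"
issue_cert "$workdir" device v3_device_access
issue_cert "$workdir" plain v3_plain_client

for name in device plain; do
  if has_device_access_marker "$workdir/$name.pem"; then
    echo "$name.pem: Device Access marker present"
  else
    echo "$name.pem: Device Access marker missing"
  fi
  if has_adcs_eku "$workdir/$name.pem"; then
    echo "$name.pem: AD CS EKU OID present"
  else
    echo "$name.pem: AD CS EKU OID missing"
  fi
done
```

To check a certificate exported from a managed device, run has_device_access_marker against its PEM file; a certificate that carries the OID but a different value (for example INTEGER 2, DER 02 01 02) fails the check, which is the point of matching the full encoded value rather than just the OID.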

Next steps

Configure a Certificate Authority

Client certificates

Management attestation FAQ