Manage certificates in the trust store
The trust store is a list of Certificate Authority (CA) certificates that Okta Workflows uses to verify the identity of external services during an mTLS handshake. Upload a CA certificate before creating an mTLS connection.
Before you begin
- You're signed in as a super admin, Workflows Administrator, or Connection Manager.
- You're signed in to an org in a federal cell.
- You have a CA certificate in PEM format.
- Your P12 files use FIPS-compliant algorithms. Files must use AES-256-CBC encryption and PBMAC1 with PBKDF2 for their MAC integrity check.
Add a Certificate Authority
Upload a Certificate Authority to the trust store so that you can create an mTLS connection.
- Go to .
- Click +Certificate authority.
- Enter a name and an optional description.
- Click Add files and browse to select the applicable PEM file.
- Click Create.
The certificate is added to the trust store with an Active status. Click the eye icon to see the certificate's details.
Okta Workflows only accepts PEM-formatted files. If you receive a certificate in another format, convert it to PEM using a tool like OpenSSL before uploading.
Replace an expiring certificate
When a certificate is nearing expiration or has expired, you can replace it without breaking any connections that depend on it.
- Click the eye icon on the certificate row to view its details.
- Click Update.
- Upload the replacement PEM file and click Save.
The certificate is replaced and all connections that reference it continue to function without interruption.
An expired certificate displays an Expired badge in both the list and the details panel. Connections using an expired certificate fail until the certificate is replaced.
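A pre-upload check covering the PEM conversion noted earlier and the expiry condition described in this section, as an added example that is not part of Okta's documentation. It assumes the openssl CLI is installed; the function names, return codes, and 30-day default window are illustrative choices.

```shell
#!/bin/sh
# Added example: local checks to run on a CA certificate file before upload.
# Assumes the openssl CLI is on PATH. Function names are hypothetical.

# to_pem IN OUT: write the certificate in IN to OUT as PEM,
# converting from DER when IN has no PEM header.
to_pem() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        # Already PEM: re-encode so OUT holds only the first certificate block.
        openssl x509 -in "$1" -out "$2" 2>/dev/null
    else
        openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
    fi
}

# check_ca_cert FILE [DAYS]
# Returns 0 = ready to upload
#         1 = not a readable PEM certificate
#         2 = basicConstraints does not mark it as a CA
#         3 = expired, or expires within DAYS days
check_ca_cert() {
    file=$1
    days=${2:-30}   # warning window (assumption; match your rotation schedule)
    # Require the PEM header explicitly: newer openssl builds auto-detect DER.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$file" &&
        openssl x509 -in "$file" -noout 2>/dev/null || return 1
    openssl x509 -in "$file" -noout -text 2>/dev/null |
        grep -q 'CA:TRUE' || return 2
    openssl x509 -in "$file" -noout -checkend $((days * 86400)) \
        >/dev/null 2>&1 || return 3
    return 0
}

# show_cert FILE: print the fields to compare against what the issuer
# sent you, and later against the details panel after upload.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}
```

Run `check_ca_cert` on the replacement file as well as on first upload, since a replacement that is itself close to expiry puts the dependent connections back in the same position.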
Delete a certificate
Delete a certificate to remove it from the trust store. Before deleting a certificate, verify that no active connections depend on it.
- Click the eye icon on the certificate row to view its details.
- Click Delete.
- Click Delete again to confirm.
The certificate is removed from the trust store. This action can't be undone.