Client certificates | Okta (2024)

A client certificate is a type of digital certificate that is issued by a certificate authority (CA). Mobile device management (MDM) software issues client certificates to devices using Okta as a CA, or the customer's own CA (referenced in Okta as "provide your own CA").

How does Okta use client certificates?

Okta uses client certificates to determine if a desktop device (macOS and Windows only) is managed or not.

When a device successfully authenticates with Okta FastPass, Okta binds a client certificate to the device (not the user) and attests certificate installation by creating a digital signature with the client certificate and validating it on the server. The Okta server uses the management attestation in the Okta FastPass protocol to satisfy the managed condition in the authentication policy.

How does client certificate binding work?

To make sure client certificates are deployed securely, a client certificate can't be reused by a device after that device has been deleted from Okta Universal Directory, and it can't be used by more than one device. To achieve this:

How does the CA affect client certificate binding?

Client certificate binding rules are different, depending on the certificate authority (CA) that issues the client certificate:

  • Okta as a CA:

    • Okta CA manages the lifecycle of the client certificates, so Okta doesn't need to rely on the certificate revocation list (CRL) to perform certificate status validation.

    • The client certificate is revoked on the 91st day after issuance if it has not been used in a successful Okta FastPass flow. The 90-day window gives you time between deploying the client certificate and enabling an authentication policy (management attestation) that requires it.

    • Revoked client certificates can't be re-used.

  • Provide your own CA:

    • Client certificates are issued by an external CA, so Okta uses the CRL to check the certificate status before processing management attestation signals in Okta FastPass. For this to work, Okta expects the CA and client certificate to include the CRL extension.

    • During the management attestation evaluation, if the CRL check shows that the client certificate is not active (revoked), Okta marks the device as not managed.

    • Similar to Okta as CA, the client certificate is bound to the device the first time the device successfully authenticates with Okta FastPass.

  • For Windows, client certificates should be in the current user certificate store and not the machine store. If using the local machine certificate store is unavoidable, ensure that no elevation is required for the user to access the private key.

    For macOS, select the appropriate level to deploy the client certificate:

    • To ensure all users of the device are managed, select Computer Level.

    • If you want only MDM-managed users of the device to be identified as managed, select User Level.

    Ensure the client certificate is available to all applications. See Use your own certificate authority for managed devices and SCEP MDM payload settings for Apple devices.

How does the lifecycle status of a device affect certificate binding?

Depending on the lifecycle status of a device, a client certificate might be valid, suspended, or revoked.

For security reasons, a client certificate is associated with the device throughout the lifecycle of the device. It can't be used for any other device.

The following table describes the state of the client certificate during each stage of the device lifecycle:

| Device lifecycle status | Client certificate state | Description |
|---|---|---|
| Active | Valid | A client certificate is bound to the device after successful Okta FastPass authentication. The client certificate is valid, so the device user is treated as "managed". |
| Suspended | Valid | The client certificate is valid, but user authentication cannot provide management attestation to satisfy the authentication policy "managed" condition. |
| Deactivated | Suspended | The client certificate is valid, but user authentication cannot provide management attestation to satisfy the authentication policy "managed" condition. |
| Deleted | Revoked | When a device is deleted from the Okta Universal Directory, the client certificate that was associated with that device is revoked, so it can no longer be used to provide management attestation from any device. To use the same device in the future, delete the client certificate from the device, and then re-deploy a new client certificate to it. |
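The rules above (Okta CA versus provide-your-own CA, the 91-day unused revocation, one-device binding, and the lifecycle table) combine into a single decision per FastPass sign-in. The following is an added illustration, not Okta's code: a small model that applies those rules in order and reports why a device is or is not treated as managed. The class and field names, the serial number, and the dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional, Tuple

class CaType(Enum):
    OKTA = "okta_ca"
    OWN = "provide_your_own_ca"

class DeviceStatus(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    DEACTIVATED = "deactivated"
    DELETED = "deleted"

@dataclass
class ClientCert:
    serial: str                      # constructed sample value, not a real certificate
    issued: date
    ca: CaType
    has_crl_extension: bool = True   # required when the customer provides the CA
    revoked_in_crl: bool = False     # outcome of Okta's CRL lookup (own CA only)
    bound_device: Optional[str] = None
    revoked: bool = False

UNUSED_REVOKE_DAY = 91  # Okta CA revokes on the 91st day if never used in FastPass

def evaluate_attestation(cert: ClientCert, device_id: str,
                         status: DeviceStatus, today: date) -> Tuple[bool, str]:
    """Return (managed, reason) for one Okta FastPass sign-in from device_id."""
    if cert.revoked:
        return False, "certificate already revoked"
    if cert.ca is CaType.OKTA:
        # Okta manages the lifecycle itself, so no CRL lookup is needed.
        if cert.bound_device is None and (today - cert.issued).days >= UNUSED_REVOKE_DAY:
            cert.revoked = True
            return False, "Okta CA: never used within 90 days, revoked on day 91"
    else:
        if not cert.has_crl_extension:
            return False, "own CA: certificate lacks the CRL extension"
        if cert.revoked_in_crl:
            return False, "own CA: certificate not active per CRL"
    if status is DeviceStatus.DELETED:
        cert.revoked = True              # deletion revokes the certificate for good
        return False, "device deleted: certificate revoked"
    if cert.bound_device is None:
        cert.bound_device = device_id    # first successful FastPass binds cert to device
    elif cert.bound_device != device_id:
        return False, "certificate is bound to a different device"
    if status is DeviceStatus.ACTIVE:
        return True, "active device: certificate valid, user treated as managed"
    if status is DeviceStatus.SUSPENDED:
        return False, "suspended device: certificate valid, attestation not accepted"
    return False, "deactivated device: certificate suspended"
```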

Related topics

Device lifecycle

Management attestation FAQ

Configure Okta as a CA with static SCEP challenge for macOS using Jamf Pro

Configure Okta as a CA with static SCEP challenge for Windows using Workspace ONE

Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro

Configure Okta as a CA with delegated SCEP challenge for Windows using MEM (formerly Intune)

Configure Okta as a CA with delegated SCEP challenge for macOS using MEM (formerly Intune)
