When an Okta org is configured with a custom Okta domain using the option Bring your own certificate (advanced), and the TLS certificate is a wildcard certificate, the certificate must include the full URL in the Common Name (CN) or Subject Alternative Name (SAN) when it is generated. Otherwise, the following error occurs when attempting to upload the certificate:
The specified certificate does not match your Custom URL Domain
- Okta Administration
- Custom URL Domains
- Okta Classic Engine
The uploaded wildcard certificate does not contain the full URL in the Common Name (CN) or Subject Alternative Name (SAN). This issue only occurs when using the option Bring your own certificate (advanced).
To resolve this, the TLS certificate must be generated with a Common Name (CN) or Subject Alternative Name (SAN) entry that reflects the full URL for the custom domain. For more information, please check Related References.
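A pre-upload check for the requirement above, as an added example that is not Okta's own code: a standard TLS hostname check accepts a wildcard for the custom domain, so this check looks for the name as a literal CN or SAN entry instead. The function names and the `example.com` names are hypothetical, and "full URL" is assumed to mean the custom domain's hostname.

```shell
#!/usr/bin/env bash
# Added example (not Okta code). Feed it the text printed by OpenSSL 1.1.1+:
#   openssl x509 -in cert.pem -noout -subject -ext subjectAltName \
#     | check_custom_domain login.example.com

# Print the subject CN and every SAN DNS entry, one per line, lowercased.
cert_names() {
  tr 'A-Z' 'a-z' | awk '
    /^subject/ {
      # Accepts "subject=CN = name" and "subject=CN=name,O=..."
      if (match($0, /cn *= *[^,]+/)) {
        cn = substr($0, RSTART, RLENGTH)
        sub(/cn *= */, "", cn); gsub(/[ \t]/, "", cn)
        print cn
      }
      next
    }
    /dns:/ {
      n = split($0, parts, ",")
      for (i = 1; i <= n; i++) {
        p = parts[i]; gsub(/[ \t]/, "", p)
        if (p ~ /^dns:/) print substr(p, 5)
      }
    }'
}

# Exit 0: domain listed verbatim. 1: only a wildcard covers it. 2: not covered.
check_custom_domain() {
  domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  names=$(cert_names)
  if printf '%s\n' "$names" | grep -Fxq -- "$domain"; then
    echo "OK: $domain is listed explicitly"; return 0
  fi
  wildcard="*.${domain#*.}"
  if printf '%s\n' "$names" | grep -Fxq -- "$wildcard"; then
    echo "WILDCARD ONLY: add $domain as its own CN or SAN entry"; return 1
  fi
  echo "NO MATCH: certificate does not cover $domain"; return 2
}

# Constructed sample: a wildcard-only certificate, as in the failing case.
sample='subject=CN = *.example.com
X509v3 Subject Alternative Name:
    DNS:*.example.com'
printf '%s\n' "$sample" | check_custom_domain login.example.com || true
```

An exit status of 1 corresponds to the case described in this article: the certificate is valid for the domain by wildcard matching, but the domain itself is not listed.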
