Certificates in the chain can be issued by a certificate authority or can be self-signed. The chain includes one or more intermediate certificates and a root certificate.
The certificate files that are part of the certificate chain are vendor-specific. One or more certificates can be uploaded in order to build the certificate chain used to sign the organization's smart cards. For more details about the Smart Card Identity Provider (IdP), consult the Add a Smart Card Identity Provider document.
- Identity Provider (IdP)
- Smart Card IdP
- Certificate Chain
The Validation of Smart Card/PIV certificate document describes the client certificate validation process:
- The client certificate that is provided in the Sign in with a Smart Card/PIV Card procedure is validated as issued by a known issuer. A known issuer is an issuing certificate authority that has been uploaded explicitly to Okta as part of a certificate chain provided during the Enable Smart Card/PIV Authentication procedure. Validation will fail if the provided client certificate is issued by an unknown issuer.
- The certificate is then verified against a Certificate Revocation List (CRL). Okta periodically downloads and caches CRLs for known issuers. If the cached CRL has expired or no CRL for the issuer is in the cache, Okta will try to download the CRL in real time.
- If the client certificate is valid, verified as active, and not revoked against a CRL, the user is then matched against the rule specified in the IdP configuration, and the user is signed in.
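The three checks above, as an added example written for this page rather than Okta's own code: it builds a constructed toy PKI (an uploaded root, an issuing CA, two client certificates of which one is revoked via a CRL, and a client certificate from a CA that was never uploaded) and runs a hypothetical `ValidateClientCert` over each. The `TrustStore` type, the certificate names, and the choice of the email SAN as the attribute handed to the IdP matching rule are assumptions for the example; the live CRL download that Okta attempts on a cache miss is represented only by an error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TrustStore stands in for the issuers an administrator uploaded as a
// certificate chain plus the CRLs cached for them (hypothetical type).
type TrustStore struct {
	Roots, Intermediates *x509.CertPool
	CRLs                 map[string]*x509.RevocationList // keyed by issuer subject
}

// ValidateClientCert applies the checks in order: chain to a known issuer,
// CRL status for every certificate below the root, then extraction of the
// identity attribute the IdP rule would match. It returns that attribute.
func ValidateClientCert(ts *TrustStore, leaf *x509.Certificate, now time.Time) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: ts.Roots, Intermediates: ts.Intermediates, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("unknown issuer or invalid chain: %w", err)
	}
	chain := chains[0] // ordered leaf ... root
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		crl, ok := ts.CRLs[issuer.Subject.String()]
		if !ok { // a real implementation would attempt a live download here
			return "", fmt.Errorf("no cached CRL for %s", issuer.Subject)
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return "", fmt.Errorf("CRL signature invalid: %w", err)
		}
		if now.After(crl.NextUpdate) {
			return "", errors.New("cached CRL has expired; refresh required")
		}
		// RevokedCertificates is populated on parse in all Go versions that
		// have ParseRevocationList (newer code may use RevokedCertificateEntries).
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return "", fmt.Errorf("certificate %s is revoked", cert.Subject.CommonName)
			}
		}
	}
	if len(leaf.EmailAddresses) == 0 {
		return "", errors.New("no email SAN to match a user against")
	}
	return leaf.EmailAddresses[0], nil
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func clientTemplate(serial int64, email string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: email},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		EmailAddresses: []string{email},
	}
}

// makeCRL signs a CRL from issuer listing the given serials; it is valid for one hour.
func makeCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, now time.Time, serials ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now.Add(-time.Minute)})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	if err != nil {
		panic(err)
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		panic(err)
	}
	return crl
}

type Fixture struct {
	Store                  *TrustStore
	Good, Revoked, Unknown *x509.Certificate
}

// BuildFixture constructs the toy PKI; every name and serial here is made up for the example.
func BuildFixture(now time.Time) *Fixture {
	rootKey, issKey, otherKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Agency Root CA", now)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	issuing := sign(caTemplate(2, "Example Agency Issuing CA", now), root, &issKey.PublicKey, rootKey)
	good := sign(clientTemplate(100, "alice@example.gov", now), issuing, &newKey().PublicKey, issKey)
	revoked := sign(clientTemplate(101, "bob@example.gov", now), issuing, &newKey().PublicKey, issKey)
	otherTmpl := caTemplate(3, "Unrelated CA", now) // never uploaded to the IdP
	other := sign(otherTmpl, otherTmpl, &otherKey.PublicKey, otherKey)
	unknown := sign(clientTemplate(500, "eve@example.net", now), other, &newKey().PublicKey, otherKey)

	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuing)
	store := &TrustStore{Roots: roots, Intermediates: inters, CRLs: map[string]*x509.RevocationList{
		root.Subject.String():    makeCRL(root, rootKey, now),         // empty CRL
		issuing.Subject.String(): makeCRL(issuing, issKey, now, 101), // revokes bob
	}}
	return &Fixture{Store: store, Good: good, Revoked: revoked, Unknown: unknown}
}

func main() {
	now := time.Now()
	f := BuildFixture(now)
	for name, c := range map[string]*x509.Certificate{"good": f.Good, "revoked": f.Revoked, "unknown": f.Unknown} {
		id, err := ValidateClientCert(f.Store, c, now)
		fmt.Printf("%-8s -> id=%q err=%v\n", name, id, err)
	}
}
```

Running it shows the good certificate yielding `alice@example.gov`, the revoked one rejected at the CRL step, and the one from the unrelated CA rejected at the known-issuer step. Passing a later `now` than the CRL's `NextUpdate` reproduces the expired-cache case, which a deployment would resolve by re-downloading the CRL rather than by signing the user in.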
For more details about the certificates and the Smart Card IdP, please consult the Related References section.
