Fix "Invalid Certificate Format" Error when Setting Up a Custom Domain in Okta
Okta Classic Engine
Okta Identity Engine
Administration
Overview

When setting up a Custom Domain, after pasting the generated certificate in the Certificate field, the following error messages are seen:

The certificate must not be a Certificate Authority (CA) certificate

and/or

Invalid certificate format

Applies To
  • Custom Domain
Cause
The Invalid certificate format error occurs when the certificate used to set up the Custom Domain is in an incorrect format. This can happen if the certificate is generated using a third-party tool or website that generates certificates in a format that Okta does not accept. Okta only accepts certificates in PEM-encoded RSA format.
Solution

To resolve the Invalid certificate format error, follow these steps:

  1. Generate the certificate from the DNS provider using PEM key format to ensure that the certificate is in a valid PEM-encoded RSA format.
  2. Okta does not accept Certificate Authority (CA) certificates. Therefore, the certificate being used must not be a CA certificate.
  3. Ensure that the certificate chain is in the correct order, starting from the top-level certificate authority down to the domain certificate.
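
A pre-flight check for the format and CA conditions in steps 1 and 2, run against the single certificate that goes into the Certificate field. This is an added example, not Okta's code. It assumes the `openssl` CLI is installed; `check_okta_cert` and its return codes are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example (not Okta's code). check_okta_cert is a hypothetical helper.
# Return codes: 0 ok, 1 not a parseable PEM certificate,
#               2 public key is not RSA, 3 certificate is a CA certificate.
check_okta_cert() {
    f=$1
    # PEM is base64 text between BEGIN/END CERTIFICATE markers; a DER,
    # PKCS#7 or PKCS#12 export from a third-party tool does not have them.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo "FAIL: no PEM 'BEGIN CERTIFICATE' block in $f"
        return 1
    fi
    # openssl reads the first certificate in the file. A parse failure here
    # means the base64 body is damaged (truncated paste, stray characters).
    if ! txt=$(openssl x509 -in "$f" -noout -text 2>/dev/null); then
        echo "FAIL: PEM markers present but the certificate does not parse"
        return 1
    fi
    # The page states that only PEM-encoded RSA is accepted, so an EC or
    # EdDSA key is reported as a format problem.
    if ! printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        echo "FAIL: public key is not RSA"
        return 2
    fi
    # basicConstraints CA:TRUE is what marks a certificate as a CA certificate.
    if printf '%s\n' "$txt" | grep -q 'CA:TRUE'; then
        echo "FAIL: basicConstraints has CA:TRUE (this is a CA certificate)"
        return 3
    fi
    echo "OK: PEM-encoded RSA end-entity certificate"
    return 0
}

# Stand-alone use: sh check.sh path/to/certificate.pem
if [ "$#" -gt 0 ]; then
    check_okta_cert "$1"
fi
```

A non-zero result of 3 usually means an intermediate or root certificate from the bundle was pasted instead of the domain certificate.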

NOTE: If still experiencing issues with setting up a custom domain, contact Okta Support for assistance.
