Okta LDAP Interface Certificate Update

What change is happening and why?

Okta must update the expiring certificates for *.ldap.okta.com and *.ldap.okta-emea.com. The certificates expire regularly and are updated at least a month before the expiration date.

What needs to be done?

If you use the LDAP interface and/or certificate pinning, the certificate trust store of the applications that connect to Okta may need to be updated. Okta's certificates are issued by the DigiCert Certificate Authority. If the applications, appliances, or devices connecting to the LDAP interface broadly trust DigiCert's root certificates, no action is needed.

If the applications, appliances, or devices connecting to the LDAP interface require manual updates to certificate trust, those updates must be made to minimize service disruption.

Okta is publishing the entire certificate chain (the server or "leaf" certificate, the intermediate certificate authority or "ICA," and the root certificate authority or "Root CA"). At Okta's request on behalf of its customers, the ICA and Root CA will not change, but customers may wish to confirm that the copies in their systems are up to date.

If the system requires trusting the ICA and Root CA, the existing certificates will work unchanged.

If a system must trust the full certificate chain, including the leaf certificate, update its configuration during the provided change windows.

What will happen if no action is taken?

No action may be needed if the systems broadly trust DigiCert's Root Certificate Authority certificates. However, if manual intervention is required and does not happen, the systems will not be able to use the LDAP interface: depending on whether a system uses LDAPS or LDAP with StartTLS, it will either fail to connect at all or fail to bind to LDAP.

What level of effort is required to mitigate?

If a system requires manual intervention, load the provided certificate chain (or the relevant part of it) into the application, appliance, or device configuration, and then test the connection to the Okta LDAP interface.

Where can the required certificates be downloaded?
