Verify what OAG Certificate Is Being Presented
Access Gateway
Overview

In some cases, users do not see the certificate an admin has configured for an Okta Access Gateway (OAG) application. This article shows how to confirm, from the appliance shell, which certificate is assigned to an application in its configuration, and how to use OpenSSL to check whether the application is actually presenting that same certificate to clients.

Applies To
  • Okta Access Gateway
  • Certificate Management
Solution

Validate the certificate being presented using OpenSSL:

  • The following command can be run from a client, or directly in the appliance's shell, to see which certificate the application presents. The -servername option sets the TLS SNI value; it must be the application's public hostname, because nginx selects the server block (and therefore the certificate) by SNI and will otherwise return the default server's certificate:

    • openssl s_client -showcerts -connect <oag_server_ip>:443 -servername <oag_app_public_domain>
      

Validate the certificate from the application configuration file:

Application configurations are located under /opt/oag/configs/nginx/conf.d/. Each application's ID appears in its filename. The following steps locate the application's configuration file and then the certificate it references:

  • Locate the application config file using labels: 

    • grep label /opt/oag/configs/nginx/conf.d/* | grep "<label>"
      
    • For example, an application labeled "Header Test" will show the following output:
    • $ grep label /opt/oag/configs/nginx/conf.d/* | grep "Header Test" 
      /opt/oag/configs/nginx/conf.d/icsgw_app_374d0c61-6599-43f9-8f64-77a7d3c27e7d.active.conf:    set $label "Header Test";
  • Once the filename has been retrieved, the associated certificate-key pair can be found by using the following command: 
    • grep ssl /opt/oag/configs/nginx/conf.d/<file_name_from_above>
      
    • Referring to the same example from above, the output will be like this:
    • $ grep ssl /opt/oag/configs/nginx/conf.d/icsgw_app_374d0c61-6599-43f9-8f64-77a7d3c27e7d.active.conf
          ssl_certificate_key "/opt/oag/nginx/ssl/%_domain_tld.key";
          ssl_certificate "/opt/oag/nginx/ssl/%_domain_tld.crt";
  • The certificate-key pairs live in the directory referenced by the ssl_certificate and ssl_certificate_key directives (/opt/oag/nginx/ssl in the example above). Inspect the certificate file with the following command and confirm the Subject and Subject Alternative Name entries contain the expected domain values:
    • openssl x509 -noout -text -in <cert_file_name>
    • Using the example output from above: 
    • $ openssl x509 -noout -text -in /opt/oag/nginx/ssl/%_domain_tld.crt
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  19:<redacted>:e9
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: <redacted>
              Validity
                  Not Before: Jun  7 17:11:57 2024 GMT
                  Not After : Jun  6 17:11:57 2026 GMT
              Subject: <redacted>
      
If the certificate file referenced by the configuration shows the correct domain values but the openssl s_client output does not, nginx on the appliance may not have reloaded its configuration. This sometimes happens intermittently on a single node of a cluster, so that only that node presents the wrong certificate; test each node by its own IP rather than through the load balancer to isolate it.
Otherwise, if both of the above steps show the correct certificate, a front-end load balancer that terminates TLS may still be presenting the old certificate. Refer to this article to check further on the issue.
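The checks above can be scripted so that the on-disk certificate and the one actually served are compared by SHA-256 fingerprint instead of by eye. The following POSIX shell script is an added example, not part of the original article or Okta's code. It assumes the layout shown above (a `set $label "...";` line and an `ssl_certificate "...";` line in each file under /opt/oag/configs/nginx/conf.d); the function names and the OAG_CONF_DIR variable are the example's own, and it matches the whole quoted label so that "Header Test" does not also match "Header Test 2".

```shell
#!/bin/sh
# Added example (not Okta's code): script the checks from this article and compare
# the certificate on disk with the one the listener presents, by SHA-256 fingerprint.
# Assumed layout: OAG app configs under $OAG_CONF_DIR containing
#   set $label "<label>";  and  ssl_certificate "<path>";  lines, as shown in the article.

OAG_CONF_DIR="${OAG_CONF_DIR:-/opt/oag/configs/nginx/conf.d}"

# Print the first config file whose label matches exactly (fixed-string match on the
# whole 'set $label "...";' line, so a label that is a prefix of another is not confused).
oag_find_config() {
    label="$1"; dir="${2:-$OAG_CONF_DIR}"
    grep -lF "set \$label \"$label\";" "$dir"/*.conf 2>/dev/null | head -n 1
}

# Print the ssl_certificate path from an app config, with quotes and ';' stripped.
# The mandatory whitespace after the directive name keeps ssl_certificate_key from matching.
oag_cert_path() {
    sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p' "$1" | head -n 1
}

# SHA-256 fingerprint (lower-case hex, no colons) of the first PEM certificate on stdin.
# openssl x509 skips surrounding text, so this also accepts a raw s_client transcript.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the certificate file stored on the appliance.
file_fingerprint() { cert_fingerprint < "$1"; }

# Fingerprint of the leaf certificate the listener serves for a given SNI name.
# -servername is essential: without it nginx answers with the default server's certificate.
presented_fingerprint() {
    host="$1"; port="${2:-443}"; sni="$3"
    openssl s_client -showcerts -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null | cert_fingerprint
}

# Subject and SAN DNS names of a certificate file, one per line, for a domain sanity check.
cert_names() {
    openssl x509 -noout -subject -in "$1" | sed 's/^subject=[[:space:]]*//'
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# End-to-end check for one application: config -> cert file -> names -> disk vs served.
oag_verify_cert() {
    label="$1"; host="$2"; port="$3"; sni="$4"
    conf=$(oag_find_config "$label")
    [ -n "$conf" ] || { echo "no config with label '$label' under $OAG_CONF_DIR" >&2; return 2; }
    cert=$(oag_cert_path "$conf")
    echo "config:    $conf"; echo "cert file: $cert"
    cert_names "$cert" | sed 's/^/name:      /'
    disk=$(file_fingerprint "$cert"); live=$(presented_fingerprint "$host" "$port" "$sni")
    echo "on disk:   $disk"; echo "presented: $live"
    if [ -n "$live" ] && [ "$disk" = "$live" ]; then echo "MATCH"; return 0; fi
    echo "MISMATCH: nginx not reloaded on this node, or TLS is terminated by a load balancer in front" >&2
    return 1
}

# Usage on the appliance (test each node by its own IP, not the load balancer VIP):
#   sh verify.sh "Header Test" 10.0.0.5 443 app.example.com
if [ "$#" -eq 4 ]; then oag_verify_cert "$@"; exit $?; fi
```

Running it against each cluster node in turn distinguishes the two failure modes described above: a node whose presented fingerprint differs from the file on disk has not reloaded nginx, while nodes that all match but still differ from what a browser sees point at the load balancer.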