This article addresses the scenario where a custom domain with an Okta-managed certificate displays a Pending status in the Admin Console.
- Custom URL Domains
The Pending status in the Admin Console, under Customizations > Branding > Domains, can appear even when the Domain Name System (DNS) and certificate propagation are correct, especially if the user is behind a Virtual Private Network (VPN) or a firewall.
- Navigate to Customizations > Branding > Domains and select the custom domain that displays the Pending status.
- Verify the domain resolves correctly. A correct resolution indicates the domain is active and functional. NOTE: If users can access the sign-in page for the custom domain and dashboard without issues, and the domain is marked as Verified internally, the domain is active and functional. The Pending status may persist in the UI due to caching or network conditions and can be safely ignored if functionality is unaffected.
- If the status displays as Pending while connected to a VPN, disconnect from the VPN to view the active state.
- Verify the certificate in use. If the certificate is Okta-managed, the issuer displays as Let's Encrypt or DigiCert; any other issuer indicates a customer-provided certificate rather than an Okta-managed one.
- Run the following command to verify that the DNS records are configured correctly and match the expected Okta custom domain endpoint:
nslookup <CUSTOM_DOMAIN>
- Flush the local DNS cache or check with the DNS provider to ensure no outdated records are cached.
- Ensure the networking team has included Okta's IP ranges in the allow list. Internal DNS resolver settings can also cause issues if they return internal IPs for the custom domain: compare the answer from the internal resolver with the answer from a public resolver, and if they differ, split-horizon DNS is overriding the public record.
- Verify the WebFinger endpoint on the custom domain (https://<CUSTOM_DOMAIN>/.well-known/webfinger). If the endpoint fails consistently, this indicates a DNS or network propagation issue rather than a problem with the Okta configuration.
- Verify whether the DNS provider has a CAA (Certificate Authority Authorization) record for the domain or any of its parent domains. If one exists, ensure it permits Okta's certificate authorities (DigiCert or Let's Encrypt) to issue certificates for the domain. CAs apply the closest CAA record set found walking up the DNS tree, so a CAA record on the apex domain also governs the custom subdomain.
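The steps above, collected into one terminal checklist as an added example (this is not Okta's own tooling and is not part of the original article). It assumes dig, openssl and curl are installed; PUBLIC_RESOLVER, OKTA_CAS and the example WebFinger resource value are assumptions chosen for this script, and the expected CNAME target to compare against is whatever the Admin Console shows for the domain. The parsing helpers are separated from the live lookups so that the CAA, CNAME and issuer logic can be exercised on constructed input without network access.

```shell
#!/bin/sh
# Added example (not Okta tooling): checklist for an Okta custom domain stuck on Pending.
# Assumes dig, openssl and curl. PUBLIC_RESOLVER and OKTA_CAS are assumptions for this script.

PUBLIC_RESOLVER=1.1.1.1                    # any public resolver, used to spot split-horizon DNS
OKTA_CAS="letsencrypt.org digicert.com"    # CAs that issue Okta-managed certificates

# Normalise two hostnames (case, trailing dot) and report whether they match.
# A CNAME copied with or without the trailing dot is a common false "mismatch".
cname_matches_expected() {
  a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  e=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  [ -n "$a" ] && [ "$a" = "$e" ]
}

# Print the domain and each parent down to the two-label name. CAs use the
# closest ancestor that has a CAA record set, so the apex can govern the subdomain.
caa_chain_domains() {
  d=$1
  while :; do
    echo "$d"
    case "$d" in
      *.*.*) d=${d#*.} ;;
      *) break ;;
    esac
  done
}

# Read "dig +short CAA" output on stdin. Print "ok" when there is no CAA policy or
# one of Okta's CAs is permitted, "blocked" when a policy names only other CAs
# (renewal of the Okta-managed certificate would then fail).
caa_allows_okta() {
  found_any=0
  permitted=0
  while read -r flags tag value; do
    [ -z "$tag" ] && continue
    tag=$(printf '%s' "$tag" | tr -d '"')
    value=$(printf '%s' "$value" | tr -d '"')
    case "$tag" in
      issue|issuewild)
        found_any=1
        for ca in $OKTA_CAS; do
          # The value may carry parameters, e.g. "digicert.com; cansignhttpexchanges=yes"
          case "$value" in
            "$ca"|"$ca;"*|"$ca "*) permitted=1 ;;
          esac
        done
        ;;
    esac
  done
  if [ "$found_any" -eq 0 ] || [ "$permitted" -eq 1 ]; then echo ok; else echo blocked; fi
}

# Classify an "openssl x509 -issuer" line: Okta-managed certificates are issued by
# Let's Encrypt or DigiCert; anything else is a customer-provided certificate.
issuer_is_okta_managed() {
  case "$1" in
    *"Let's Encrypt"*|*DigiCert*) echo yes ;;
    *) echo no ;;
  esac
}

# Live checks. Usage: sh okta-domain-check.sh login.example.com <expected CNAME target>
check_domain() {
  domain=$1
  expected=$2
  echo "== CNAME from local resolver vs $PUBLIC_RESOLVER (a difference means split-horizon DNS)"
  dig +short CNAME "$domain"
  dig +short @"$PUBLIC_RESOLVER" CNAME "$domain"
  if [ -n "$expected" ]; then
    if cname_matches_expected "$(dig +short CNAME "$domain")" "$expected"; then
      echo "CNAME matches the value shown in the Admin Console"
    else
      echo "CNAME does NOT match the value shown in the Admin Console"
    fi
  fi
  echo "== CAA (closest record set in the tree governs issuance)"
  for d in $(caa_chain_domains "$domain"); do
    records=$(dig +short CAA "$d")
    if [ -n "$records" ]; then
      echo "$d: $(printf '%s\n' "$records" | caa_allows_okta)  <- governing CAA policy"
      break
    fi
    echo "$d: no CAA record"
  done
  echo "== Certificate issuer"
  issuer=$(printf '' | openssl s_client -servername "$domain" -connect "$domain:443" 2>/dev/null \
           | openssl x509 -noout -issuer)
  echo "$issuer (Okta-managed: $(issuer_is_okta_managed "$issuer"))"
  echo "== WebFinger HTTP status (consistent failure points at DNS/network, not Okta config)"
  curl -sS -o /dev/null -w '%{http_code}\n' \
    "https://$domain/.well-known/webfinger?resource=okta:acct:user@example.com"
}

if [ "$#" -gt 0 ]; then
  check_domain "$1" "$2"
fi
```

Run the CAA section from a machine off the VPN as well as on it: a CAA record lives in public DNS and is read by the CA, not by the browser, so a domain that signs users in fine today can still fail at the next Okta-managed certificate renewal if the apex CAA record was tightened after the domain was set up.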
