Understanding Certificate Pinning During Okta SSL Certificate Rotation
Last Updated:
Overview
Administrators periodically receive email notifications from Okta regarding the rotation of Secure Sockets Layer (SSL) certificates, which may mention certificate pinning. Certificate pinning associates a host with its expected public key to prevent man-in-the-middle attacks, primarily in custom applications. To assess the impact of SSL certificate rotation, administrators must contact the application development team to determine if the application code implements pinning and update the certificates using the Okta Public Key Infrastructure (PKI) repository if necessary.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Administrator Emails
- Certificate Pinning
- Secure Sockets Layer (SSL) Certificate Rotation
- Custom Applications
Cause
Solution
What is certificate pinning?
NOTE: While certificate pinning was once a recommended security practice to prevent unauthorized certificate issuance, it has become a legacy technique that often does more harm than good. In the modern Public Key Infrastructure (PKI) ecosystem, the industry universally discourages pinning due to its high risk of service disruption and incompatibility with current security standards.
Certificate pinning associates a host with its expected public key. These implementations aim to prevent man-in-the-middle attacks, and developers mostly use them in custom applications.
Certificate pinning tells the client exactly what certificate to expect. It looks for a specific fingerprint in a certificate and refuses to connect to the server if the fingerprint is missing. This enables organizations to manage and verify the relationship between the server and the endpoint directly.
How is certificate pinning usage determined?
Typically, developers use certificate pinning for custom-developed applications where they embed the pin in the code. Determine if custom applications utilize certificate pinning and obtain the latest certificates from the Okta repository by executing the following actions.
- Contact the team responsible for creating the applications.
- Confirm whether the application code implements pinning.
- If the application uses pinning, refer to the Okta PKI repository to obtain the latest certificates.
If the organization does not use custom-built applications, the environment likely lacks certificate pinning, and certificate renewals have no impact.
