<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Understanding Certificate Pinning During Okta SSL Certificate Rotation

Single Sign-On
Administration
Okta Classic Engine
Okta Identity Engine
Custom URL Domains

Overview

Administrators periodically receive email notifications from Okta regarding the rotation of Secure Sockets Layer (SSL) certificates, which may mention certificate pinning. Certificate pinning associates a host with its expected public key to prevent man-in-the-middle attacks, primarily in custom applications. To assess the impact of SSL certificate rotation, administrators must contact the application development team to determine if the application code implements pinning and update the certificates using the Okta Public Key Infrastructure (PKI) repository if necessary.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Administrator Emails
  • Certificate Pinning
  • Secure Sockets Layer (SSL) Certificate Rotation
  • Custom Applications

Cause

Okta Admins may periodically receive email notifications from Okta regarding the rotation of SSL certificates. The notification may also mention certificate pinning.

Solution

What is certificate pinning?

NOTE: While certificate pinning was once a recommended security practice to prevent unauthorized certificate issuance, it has become a legacy technique that often does more harm than good. In the modern Public Key Infrastructure (PKI) ecosystem, the industry universally discourages pinning due to its high risk of service disruption and incompatibility with current security standards.

 

Certificate pinning associates a host with its expected public key. These implementations aim to prevent man-in-the-middle attacks, and developers mostly use them in custom applications.

 

Certificate pinning tells the client exactly what certificate to expect. It looks for a specific fingerprint in a certificate and refuses to connect to the server if the fingerprint is missing. This enables organizations to manage and verify the relationship between the server and the endpoint directly.

 

How is certificate pinning usage determined?

Typically, developers use certificate pinning for custom-developed applications where they embed the pin in the code. Determine if custom applications utilize certificate pinning and obtain the latest certificates from the Okta repository by executing the following actions.

  1. Contact the team responsible for creating the applications.
  2. Confirm whether the application code implements pinning.
  3. If the application uses pinning, refer to the Okta PKI repository to obtain the latest certificates.

If the organization does not use custom-built applications, the environment likely lacks certificate pinning, and certificate renewals have no impact.

 

Related References

Recommended content

Loading
Okta Support - Understanding Certificate Pinning During Okta SSL Certificate Rotation