OAG: Expired SSL Certificate is Showing in Monitoring Log and UI
Access Gateway
Overview

The OAG monitoring log reports that an SSL Certificate has expired, and warnings are also visible in the UI. Below is a logged error message.

2026-04-07T09:40:15.972-07:00 admin.standalone.com OAG_MONITOR MONITOR CERT_CHECK ERROR SSL_CERT_VALIDITY_CHECK [USER="oag-local" EXPIRY="20251207"] SSL Certificate has expired

Checking the certificates in the OAG Admin UI shows 3 expired self-signed certificates.
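To find these events in an exported monitoring log, the sketch below parses SSL_CERT_VALIDITY_CHECK lines in the format quoted above and reports how long each certificate has been expired. It is an added example, not Okta code; the function names are hypothetical, the YYYYMMDD reading of EXPIRY is an assumption, and every sample line except the first is constructed.

```python
import re
from datetime import datetime

# Line 1 is the event quoted in this article; the others are constructed for the example.
SAMPLE_LOG = '''\
2026-04-07T09:40:15.972-07:00 admin.standalone.com OAG_MONITOR MONITOR CERT_CHECK ERROR SSL_CERT_VALIDITY_CHECK [USER="oag-local" EXPIRY="20251207"] SSL Certificate has expired
2026-04-08T09:40:15.101-07:00 admin.standalone.com OAG_MONITOR MONITOR CERT_CHECK ERROR SSL_CERT_VALIDITY_CHECK [USER="oag-local" EXPIRY="20251207"] SSL Certificate has expired
2026-04-08T09:40:15.350-07:00 admin.standalone.com OAG_MONITOR MONITOR CERT_CHECK ERROR SSL_CERT_VALIDITY_CHECK [USER="oag-local" EXPIRY="20260301"] SSL Certificate has expired
2026-04-08T09:40:16.000-07:00 admin.standalone.com constructed unrelated line
2026-04-08T09:40:17.000-07:00 admin.standalone.com OAG_MONITOR MONITOR CERT_CHECK ERROR SSL_CERT_VALIDITY_CHECK [USER="oag-local" EXPIRY="n/a"] SSL Certificate has expired
'''

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s.*\bSSL_CERT_VALIDITY_CHECK\s+\[(?P<fields>[^\]]*)\]')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_cert_events(log_text):
    """Return one dict per SSL_CERT_VALIDITY_CHECK event with a usable EXPIRY field."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m["fields"]))
        try:
            # Assumption: EXPIRY is YYYYMMDD, as the value 20251207 suggests.
            expiry = datetime.strptime(fields["EXPIRY"], "%Y%m%d").date()
            logged = datetime.fromisoformat(m["ts"]).date()
        except (KeyError, ValueError):
            continue  # missing or malformed EXPIRY/timestamp: skip the event
        events.append({"host": m["host"], "user": fields.get("USER"),
                       "expiry": expiry, "days_expired": (logged - expiry).days})
    return events

def distinct_expired(log_text):
    """Collapse repeated monitor events to one entry per (host, expiry date)."""
    summary = {}
    for ev in parse_cert_events(log_text):
        key = (ev["host"], ev["expiry"].isoformat())
        entry = summary.setdefault(key, {"events": 0, "days_expired": 0})
        entry["events"] += 1
        entry["days_expired"] = max(entry["days_expired"], ev["days_expired"])
    return summary

if __name__ == "__main__":
    for (host, expiry), info in sorted(distinct_expired(SAMPLE_LOG).items()):
        print(f"{host}: certificate expired {expiry}, {info['days_expired']} days ago, "
              f"{info['events']} log event(s)")
```

The event shown carries no certificate name, so certificates that share an expiry date collapse into one entry; the certificate list in the Admin UI or the NGINX submenu remains the source for which files are affected.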

Applies To
  • Okta Access Gateway (OAG)
  • User Interface (UI)
Cause

Expired localhost self-signed certificates caused the expiry message in monitoring logs. These certificates are used for initial deployment and as a fallback.

The system creates 5 self-signed certificates during setup, and all of them will eventually expire. They are listed below:

  • lab.local (Cookie domain)
  • *.admin (Wildcard Admin UI)
  • *.domain.local (Initial setup)
  • *.lab.local (Wildcard cookie domain)
  • admin (Admin UI)
Solution

The *.domain.local certificate is only used for initial deployment and can be deleted. If a certificate is needed by the system but has been deleted, the system will automatically create/recreate a self-signed cert.

Delete a Certificate 

  1. Use a Secure Shell (SSH) connection to connect to the Access Gateway Management console. See Management Console command-line reference.
  2. Press 2 to go to the Services submenu.
  3. Press 1 to go to the NGINX submenu.
  4. Press 6 to update a Secure Sockets Layer (SSL) certificate. The list of certificates appears.
  5. Enter the number next to the corresponding certificate, and select option "d" to delete.
  6. To delete the *.domain.local cert, specify the number next to localhost.crt (5 would be used, as shown in the screenshot).
  7. Once the certificate is shown, the Domain specified is *.domain.local (all certs except this one have the domain specified as the file name).

Regenerate a Certificate  

If the 4 other certificates need to be regenerated, then the steps below can be followed.

  1. Use a Secure Shell (SSH) connection to connect to the Access Gateway Management console. See Management Console command-line reference.
  2. Press 2 to go to the Services submenu.
  3. Press 1 to go to the NGINX submenu.
  4. Press 5 to re-generate an SSL certificate.
  5. Follow the prompts. A * does not need to be added to the domain, because a wildcard option can be specified in the next prompt, which will add one.

 
