
How to Migrate to an Okta-Managed Certificate (Let's Encrypt)

Okta Classic Engine
Okta Identity Engine
Custom URL Domains

Overview

Okta provides an option to migrate a custom domain certificate from a custom BYOC (bring your own certificate) to an Okta-managed certificate. This knowledge article presents the process and answers frequently asked questions.

NOTE: Let's Encrypt makes validation requests during the domain validation process. Network zones can introduce complexities or restrictions that interfere with these processes, leading to potential failures in certificate management. Therefore, to maintain a seamless, reliable certificate management experience, Okta may require removing network zones when using Okta-managed certificates.

NOTE: Network zones can cause potential failures in certificate management. If a network zone is active and causing failures in the renewal process, and the certificate fails to renew and expires, it cannot be manually renewed, and the custom domain needs to be recreated or switched to BYOC.

Applies To

Solution

Okta Admins can raise a case with Okta Support to request migration of a certificate to an Okta-managed certificate. The Okta Support team will then trigger the migration on the back end. This process usually takes several minutes to complete and propagate. This method allows Admins to migrate without downtime or reconfiguring the custom certificate setup.

In the unlikely event that the migration fails, the domain will continue to use the previous certificate and there will be no downtime. Most failures are caused by incorrect DNS records. Okta Support Engineers will provide more detail on why the migration did not complete if necessary.

NOTE: Once the migration is completed, Okta cannot roll back to the previous manually managed certificate. The Admin would need to re-add the previously used certificate and private key, so these should be saved before the migration.

Frequently Asked Questions

Table of Contents

What are the advantages of migrating to an Okta-managed certificate?
Will Admins receive a notification if the Okta-managed Certificate does not renew automatically?
In what situations would the Okta-managed certificate not renew automatically?
Are new DNS records required to update the DNS provider?
How to verify if the certificate has been migrated?
How to view the migrated certificate?

What are the advantages of migrating to an Okta-managed certificate?
One less thing to worry about: the Okta-managed certificate updates automatically upon its expiration. 

Will Admins receive a notification if the Okta-managed Certificate does not renew automatically?
Yes, if there are any issues with the automatic certificate renewal process, Admins will receive a notification via email.

In what situations would the Okta-managed certificate not renew automatically?
If the CNAME and TXT records are deleted or incorrect, Okta will not be able to confirm them with the DNS provider, leading to a renewal failure. Another scenario for failure could occur if the custom domain has expired, as it is not possible to add a certificate to a non-existent custom domain. If a blocklist network zone is being used, the renewal request could also be blocked. If it is not possible to remove the network zone blocklist, continue to provide your own (BYOC) certificate instead of using an Okta-managed one.

Are new DNS records required to update the DNS provider?
When migrating from BYOC to an Okta-managed certificate, the process is automatic and only updates the certificate to a Let's Encrypt certificate. This means the DNS records are not being changed or updated; they remain the same.

How to verify if the certificate has been migrated?

  1. To verify if the certificate has been migrated, navigate to the System Log and use the following query:

eventType eq "system.custom_url_domain.cert_renew"

This should return an event similar to the following:

[Screenshot: System Log event]

  2. An additional verification method is to navigate to Customizations > Domain and verify that the certificate now appears as Okta-managed.

[Screenshot: Domain page]
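The same System Log query can be run against the System Log API so that renewal outcomes are checked on a schedule rather than by hand. The following is an added example, not Okta's code: the org URL (example.okta.com), the API token and the sample events are constructed, and the field names used (eventType, published, outcome.result, outcome.reason, target[].displayName) follow the Okta System Log API LogEvent model. It builds the API URL from the article's filter, and reduces a list of raw events to the renewal outcome per custom domain, surfacing any failed renewal that needs attention before the certificate expires.

```python
"""Query the Okta System Log for custom-domain certificate renewal events and
flag failures.  Added example, not Okta's code: the org URL, API token and the
sample events below are constructed; field names follow the Okta System Log
API LogEvent model (eventType, published, outcome.result, outcome.reason,
target[].displayName)."""
import json
import urllib.parse
import urllib.request

# Event type from the article's System Log query.
CERT_RENEW_EVENT = 'system.custom_url_domain.cert_renew'


def build_logs_url(org_url: str, event_type: str = CERT_RENEW_EVENT, limit: int = 100) -> str:
    """Build the System Log API URL with the same filter the article uses in
    the admin console, percent-encoded for the query string."""
    query = urllib.parse.urlencode(
        {'filter': f'eventType eq "{event_type}"', 'limit': limit},
        quote_via=urllib.parse.quote,
    )
    return f'{org_url.rstrip("/")}/api/v1/logs?{query}'


def fetch_events(org_url: str, api_token: str) -> list:
    """Live call (assumption: an API token with log read access).  Not used by
    the offline summary below."""
    req = urllib.request.Request(
        build_logs_url(org_url),
        headers={'Authorization': f'SSWS {api_token}', 'Accept': 'application/json'},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_cert_renewals(events: list, event_type: str = CERT_RENEW_EVENT) -> list:
    """Reduce raw log events to the fields an admin needs: which domain, when,
    and whether the renewal succeeded.  Events of other types are ignored."""
    summary = []
    for ev in events:
        if ev.get('eventType') != event_type:
            continue
        outcome = ev.get('outcome') or {}
        domains = [t.get('displayName') for t in ev.get('target') or []
                   if t.get('type') == 'CustomUrlDomain']
        summary.append({
            'published': ev.get('published'),
            'domain': domains[0] if domains else None,
            'result': outcome.get('result'),
            'reason': outcome.get('reason'),
        })
    return summary


def failed_renewals(events: list) -> list:
    """Renewal attempts that did not succeed: the case that needs action,
    because an expired Okta-managed certificate cannot be renewed manually."""
    return [e for e in summarize_cert_renewals(events) if e['result'] != 'SUCCESS']


# Constructed sample events (not real log data): two renewal events for one
# domain plus one unrelated event that the summary must skip.
SAMPLE_EVENTS = [
    {
        'eventType': CERT_RENEW_EVENT,
        'published': '2024-05-01T10:00:00.000Z',
        'outcome': {'result': 'SUCCESS', 'reason': None},
        'target': [{'type': 'CustomUrlDomain', 'displayName': 'login.example.com'}],
    },
    {
        'eventType': 'user.session.start',
        'published': '2024-06-15T08:00:00.000Z',
        'outcome': {'result': 'SUCCESS', 'reason': None},
        'target': [],
    },
    {
        'eventType': CERT_RENEW_EVENT,
        'published': '2024-07-30T10:00:00.000Z',
        'outcome': {'result': 'FAILURE', 'reason': 'DNS validation failed'},
        'target': [{'type': 'CustomUrlDomain', 'displayName': 'login.example.com'}],
    },
]

if __name__ == '__main__':
    print(build_logs_url('https://example.okta.com'))
    for entry in summarize_cert_renewals(SAMPLE_EVENTS):
        print(entry)
    for entry in failed_renewals(SAMPLE_EVENTS):
        print('ACTION NEEDED:', entry['domain'], entry['published'], entry['reason'])
```

Running the script offline prints the encoded API URL and the per-event summary for the constructed data; pointing fetch_events at a real org returns the same event shape, so the summary functions apply unchanged. A failure entry is the trigger to check the CNAME and TXT records and any blocklist network zone, while the certificate is still valid.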

How to view the migrated certificate?

To view the migrated certificate, navigate to the custom domain in a browser and click the lock icon next to the URL (for Chrome). Next, navigate to Connection is Secure > Certificate is Valid and preview the cert. It should now be issued by Let's Encrypt and show as issued recently. An example is shown in the screenshot below:

[Screenshot: Certificate Viewer]
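The browser check above can also be scripted, which is useful for confirming the migration on every custom domain and for noticing when an Okta-managed certificate is approaching expiry without having been renewed. The following is an added example, not Okta's code: the host name and the sample certificate dict are constructed, and the dict uses the shape Python's ssl.SSLSocket.getpeercert() returns. It reads the issuer organization, checks that it is Let's Encrypt, and computes the days of validity left; the 30-day warning threshold is an assumption chosen for the example.

```python
"""Inspect the certificate a custom domain serves and confirm it is the
Okta-managed (Let's Encrypt) one, with an expiry check.  Added example, not
Okta's code: the host name and the sample certificate dict are constructed;
the dict uses the shape returned by Python's ssl.SSLSocket.getpeercert()."""
import socket
import ssl
import time
from typing import Optional

SECONDS_PER_DAY = 86400


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live TLS handshake to the custom domain (assumed reachable), returning
    the validated leaf certificate in getpeercert() dict form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert: dict) -> Optional[str]:
    """Pull organizationName out of the issuer RDN sequence."""
    for rdn in cert.get('issuer', ()):
        for key, value in rdn:
            if key == 'organizationName':
                return value
    return None


def is_lets_encrypt(cert: dict) -> bool:
    """True when the leaf was issued by Let's Encrypt, as a migrated
    Okta-managed certificate should be."""
    return issuer_org(cert) == "Let's Encrypt"


def days_until_expiry(cert: dict, now_epoch: Optional[float] = None) -> int:
    """Whole days left before notAfter, relative to now_epoch (default: now)."""
    if now_epoch is None:
        now_epoch = time.time()
    not_after = ssl.cert_time_to_seconds(cert['notAfter'])
    return int((not_after - now_epoch) // SECONDS_PER_DAY)


def assess_cert(cert: dict, now_epoch: Optional[float] = None, warn_days: int = 30) -> dict:
    """Summary an admin can act on.  An Okta-managed certificate with warn_days
    or less left (threshold is an assumption) is a prompt to check the System
    Log for cert_renew failures while the certificate is still valid, since
    the article notes an expired Okta-managed certificate cannot be renewed
    manually."""
    days_left = days_until_expiry(cert, now_epoch)
    return {
        'issuer': issuer_org(cert),
        'okta_managed': is_lets_encrypt(cert),
        'days_left': days_left,
        'renewal_overdue': days_left <= warn_days,
    }


# Constructed sample certificate (not a real certificate): a Let's Encrypt
# issued leaf for a hypothetical custom domain.
SAMPLE_CERT = {
    'subject': ((('commonName', 'login.example.com'),),),
    'issuer': ((('countryName', 'US'),),
               (('organizationName', "Let's Encrypt"),),
               (('commonName', 'R3'),)),
    'notBefore': 'Jun 11 12:00:00 2024 GMT',
    'notAfter': 'Sep  9 12:00:00 2024 GMT',
    'subjectAltName': (('DNS', 'login.example.com'),),
}
# Constructed "current time": 2024-08-10T12:00:00Z, 30 days before notAfter.
SAMPLE_NOW_EPOCH = 1723291200

if __name__ == '__main__':
    import sys
    live = len(sys.argv) > 1
    cert = fetch_peer_cert(sys.argv[1]) if live else SAMPLE_CERT
    print(assess_cert(cert, None if live else SAMPLE_NOW_EPOCH))
```

With no argument the script assesses the constructed certificate at the constructed time; given a host name it performs the live handshake and assesses what the domain actually serves. Because create_default_context verifies the chain and host name, a certificate that fails validation raises before any fields are read, which is itself a signal worth acting on.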
