Okta CA Client Certificate is Revoked after 90 Days of Issuance
Overview

This article clarifies the behavior of the Okta CA, which revokes a client certificate 90 days after issuance if the certificate has not been used in an Okta FastPass authentication.

Applies To
  • Okta Identity Engine (OIE)
  • Device Management Attestation
  • Public Key Infrastructure (PKI) - Certificate Authority and Client Certificates
Solution

From the Okta Manual chapter Managed Devices - Client Certificates

  • "The client certificate is revoked on the 91st day after issuance if it is not used in a successful Okta FastPass flow. 90 days provides time between the deployment of the client certificate and enabling an authentication policy (management attestation) with the client certificate."

To clarify, the 90-day period quoted above is the interval between the issuance of the certificate to the user or device and its first use by Okta FastPass, which binds the certificate to the device. The timeline (T) is:

T0: Okta, acting as the CA, issues the certificate. This can happen before or after Okta Verify is deployed, and before or after FastPass is enrolled.
T1: FastPass uses the certificate. This means FastPass is enrolled and has authenticated successfully.
T2: The certificate expires at the end of the Certificate Validity Period configured in the MDM SCEP Configuration Profile.

      • T1 must happen after T0.
      • T1 must be within 90 days of T0.
      • T2 is the expiry of the certificate after T1.
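To make the T0/T1/T2 rule concrete, the following is an added example (not Okta code and not an Okta API) that applies the 91st-day revocation rule to a constructed device inventory, so an administrator can see which certificates are bound, still pending enrollment, revoked, or expired. The record fields, device names, dates and status labels are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rule from the article: the certificate is revoked on the 91st day after
# issuance unless a successful FastPass flow used it within 90 days (T1 <= T0 + 90d).
FASTPASS_BINDING_WINDOW = timedelta(days=90)

@dataclass
class ClientCert:
    device: str                                # constructed device label
    issued: date                               # T0: issued by the Okta CA
    not_after: date                            # T2: end of the SCEP validity period
    first_fastpass_use: Optional[date] = None  # T1, or None if never used

def cert_status(cert: ClientCert, as_of: date) -> str:
    """Return 'bound', 'pending', 'revoked' or 'expired' for the cert on as_of."""
    if cert.first_fastpass_use is not None and cert.first_fastpass_use < cert.issued:
        raise ValueError(f"{cert.device}: T1 precedes T0")   # T1 must follow T0
    if as_of >= cert.not_after:
        return "expired"                        # T2 reached
    deadline = cert.issued + FASTPASS_BINDING_WINDOW   # last day T1 may occur
    if cert.first_fastpass_use is not None and cert.first_fastpass_use <= deadline:
        return "bound"                          # T1 inside the window; valid until T2
    if as_of > deadline:
        return "revoked"                        # 91st day or later, never bound
    return "pending"                            # still inside the 90-day window

def days_until_revocation(cert: ClientCert, as_of: date) -> Optional[int]:
    """Days left to complete FastPass enrollment, or None when not applicable."""
    if cert_status(cert, as_of) != "pending":
        return None
    return (cert.issued + FASTPASS_BINDING_WINDOW - as_of).days

# Constructed sample inventory (not real Okta data).
INVENTORY = [
    ClientCert("laptop-01", date(2024, 1, 1), date(2025, 1, 1), date(2024, 2, 15)),
    ClientCert("laptop-02", date(2024, 1, 1), date(2025, 1, 1), None),
    ClientCert("laptop-03", date(2024, 3, 1), date(2025, 3, 1), None),
    ClientCert("laptop-04", date(2023, 1, 1), date(2024, 1, 1), date(2023, 1, 5)),
]

def audit(as_of: date) -> dict:
    """Map each device to its certificate status on the given date."""
    return {c.device: cert_status(c, as_of) for c in INVENTORY}

if __name__ == "__main__":
    for device, status in audit(date(2024, 4, 15)).items():
        print(device, status)
```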
