Okta Certificate Authority (CA) Renewal and Activation Guide
Multi-Factor Authentication
Okta Identity Engine
Overview

Starting in January 2025, Okta Certificate Authorities (CAs) used for management attestation in the Okta Identity Engine will begin to automatically renew. This article outlines the renewal and activation process for the organization's Okta Certificate Authority (CA) and the necessary actions to avoid service disruptions. Organizations using Mobile Device Management (MDM) solutions may need to take immediate action.

Applies To

Organizations leveraging:

  • Okta Certificate Authority (CA)
  • The management attestation condition in OIE authentication policies
Cause

To ensure the organization remains secure, Okta periodically renews its Certificate Authority (CA). This renewal process requires action to maintain continuous service and compliance. An Okta CA is valid for five years and is automatically renewed after 3.5 years. If an organization is leveraging the management attestation feature of Okta, it may be necessary to upload the new CA to the MDM to allow new client certificates to be issued.

Solution

When is it necessary to take action?

Organization admins will receive an email when the CA is renewed. The renewal date can be determined proactively by navigating to Security > Device Integrations > Certificate authority in the Okta console. 

Steps to Take After CA Renewal

  1. Download the Latest CA

    • In the Admin Console, navigate to Admin > Security > Device Integrations.
    • Click the Certificate Authority tab.
    • In the Actions column for Okta CA, click the Download x509 certificate icon.
    • Rename the downloaded file to include a .cer extension.
  2. Upload to MDM Solution

    • Before the new CA can issue new client certificates, upload the renewed certificate to the Mobile Device Management (MDM) solution.
    • Be sure not to delete the previous CA from the MDM until it has expired, as this could prevent managed devices from accessing Okta-protected resources.
  3. Activate the New CA in Okta

    • Once the new CA is uploaded to MDM and all necessary steps are completed, activate it in Okta by clicking Activate in the Actions column for Okta CA.

Automatic Activation Warning:

If the customer does not manually activate the CA within 6 months, it will automatically activate. However, failure to update the MDM solution beforehand may block new client certificates from being issued.

Frequently Asked Questions

What will happen if no action is taken?

  • If the new CA is not uploaded to MDM, no new client certificates will be issued, preventing devices from accessing resources. However, existing certificates will continue to function until they expire.

Does the MDM solution require the new CA to be uploaded?

  • Some MDM solutions do not require this step, but it is important to confirm with the MDM provider whether uploading the new CA is necessary.

What happens if the CA is automatically activated after 6 months?

  • The CA will activate automatically, but any MDM that has not been updated may block new device certificates from being issued.

What errors will be seen when an MDM solution is not updated?

  • Errors related to certificate issuance failures may appear in MDM or Okta. For further troubleshooting steps, contact the Okta administrator or support team.

Next Steps: Organizations must follow the outlined steps to avoid any service disruptions. For further assistance, contact the Okta account team or consult the support documentation.

Learn More:
For more detailed information about the Okta Certificate Authority and integration with MDM systems, please visit Okta Documentation.
