Okta Device Access SSL Pinning
Overview

Okta employs sophisticated methods of analyzing traffic to our endpoints to detect risks to our customers. Beginning with Okta Verify for Windows 6.1.0, Okta Device Access employs SSL/TLS public key pinning to prevent data capture or manipulation between Okta Device Access and Okta's server infrastructure. As a result, Okta Device Access rejects custom certificates, such as those presented by SSL proxies that perform content inspection.

This change may result in a combination of the following log messages:

Certificate Pinning Validation Log Messages
Message: "URL validation failed during certificate pinning."
Message: "Connection validation failed during certificate pinning."
Message: "SSL policy error during certificate pinning."
Message: "Invalid host detected during certificate pinning."
Message: "Vanity URL bypassed during certificate pinning."
Message: "Exempt domain detected during certificate pinning."
Message: "Certificate pinning validation succeeded."
Message: "Certificate mismatch detected during certificate pinning."
Message: "Error occurred during certificate pinning."
Message: "No pinned certificates found during certificate pinning."
Message: "No pinned keys found during certificate pinning."
Message: "Adding bypass for certificate pinning."
Message: "Cannot bypass certificate pinning."
Message: "Removing bypass for certificate pinning."
Message: "Certificate pinning validation failed."
Message: "Unknown public key format detected."
Message: "Unsupported public key algorithm detected."
Message: "X509 chain validation started."
Message: "Offline fallback used during X509 chain validation."
Message: "Revocation status unknown during X509 chain validation."
Message: "Revocation endpoint not found during X509 chain validation."
Message: "Error occurred during X509 chain validation."
Message: "Mismatch detected during X509 chain validation."
Message: "X509 chain validation succeeded."
Message: "Certificate or chain is null, validation failed."
Message: "SSL policy error during validation: {sslPolicyErrors}, validation failed."
Message: "Cannot validate certificate chain, validation failed."
Message: "Error reading registry: {ex.Message}"

Applies To
  • Okta Identity Engine (OIE)
  • Okta Device Access (ODA)
  • Desktop Multi-Factor Authentication (MFA)
  • Windows Devices
Solution

If FastPass is successfully in use or a proxy with SSL inspection is not used, no action is required.

If a proxy with SSL inspection configured is used, perform the following actions to prevent service disruptions:

  • Exclude Okta traffic (*.okta.com, *.oktapreview.com, *.okta-emea.com, *.okta.mil, or *.okta-gov.com) from any proxy.
  • Configure the proxy either through a Proxy Auto-Configuration (PAC) file or by setting proxy credentials in the Okta Verify for Windows installer flags.
    • If this was never configured, it may be necessary to reinstall Windows Okta Verify (WOV) with these flags.
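The following PAC file implements the exclusion above: the five Okta domains listed go DIRECT, so the pinned connection never meets the inspecting proxy's certificate, while all other traffic is still inspected. This is an added example, not a file provided by Okta; the proxy address is a placeholder, and the suffix matching is written with plain string operations so it also runs outside a PAC engine.

```javascript
// Constructed example PAC file (not Okta's). Replace the placeholder proxy with
// the address of your SSL-inspecting proxy.
var INSPECTING_PROXY = "PROXY proxy.example.internal:8080"; // placeholder

// Domains pinned by Okta Device Access (from the Solution section above).
var OKTA_DOMAINS = ["okta.com", "oktapreview.com", "okta-emea.com", "okta.mil", "okta-gov.com"];

// True when host is exactly one of the domains or a subdomain of it (*.okta.com).
// Requiring the leading dot prevents a lookalike such as "notokta.com" from matching,
// which is the usual mistake when excluding hosts with a bare endsWith check.
function isPinnedOktaHost(host) {
  host = host.toLowerCase();
  for (var i = 0; i < OKTA_DOMAINS.length; i++) {
    var d = OKTA_DOMAINS[i];
    if (host === d) return true;
    if (host.length > d.length && host.slice(-(d.length + 1)) === "." + d) return true;
  }
  return false;
}

// Standard PAC entry point: pinned Okta hosts bypass inspection, everything else is proxied.
function FindProxyForURL(url, host) {
  if (isPinnedOktaHost(host)) return "DIRECT";
  return INSPECTING_PROXY;
}
```

If direct egress is blocked in your network, return a non-inspecting proxy string instead of "DIRECT" for the Okta hosts; the point is that no proxy rewrites the TLS certificate on these connections.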
