Beginning with Okta Verify for Windows 6.1.0, Okta Device Access employs SSL/TLS public key pinning to prevent data capture or manipulation. This feature rejects custom certificates, such as those an SSL proxy generates for content inspection, which causes certificate pinning validation errors. Resolve this issue by excluding Okta traffic from the proxy, or by configuring the proxy through a Proxy Auto-Configuration (PAC) file or the Okta Verify installer flags.
The use of custom certificates with SSL proxies results in some combination of the following log messages related to certificate pinning and X509 chain validation:
Message: "URL validation failed during certificate pinning."
Message: "Connection validation failed during certificate pinning."
Message: "SSL policy error during certificate pinning."
Message: "Invalid host detected during certificate pinning."
Message: "Vanity URL bypassed during certificate pinning."
Message: "Exempt domain detected during certificate pinning."
Message: "Certificate pinning validation succeeded."
Message: "Certificate mismatch detected during certificate pinning."
Message: "Error occurred during certificate pinning."
Message: "No pinned certificates found during certificate pinning."
Message: "No pinned keys found during certificate pinning."
Message: "Adding bypass for certificate pinning."
Message: "Cannot bypass certificate pinning."
Message: "Removing bypass for certificate pinning."
Message: "Certificate pinning validation failed."
Message: "Unknown public key format detected."
Message: "Unsupported public key algorithm detected."
Message: "X509 chain validation started."
Message: "Offline fallback used during X509 chain validation."
Message: "Revocation status unknown during X509 chain validation."
Message: "Revocation endpoint not found during X509 chain validation."
Message: "Error occurred during X509 chain validation."
Message: "Mismatch detected during X509 chain validation."
Message: "X509 chain validation succeeded."
Message: "Certificate or chain is null, validation failed."
Message: "SSL policy error during validation: {sslPolicyErrors}, validation failed."
Message: "Cannot validate certificate chain, validation failed."
Message: "Error reading registry: {ex.Message}"
- Okta Identity Engine (OIE)
- Okta Device Access (ODA)
- Desktop Multi-Factor Authentication (MFA)
- Windows Devices
Okta Verify for Windows 6.1.0 and later uses SSL/TLS public key pinning to secure traffic between Okta Device Access and the Okta server infrastructure. This security measure rejects custom certificates generated by SSL proxies for content inspection, resulting in validation failures.
How are SSL pinning errors resolved in Okta Device Access?
If FastPass operates successfully or a proxy with SSL inspection is absent, no action is required.
Prevent service disruptions by excluding Okta traffic from the proxy or configuring proxy credentials using the following methods.
- Exclude Okta traffic from any proxy with *.okta.com, *.oktapreview.com, *.okta-emea.com, *.okta.mil, or *.okta-gov.com.
- Configure the proxy using either a Proxy Auto-Configuration (PAC) file or proxy credentials passed in the Okta Verify for Windows installer flags.
- Reinstall Windows Okta Verify (WOV) with these flags if the configuration was never previously applied.
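A PAC file that implements the first resolution step (sending the listed Okta domains DIRECT while everything else goes through the inspecting proxy), added here as an example and not taken from the Okta article. The proxy address proxy.example.internal:8080 is a placeholder, and hostInDomain is a portable stand-in for the PAC helper dnsDomainIs; matching the apex domain as well as its subdomains is an assumption.

```javascript
// Example PAC file (not from the Okta article). Replace the placeholder
// proxy.example.internal:8080 with your own SSL-inspecting proxy.

// Domains the article says must be excluded from SSL inspection.
var OKTA_BYPASS_DOMAINS = [
  "okta.com",
  "oktapreview.com",
  "okta-emea.com",
  "okta.mil",
  "okta-gov.com"
];

// Portable replacement for dnsDomainIs(): true when host is the domain
// itself (assumption) or a subdomain of it. Only ES3 string methods are
// used so it also runs in older PAC engines (WinHTTP/JScript), which lack
// String.prototype.endsWith. Requires the "." boundary, so notokta.com
// and okta.com.evil.example are not matched.
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  if (host === domain) { return true; }
  var suffix = "." + domain;
  var idx = host.length - suffix.length;
  return idx > 0 && host.indexOf(suffix, idx) === idx;
}

function isOktaHost(host) {
  for (var i = 0; i < OKTA_BYPASS_DOMAINS.length; i++) {
    if (hostInDomain(host, OKTA_BYPASS_DOMAINS[i])) { return true; }
  }
  return false;
}

// Entry point the OS/browser calls for every request. Okta hosts go
// DIRECT so Okta Verify sees the genuine certificate chain and its pinning
// check passes; all other traffic is sent through the inspecting proxy.
function FindProxyForURL(url, host) {
  if (isOktaHost(host)) {
    return "DIRECT";
  }
  return "PROXY proxy.example.internal:8080";
}
```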
