A macOS client machine displays a certificate trust error during authentication because the Okta Certificate Authority (CA) certificate is absent from the device. To resolve this, an administrator pushes the Okta CA certificate to the device using a Mobile Device Management (MDM) profile to complete the chain of trust. Users experience this issue when the macOS client machine displays the following error message:
[CertName] certificate is not trusted.
- Okta Identity Engine (OIE)
- Device Trust 2.0
- Device Integration
- Devices
- Certificate Authority (CA)
The operating system identifies the certificate as untrusted because the certificate fails to complete the chain of trust on the client. For security reasons, Okta does not push the Organization Intermediate Authority or the Organization Root Authority to the macOS client machine to complete the chain.
How does an administrator resolve the certificate trust error?
The Okta CA certificate is not installed on the macOS client device. Administrators resolve this by downloading the Okta CA certificate from the Admin Console, then distributing it to client devices through their chosen MDM. With the CA certificate in place, the device can complete the chain of trust and trusts the certificate.
How does an administrator download the x509 certificate?
Complete the following steps to download the x509 certificate for the Okta CA:
- Sign in to the Okta Admin Console.
- Navigate to Security > Device Integrations.
- Select the Certificate authority tab.
- Locate the Okta CA in the list of authorities.
- In the Actions column, select the Download x509 certificate icon.
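Once the certificate is downloaded, the remaining step is to wrap it in a configuration profile that the MDM can push to the System keychain. The following is an added example, not Okta's or Apple's own tooling: it assumes the downloaded certificate is PEM-encoded (if it is already DER, skip the PEM step), and the PEM text, display name and `com.example.okta-ca` identifier are constructed placeholders.

```python
import base64
import plistlib
import re
import uuid

# Constructed placeholder standing in for the downloaded Okta CA PEM file;
# the body is not a real certificate, only valid base64 so the flow can run.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract exactly one certificate from PEM text and return its DER bytes.

    A root-certificate payload carries a single certificate, so a file with
    zero or several CERTIFICATE blocks is rejected instead of silently using one.
    """
    blocks = _PEM_RE.findall(pem)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def build_root_ca_profile(pem: str, display_name: str, identifier: str) -> bytes:
    """Return an XML .mobileconfig whose single payload installs `pem` as a root CA.

    com.apple.security.root is Apple's payload type for trusted root certificates.
    PayloadScope "System" installs it for the whole device, which is where the
    trust evaluation behind "[CertName] certificate is not trusted" looks for it.
    """
    payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.root-ca",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadCertificateFileName": "okta-ca.cer",
        "PayloadContent": pem_to_der(pem),  # bytes are serialised as <data>
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    with open("okta-ca.mobileconfig", "wb") as fh:
        fh.write(build_root_ca_profile(SAMPLE_PEM, "Okta CA", "com.example.okta-ca"))
```

Upload the resulting `.mobileconfig` to the MDM as a device-scoped profile; the MDM signs and delivers it, so the file itself needs no manual installation on each Mac.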
