Okta Managed Certificates For Custom Domains

In a previous post, I described how to configure a custom domain for your Okta tenant and get a TLS certificate for that domain, so your end users can use a familiar and easy to remember URL when accessing Okta. It's a great setup that every Okta administrator should implement for their users' sake.

Configure Secure Custom Domains on Okta
By default, Okta tenants use a subdomain under an Okta-owned domain name, which might not be the best URL for multiple reasons. In this blog post, I go through the process of configuring a custom subdomain for your tenant and how to acquire a TLS certificate to secure said domain.

However, the manual renewal process for Let's Encrypt certificates was rather daunting, so you can imagine my happiness when I learned Okta has released a beta feature that finally offers Let's Encrypt certificates that are managed by Okta. In this post, I walk you through what you need to do to make use of this new feature.

Important Disclaimer: This feature is in beta, so it might have some bugs or unexpected behaviours; keep that in mind when enabling it in your environment.

Requirements

  • You need to be a super administrator on your Okta tenant.
  • You need to have your DNS management service of choice (e.g. AWS Route53, Namecheap, ...) open, so you can make some required DNS changes.
  • You should perform this outside working hours and still inform your users about the possible downtime, just in case someone is working late.

Enable The Feature

To enable this new feature, you need to do the following:

  • Log in to your Okta account.
  • Switch to the administrator view.
  • Navigate to Settings > Features.
  • Enable the feature named Custom Domains with Okta-Managed Certificates.

Remove Your Custom Domain

Unfortunately, we can't switch to managed certificates without removing and re-adding the custom domain. To accomplish this, simply:

  • Navigate to Customizations > Domain.
  • Click Edit and then Remove Domain. Confirm the dialogue to proceed with the deletion.
  • Domain removed, success!
[Screenshot: Remove the custom domain]

Reconfigure Your Custom Domain

Now that our custom domain and certificate are gone, we need to reconfigure them.

  • On the same page (Customizations > Domain), click Get Started.
  • In the first configuration window, enter the custom domain and select Okta-managed (faster and easier) in the Certificate management section.
[Screenshot: Configure custom domain and certificate management]
  • The next window provides the updated DNS record values. Replace the old values with them (if you had configured a custom domain before) or create the new DNS records. Give it a few minutes to propagate before clicking Next.
  • Once Okta verifies the DNS records, the system requests a certificate from Let's Encrypt and deploys it onto your tenant.
[Screenshot: Update your DNS records]
  • It takes a few minutes for the DNS records to propagate and everything to settle in place, but once that happens, you should see the following on your domain confirmation page:
[Screenshot: Mission Accomplished]
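The confirmation page tells you what Okta thinks; it is worth checking what a browser will actually see, and, since the feature is in beta, keeping an eye on whether the managed renewal really happens. The script below is an added example (not part of this post or of Okta's tooling): it compares a CNAME answer with the target Okta displayed and inspects the certificate served on the custom domain. The hostname and CNAME target are placeholders; use the values your tenant shows.

```python
"""Added verification helper, not from the original post. Host names are
placeholders; Okta displays the real CNAME target in the DNS step."""
import socket
import ssl
from datetime import datetime, timezone
from typing import List, Optional

EXPECTED_ISSUER = "Let's Encrypt"  # Okta-managed certificates are issued by Let's Encrypt
MIN_DAYS_LEFT = 14                 # warn well before the 90-day lifetime runs out


def cname_matches(answer: str, expected: str) -> bool:
    """Compare a `dig +short` CNAME answer with the target shown by Okta.
    Trailing dots and letter case are not significant in DNS names."""
    norm = lambda s: s.strip().rstrip(".").lower()
    return norm(answer) == norm(expected)


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """TLS-connect to the custom domain (validated against the system CA
    store) and return the leaf certificate as getpeercert() formats it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_cert(cert: dict, host: str, now: Optional[datetime] = None) -> List[str]:
    """Return findings for a getpeercert() dict; an empty list means the
    deployed certificate looks right. Takes the dict so it runs offline."""
    now = now or datetime.now(timezone.utc)
    findings = []
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") != EXPECTED_ISSUER:
        findings.append(f"unexpected issuer: {issuer.get('organizationName')!r}")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if host.lower() not in (s.lower() for s in sans):
        findings.append(f"{host} is not in the certificate SANs {sans}")
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days = (expiry - now).days
    if days < MIN_DAYS_LEFT:
        findings.append(f"certificate expires in {days} days; managed renewal may not have run")
    return findings


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "login.example.com"  # placeholder host
    for line in check_cert(fetch_peer_cert(host), host) or ["OK: managed certificate looks healthy"]:
        print(line)
```

Running it from a scheduled job and alerting on any non-empty result turns the beta caveat into something you can actually observe.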

That's It 🎉🎉🎉

You have successfully configured Okta-managed certificates on your Okta tenant; your users and security engineers will thank you for this simple change. 🎉🎉🎉