Starting January 2025, Okta Certificate Authorities (CAs) used for management attestation in OIE orgs will begin to automatically renew. Organizations using Mobile Device Management (MDM) solutions and leveraging management attestation may need to upload the new CA to their MDM to ensure continued service and certificate issuance. ZeroTek has reached out individually to affected orgs.
Organizations using this feature must update their MDM configurations with the new CA.
FAQ
How do I know if I need to take action?
ZeroTek will proactively contact MSPs for affected tenants using a technical support ticket. You can proactively determine your renewal date by navigating to Security > Device Integrations > Certificate authority in the Okta console.
What will happen if no action is taken?
If the new CA is not uploaded to your MDM, no new client certificates will be issued, preventing devices from accessing resources. However, existing certificates will continue to function until they expire.
Does my MDM solution require me to upload the new CA?
Some MDM solutions do not require this step, but it is important to confirm with your MDM provider whether uploading the new CA is necessary.
What happens if my CA is automatically activated after 6 months?
The CA will activate automatically, but any MDM that has not been updated may block new device certificates from being issued.
What errors will I see if I don’t update my MDM solution?
You may see errors in your MDM or Okta related to certificate issuance failures. Contact your Okta administrator or support team for further troubleshooting steps.
Resolution
Review and complete the procedures in the Okta Certificate Authority (CA) Renewal and Activation Guide. 