Need support on Logging in to Okta with Smart Card


Sridhar Raju Sagi

Jan 5, 2021, 8:39:54 AM1/5/21
to piv-test-cards
Hi Team,

I am trying to log in to Okta cloud with Smart Card Authentication.

The error I am getting is "Certificate Verification failed"; when I check the logs on Okta it says
"Invalid Issuer CRL".

I created a Windows Active Directory and CA (Windows Certification Authority) server in the internal network.

I created a domain-level certificate and a user certificate in my local CA, uploaded the chain file to the user in Okta and imported the user certificate into the smart card.

Then I opened the Okta cloud URL in the browser and selected the PIV option; it asked me to select the certificate uploaded to my smart card and then requested the PIN, which I entered, but I am unable to log in.

I created an A record on my public DNS and pointed it to my internal server as well, so that the URL embedded in the chain file resolves to my CA server FQDN in the internal network and gets verified.

Can anyone tell me whether I am going about this the wrong way, and that is why I am failing to log in to Okta with the smart card?

Your help is greatly appreciated.


Regards,
Sridhar


Douglas E Engert

Jan 5, 2021, 2:50:09 PM1/5/21
to piv-tes...@list.nist.gov
Sounds like Okta does not trust the CRL signer.

Certificates on a PIV are signed by the government, and the CRL would have to be signed by the same CA.

Are you issuing your own certificates and writing them to PIV cards?
If so, did you tell your CA to issue CRLs, and how often?

https://help.okta.com/en/prod/Content/Topics/Access-Gateway/cert-chain-operations.htm#Manage
talks about "Manage CRL settings". Does its setting for the lifetime of the CRL match what the CA is doing?

--

Douglas E. Engert <DEEn...@gmail.com>
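The checks behind both messages above, as an added example that is not code from the thread, from Okta or from NIST: a throwaway CA built with OpenSSL issues a card certificate and CRLs, and `openssl verify -crl_check` plays the relying party. It prints the CRL URL a verifier reads out of the certificate (the URL the first post is making resolvable), a clean verification, a CRL whose signer the trust anchor does not vouch for (the "CRL signer" point in the reply), a CRL that has outlived the lifetime its CA gave it (the "lifetime of CRL" point), and a revoked card. Example Test CA, user1 and pki.example.test are made-up names, and the script assumes openssl 1.1.1 or later on the path.

```shell
#!/bin/sh
# Added example, not code from the thread, Okta or NIST: a throwaway PKI built with
# OpenSSL shows what a relying party checks when it validates a card certificate
# with CRL checking, and reproduces the failure modes raised in the reply above:
# a CRL from a signer the trust anchor does not vouch for, and a CRL that outlived
# its nextUpdate. Example Test CA, user1 and pki.example.test are made-up names.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
NOW=$(( $(date +%s) + 60 ))   # verification time: a minute ahead of CRL issuance

# Minimal openssl.cnf for one CA directory; `openssl ca -gencrl` needs the
# database and crlnumber files even when ca(1) never issues a certificate.
write_cnf() {  # $1 = CA directory
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/crlnumber"
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints      = CA:FALSE
keyUsage              = critical, digitalSignature
crlDistributionPoints = URI:http://pki.example.test/ca.crl
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_crl_days = 1
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
}
# Self-signed CA (P-256 key) in directory $1 with subject CN=$2.
make_ca() {
    write_cnf "$1"
    openssl req -x509 -config "$1/openssl.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 3650 -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}
# Card (end-entity) certificate CN=$2 signed by the CA in $1, written to $1/user.pem.
make_user_cert() {
    openssl req -new -config "$1/openssl.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -subj "/CN=$2" -keyout "$1/user.key" -out "$1/user.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/user.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 3650 -sha256 -extfile "$1/openssl.cnf" -extensions v3_user \
        -out "$1/user.pem" >/dev/null 2>&1
}
# Issue a CRL from the CA in $1, valid for $2 days, written to $3.
gen_crl() {
    openssl ca -config "$1/openssl.cnf" -gencrl -crldays "$2" -out "$3" >/dev/null 2>&1
}
# The CRL URL a verifier reads from certificate $1 (its crlDistributionPoints extension).
cdp_url() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints | sed -n 's/.*URI://p' | head -n 1
}
# Verify leaf $2 against trust anchor $1 using CRL $3, as of epoch second $4.
# Prints "OK" or OpenSSL's reason string; always returns 0 so callers can compare.
verify_with_crl() {
    out="$(openssl verify -attime "$4" -crl_check -CAfile "$1" -CRLfile "$3" "$2" 2>&1 || true)"
    case "$out" in
        *"depth lookup:"*) printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
        *": OK"*)          echo OK ;;
        *)                 printf '%s\n' "$out" | head -n 1 ;;
    esac
}

CA="$WORK/ca"; ROGUE="$WORK/rogue"
make_ca "$CA" "Example Test CA"
make_user_cert "$CA" "user1"
# Same subject name as the trusted CA but a different key: the CRL's issuer DN matches
# the card cert's issuer, yet its signature does not verify under the trusted CA cert.
# OpenSSL reports "CRL signature failure" ("unable to get certificate CRL" if the
# CRL carries an authorityKeyIdentifier that matches no certificate in the chain).
make_ca "$ROGUE" "Example Test CA"
gen_crl "$CA" 1 "$CA/crl.pem"
gen_crl "$ROGUE" 1 "$ROGUE/crl.pem"
LATER=$(( NOW + 3 * 86400 ))   # the one-day CRL is stale by then; the check fails closed
echo "CRL URL in card cert:       $(cdp_url "$CA/user.pem")"
echo "fresh CRL, trusted signer:  $(verify_with_crl "$CA/ca.pem" "$CA/user.pem" "$CA/crl.pem" "$NOW")"
echo "CRL from untrusted signer:  $(verify_with_crl "$CA/ca.pem" "$CA/user.pem" "$ROGUE/crl.pem" "$NOW")"
echo "same CRL three days later:  $(verify_with_crl "$CA/ca.pem" "$CA/user.pem" "$CA/crl.pem" "$LATER")"
# Revoke the card certificate and reissue the CRL: the case CRL checking exists for.
openssl ca -config "$CA/openssl.cnf" -revoke "$CA/user.pem" >/dev/null 2>&1
gen_crl "$CA" 1 "$CA/crl-revoked.pem"
echo "after revocation:           $(verify_with_crl "$CA/ca.pem" "$CA/user.pem" "$CA/crl-revoked.pem" "$NOW")"
```

Run it with `sh`; it needs only `openssl` and prints the outcome of each check. The two middle lines are the shapes behind a message like "Invalid Issuer CRL": the CRL must verify under the same issuer certificate the relying party already trusts for the card certificate, and its nextUpdate must still lie ahead at the moment the relying party fetches it, so the CA's publication interval has to be shorter than the validity period it stamps into each CRL. OpenSSL's verifier stands in for Okta's here; the exact wording Okta logs is its own.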
