Dark Light

Obtaining the Okta Root CA from OIE

Home / Blog / Obtaining the Okta Root CA from OIE

Published: Jan 18, 2023 / By Andrew Doering


With Okta’s OIE platform, you are now able to distribute Certificate Authorities directly from Okta. However, when deploying the CA that Okta provides, you end up with just the intermediary, and you are missing the root. The methods below allow you to obtain the Root CA. As far as I can tell, there is no documentation on how to obtain this certificate from the support sites on Okta. So hopefully this helps a few people out there if they have a need for this.

Obtaining the Root CA ID

  1. Login to the Admin Dashboard
  2. In the same browser session, duplicate or open a new tab
  3. Go to: https://<org-admin>.okta.com/api/v1/certificateAuthorities?type=ROOT
  4. Grab the “id” from the text that is displayed on screen.

Downloading the Root CA

We will use the ID that was taken in the previous step to obtain the certificate.

  1. Using the same session, open up a new tab
  2. Go to the following address: https://<org-admin>.okta.com/api/v1/certificateAuthorities/<id from process>/cert
  3. This should download a cert file

The Cert file that is downloaded, should be the root CA which should allow you to complete the trust chain from the intermediary that Okta allows from the web GUI.

Then it would be up to your individual MDM or distribution means to deploy the certificate to devices or end users.