Custom URL: Change from own TLS to LetsEncrypt?

The documentation for using a custom URL for Okta seems to imply that there are two options, either:

  • Own TLS certificate
  • “Okta-managed certificate” (as in LetsEncrypt automatically updated certificate from Okta)

Currently we have a subdomain set up with our own TLS certificate, but I’d like to migrate to the Okta-managed version.

How would I go about doing that? Do I just remove the sub-domain / custom URL and then re-create it?

That’s how I did it in my org, yeah.

Cool, thanks @andrea

Did it impact any of your applications / services?

Because when I go to delete the domain it says:

Okta will continue to host a sign-in page at the standard Okta domain for your organization. The issuer mode of Identity Providers, Authorization Servers, and OIDC apps will be set back to the standard Okta domain for your organization.

So I figure I might have to check applications/servers and re-auth them or adjust settings for them?

Ahh, you’re right, my servers were modified. I had a couple set to specifically use my Custom or Okta domain (not using Dynamic Issuer), but now it looks like they’re all updated to support Dynamic Issuer. So my apps all still work, it’s just that now my servers work for both domains instead of just one or the other. Same goes for apps that were configured to use the Org Authorization Server. The Issuer on the Sign On tab is set to Dynamic for all of them so that they continue to work with either domain.

Updating the IdPs seems simple enough as well, since it’s just a dropdown in there, but it seems I didn’t notice/rarely use my test IdPs, so I haven’t done the update yet.

Cool, thanks @andrea

I went ahead and removed the custom domain then recreated it, and selected the Okta-managed LetsEncrypt one.

I then had to add one more TXT value to the DNS for the domain, and after 5 minutes it was verified.

I went through all the applications and it seems everything is working correctly without needing to change anything.

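A post-migration check in the spirit of the last reply (going through the applications to confirm nothing broke), added here as an example and not code from the thread or from Okta. It assumes a constructed custom domain `login.example.com`, that the Org Authorization Server's discovery document is served at `/.well-known/openid-configuration` on that host, and that the Okta-managed certificate is issued by Let's Encrypt; the sample discovery documents and certificate dicts are constructed.

```python
import json
import socket
import ssl
import urllib.request


def issuer_served_under(discovery: dict, custom_domain: str) -> bool:
    """True when the discovery document's issuer lives under the custom domain.
    With the servers in Dynamic issuer mode a request to the custom host should
    get an issuer on that host, not on the standard <org>.okta.com domain."""
    issuer = discovery.get("issuer", "")
    return issuer == f"https://{custom_domain}" or issuer.startswith(f"https://{custom_domain}/")


def cert_issuer_org(peercert: dict) -> str:
    """Pull organizationName out of the issuer RDNs of an ssl.getpeercert() dict."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return ""


def evaluate(discovery: dict, peercert: dict, custom_domain: str,
             expected_ca_org: str = "Let's Encrypt") -> list:
    """Return the problems found; an empty list means the migration looks complete."""
    problems = []
    if not issuer_served_under(discovery, custom_domain):
        problems.append(f"issuer {discovery.get('issuer')!r} is not under {custom_domain}")
    ca = cert_issuer_org(peercert)
    if ca != expected_ca_org:
        problems.append(f"certificate issued by {ca!r}, expected {expected_ca_org!r}")
    return problems


def check_live(custom_domain: str, auth_server_path: str = "") -> list:
    """Fetch the live certificate and discovery document, then evaluate them.
    auth_server_path is "" for the Org Authorization Server or "/oauth2/<id>"
    for a custom one (<id> is a placeholder, not a value from the thread)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname like a browser
    with socket.create_connection((custom_domain, 443), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=custom_domain) as tls:
            peercert = tls.getpeercert()
    url = f"https://{custom_domain}{auth_server_path}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        discovery = json.load(resp)
    return evaluate(discovery, peercert, custom_domain)


# Constructed samples: a migrated org, a server still pinned to the Okta domain.
DISCOVERY_OK = {"issuer": "https://login.example.com"}
DISCOVERY_STALE = {"issuer": "https://dev-00000.okta.com"}
CERT_LE = {"issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),))}
CERT_OWN = {"issuer": ((("organizationName", "Example Corp Internal CA"),),)}
```

Run `check_live("login.example.com")` against the real host after the TXT record verifies; a non-empty list names the server or certificate that still needs attention.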
