Symantec VIP certificate upload to the Okta portal fails with error: The certificate was not accepted by Symantec VIP Service.

Article ID: 242398

Products

VIP Service

Issue/Introduction

Uploading the Symantec VIP certificate to the Okta portal fails with error: The certificate was not accepted by Symantec VIP Service. This certificate is required when integrating Symantec VIP MFA with Okta.

Cause

The Okta certificate trust store does not contain the CA that issued the VIP certificate.

Resolution

Ask Okta support to add the VIP Organizational Root CA G1 to the trust store in your Okta tenant.

Optionally, the root CA can be added to an existing VIP .P12 certificate using OpenSSL.

OpenSSL commands:

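> # Extract the client certificate and private key; -nodes writes the key unencrypted
> openssl pkcs12 -in VIPcertificate.p12 -out clientcert.pem -nodes -clcerts
> # Convert the DER-encoded CA certificates to PEM
> openssl x509 -in trusted_ca.cer -inform DER -out trusted_ca.pem
> openssl x509 -in root_ca.cer -inform DER -out root_ca.pem
> # Build the chain file (overwriting any earlier copy), then re-export it as PKCS#12
> cat clientcert.pem trusted_ca.pem root_ca.pem > clientcertchain.pem
> openssl pkcs12 -export -in clientcertchain.pem -out VIPclientcertchain.pfx
> # clientcert.pem and clientcertchain.pem hold the unencrypted key; delete them afterwards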

Upload the VIPclientcertchain.pfx certificate into the Okta portal.
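
Before uploading, it helps to confirm that the rebuilt PFX really carries the issuing and root CA certificates. The following check is an added example, not part of the original article or of any Symantec or Okta tooling; the function names pfx_chain_ok and make_sample, the throwaway PKI and the password "demo" are constructed for the demonstration.

```shell
# Added example. The PKI, file names and password "demo" are constructed.

# pfx_chain_ok PFX PASSWORD: succeed only if the client certificate verifies
# using nothing but the CA certificates bundled inside the PFX itself.
pfx_chain_ok() {
    tmp=$(mktemp -d) || return 2
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        -out "$tmp/leaf.pem" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts \
        -out "$tmp/ca.pem" 2>/dev/null &&
    grep -q 'BEGIN CERTIFICATE' "$tmp/ca.pem" &&
    openssl verify -CAfile "$tmp/ca.pem" "$tmp/leaf.pem" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# make_sample DIR: build a constructed root -> issuing CA -> client PKI, then
# package it twice: client only, and client plus both CAs as in the article.
make_sample() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root issuing client; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=constructed $n" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root_ca.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/root_ca.pem" -days 2 \
        -CAkey "$d/root.key" -set_serial 2 -extfile "$d/ca.ext" \
        -out "$d/trusted_ca.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/trusted_ca.pem" -days 2 \
        -CAkey "$d/issuing.key" -set_serial 3 -out "$d/client.pem" 2>/dev/null &&
    cat "$d/client.pem" "$d/client.key" > "$d/clientcert.pem" &&
    cat "$d/clientcert.pem" "$d/trusted_ca.pem" "$d/root_ca.pem" \
        > "$d/clientcertchain.pem" &&
    openssl pkcs12 -export -in "$d/clientcert.pem" -passout pass:demo \
        -out "$d/leaf_only.pfx" &&
    openssl pkcs12 -export -in "$d/clientcertchain.pem" -passout pass:demo \
        -out "$d/VIPclientcertchain.pfx"
}

work=$(mktemp -d) && make_sample "$work" &&
for f in leaf_only.pfx VIPclientcertchain.pfx; do
    if pfx_chain_ok "$work/$f" demo; then echo "$f: full chain bundled"
    else echo "$f: chain incomplete"; fi
done
rm -rf "$work"
```

Against a real file, call pfx_chain_ok with the path to VIPclientcertchain.pfx and its export password; a non-zero exit status means the issuing or root CA certificate is missing from the bundle.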