Uploading the Symantec VIP certificate to the Okta portal fails with the error "The certificate was not accepted by Symantec VIP Service." This certificate is required when integrating Symantec VIP MFA with Okta.
The Okta certificate trust store does not contain the CA that issued the VIP certificate.
Ask Okta support to add the VIP Organizational Root CA G1 to the trust store in your Okta tenant.
Optionally, the root CA can be added to an existing VIP .P12 certificate using OpenSSL.
OpenSSL commands:
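# Extract the client certificate and private key (-nodes leaves the key unencrypted in clientcert.pem)
> openssl pkcs12 -in VIPcertificate.p12 -out clientcert.pem -nodes -clcerts
# Convert the two CA certificates from DER to PEM
> openssl x509 -in trusted_ca.cer -inform DER -out trusted_ca.pem
> openssl x509 -in root_ca.cer -inform DER -out root_ca.pem
# Build the chain file; > overwrites any earlier copy instead of appending to it
> cat clientcert.pem trusted_ca.pem root_ca.pem > clientcertchain.pem
# Export the key, client certificate and CA certificates as a new PKCS#12 file
> openssl pkcs12 -export -in clientcertchain.pem -out VIPclientcertchain.pfx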
Upload the VIPclientcertchain.pfx certificate into the Okta portal.
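Before uploading, it is worth confirming that the exported file really contains the private key, the client certificate and both CA certificates, and that the client certificate chains to the root. The script below is an added example, not part of the original article: pfx_counts, pfx_chain_ok and build_demo are hypothetical helper names, and the demo PKI and the password demo-pass are constructed so that it runs offline.

```bash
#!/usr/bin/env bash
# Added example: inspect a rebuilt PFX before uploading it.
# The demo PKI, file names and the password "demo-pass" are constructed.
set -eu

# Print "<client certs> <CA certs> <private keys>" found in a PKCS#12 file.
pfx_counts() {  # usage: pfx_counts FILE PASSWORD
  local part
  for part in "-nokeys -clcerts" "-nokeys -cacerts" "-nocerts -nodes"; do
    # $part is left unquoted so it splits into two flags
    openssl pkcs12 -in "$1" -passin "pass:$2" $part 2>/dev/null |
      grep -c -e '-----BEGIN' || true
  done | paste -sd ' ' -
}

# Succeed only if the client certificate chains to ROOT_PEM using just the
# CA certificates carried inside the PFX.
pfx_chain_ok() {  # usage: pfx_chain_ok FILE PASSWORD ROOT_PEM
  local d rc=0
  d=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$d/leaf.pem" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$d/cas.pem" 2>/dev/null &&
    openssl verify -CAfile "$3" -untrusted "$d/cas.pem" "$d/leaf.pem" >/dev/null 2>&1 || rc=1
  rm -rf "$d"
  return "$rc"
}

# Constructed input: throwaway root -> issuing CA -> client, bundled as in the article.
build_demo() (  # usage: build_demo DIR
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root_ca.pem -subj '/CN=Demo Root CA' -days 2
  openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr -subj '/CN=Demo Issuing CA'
  openssl x509 -req -in ca.csr -CA root_ca.pem -CAkey root.key -CAcreateserial -extfile ca.ext -out trusted_ca.pem -days 2
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj '/CN=Demo VIP client'
  openssl x509 -req -in client.csr -CA trusted_ca.pem -CAkey ca.key -CAcreateserial -out client.pem -days 2
  cat client.key client.pem > clientcert.pem
  cat clientcert.pem trusted_ca.pem root_ca.pem > clientcertchain.pem
  openssl pkcs12 -export -in clientcertchain.pem -out with_chain.pfx -passout pass:demo-pass
  openssl pkcs12 -export -in clientcert.pem -out leaf_only.pfx -passout pass:demo-pass
) 2>/dev/null

demo=$(mktemp -d)
build_demo "$demo"
echo "with chain: $(pfx_counts "$demo/with_chain.pfx" demo-pass)"
echo "leaf only : $(pfx_counts "$demo/leaf_only.pfx" demo-pass)"
pfx_chain_ok "$demo/with_chain.pfx" demo-pass "$demo/root_ca.pem" && echo "chain verifies to root"
```

For the real file, run pfx_counts on VIPclientcertchain.pfx with its export password; a result of 1 2 1 means one client certificate, two CA certificates and one private key.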