PKI Certificates and Device Trust
Article: KB0010664 Published: 02/06/2023 Last modified: 02/06/2023

A PKI certificate is a file issued by OneLogin and installed in a user's browser. Whenever that user signs into OneLogin with their username and password, OneLogin validates that the PKI certificate installed in their browser matches the one registered to them in OneLogin.

Requiring Certificates

Security policies control the users who are required to authenticate with PKI certificates. You can apply a security policy to all users, to groups, or to individual users.

Note: End users must have an email address registered to their account to use OneLogin PKI-based certificates.

  1. Sign into OneLogin as an admin. Go to Security > Policies and select a user policy to update or click New User Policy to create a new one.

  2. On the MFA tab, toggle on Device Trust Required.

    [Screenshot: New User Policy - MFA]

    Warning: Once this setting is saved, users assigned to this policy (including admins) can only sign in to OneLogin if a PKI certificate is installed on their device. This means that you may become locked out, requiring a call to OneLogin support.

  3. You can choose between installing certificates in a user's browser manually or allowing users to install them the next time they sign into OneLogin by selecting Allow self-installation. Users who require a certificate are prompted to install one after they authenticate to OneLogin but before they sign into any applications.

  4. Select how long you want certificates to stay valid before they expire. You can choose 1, 2, or 5 years.

Creating and Downloading Certificates

If you choose not to allow self-installations, you need to manually create and install certificates for your users.

  1. Go to Users > Users and select the user.

  2. Select Download PKI Cert under the More Actions menu.

    [Screenshot: More Actions - Download PKI Cert]

  3. A certificate password dialogue appears.

    [Screenshot: Certificate Password]

    • If this is the first time you're downloading this certificate, create a new password to enter here and click Download. Make sure to keep this password in your records, as it will be required to re-download the certificate.
    • If you are re-downloading this certificate to replace a lost or expired certificate, enter the password you previously created.

      Note: When you generate a new certificate, any previous certificates are no longer valid. They are not revoked from existing installations, but cannot be used in new installations.

  4. Install the certificate on the user's device, or distribute the certificate to them with a safe distribution method and instruct them to install it on their device. Windows and Mac OS X operating systems handle certificate installation themselves. For Linux, you must use browser-specific certificate installation processes.

    Ensure that you or the user deletes the certificate file from their hard drive after the certificate is installed. Certificates should be handled with care, just like a physical authentication token such as a USB key.
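The Linux case in step 4 is the one the article leaves to "browser-specific" processes. The script below is an added example, not OneLogin tooling: it imports a downloaded client certificate into the NSS certificate database that Chrome/Chromium (~/.pki/nssdb) or Firefox (cert9.db in the profile directory) reads on Linux, confirms a user certificate is present, and then removes the file from disk as the article asks. It assumes the downloaded certificate is a password-protected PKCS#12 (.p12/.pfx) file, which is not stated on this page, and that the NSS tools pk12util and certutil (package libnss3-tools or nss-tools) are installed. pk12util prompts for the PKCS#12 password itself, so the password chosen in the download dialogue never appears on a command line.

```shell
#!/bin/sh
# Added example, not OneLogin's own tooling. Assumes a PKCS#12 download and
# the NSS command-line tools (pk12util, certutil) on a Linux desktop.

# Resolve the NSS database a given browser reads on Linux.
# Chrome/Chromium use the shared database under ~/.pki/nssdb; Firefox keeps
# cert9.db inside its profile directory. The "sql:" prefix selects the
# SQLite (cert9.db/key4.db) format both browsers use today.
nss_db_dir_for() {
    case "$1" in
        chrome|chromium)
            echo "sql:$HOME/.pki/nssdb" ;;
        firefox)
            dbfile=$(find "$HOME/.mozilla/firefox" -maxdepth 2 -name cert9.db 2>/dev/null | head -n 1)
            [ -n "$dbfile" ] || { echo "no Firefox profile with cert9.db found" >&2; return 1; }
            echo "sql:$(dirname "$dbfile")" ;;
        *)
            echo "unsupported browser: $1" >&2; return 1 ;;
    esac
}

# Import the PKCS#12 file into the database and confirm that at least one
# user certificate (trust flags u,u,u = certificate with private key) is
# now listed. Returns non-zero if the tools are missing, the file does not
# exist, or the import fails.
import_client_cert() {
    db="$1"; p12="$2"
    command -v pk12util >/dev/null 2>&1 || { echo "pk12util not found (install libnss3-tools / nss-tools)" >&2; return 1; }
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found (install libnss3-tools / nss-tools)" >&2; return 1; }
    [ -f "$p12" ] || { echo "no such file: $p12" >&2; return 1; }
    # Create the database directory if the browser has not done so yet.
    mkdir -p "${db#sql:}"
    # pk12util prompts for the PKCS#12 password (and the database password,
    # if one is set) on the terminal, so nothing secret lands in shell history.
    pk12util -i "$p12" -d "$db" || return 1
    certutil -L -d "$db" | grep -q 'u,u,u' || { echo "no user certificate found in $db after import" >&2; return 1; }
}

# Remove the certificate file once it lives in the database. shred is GNU
# coreutils; fall back to rm where it is not available.
remove_cert_file() {
    if command -v shred >/dev/null 2>&1; then shred -u -- "$1"; else rm -f -- "$1"; fi
}

main() {
    browser="$1"; p12="$2"
    db=$(nss_db_dir_for "$browser") || exit 1
    import_client_cert "$db" "$p12" || exit 1
    remove_cert_file "$p12"
    echo "imported into $db and removed $p12"
}

# Usage: sh install-cert.sh chrome ~/Downloads/user.p12
#        sh install-cert.sh firefox ~/Downloads/user.p12
if [ "$#" -eq 2 ]; then main "$@"; fi
```

Restart the browser after the import so it re-reads the database; the shred step matters because a PKCS#12 file plus its password is the whole credential, which is why the article compares it to a physical token.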

Browser Compatibility

OneLogin's certificates support Chrome, Firefox, and Safari. Windows and Mac OS have certificate management built into the OS, while browsers on Linux must manage the certificates themselves.

  Platform   | Chrome              | Firefox             | Safari
  Linux      | Built-in            | Built-in            |
  Windows    | Certificate Manager | Certificate Manager |
  Mac OS X   | Keychain            | Keychain            | Keychain
  Apple iOS  |                     |                     | Keychain

Note: On Apple iOS devices, apps using Safari View Controller can download OneLogin Protect PKI certificates, but apps using their own web view can't.
