Okta-pki
14 operations, identified by eventType in the audit log.
| eventType | Description |
|---|---|
| pki.ca.add | Triggered when an admin creates an Okta CA (ROOT or Intermediate certs) or uploads a 3rd party certificate chain. You can use the event to audit the Okta CA or 3rd party certificate authority status change. When triggered, the Okta CA or 3rd party certificate authority will appear in the Admin Console. |
| pki.ca.delete | Triggered when an admin deletes a 3rd party certificate chain. You can use the event to audit the 3rd party certificate authority status change. When triggered, the 3rd party certificate authority is no longer available to the org. |
| pki.ca.expiration.warn | Warn about approaching third-party CA certificate expiration. Monitor certificate expiration timelines to proactively rotate third-party CA certificates and avoid FastPass authentication failures when strict enforcement begins. Fires at 6-month, 3-month, and 1-month intervals before the enforcement deadline. The target resource identifies the specific certificate. Use outcome.reason to filter by urgency interval (EXPIRING_6_MONTHS, EXPIRING_3_MONTHS, EXPIRING_1_MONTH). |
| pki.ca.renew | Triggered when one or more certificates that belong to a certificate authority are renewed. Use to audit certificate renewals that belong to a certificate authority. You can also use it as a notification to download the renewed certificates. When triggered, this event includes the old certificates and the new certificate replacements. |
| pki.cert.bind | Triggered when a certificate is bound to a device. You can use the event to audit certificate device binding relationship. When triggered, the device appears in the Admin Console as managed device. |
| pki.cert.crl_download_failure | A failure outcome indicates that there was an issue downloading the Certificate Revocation List (CRL) from the URL specified in the certificate and may require action to address it. When an administrator observes a pki.cert.lifecycle.crl_download_failure event with a failure outcome they should ensure that the CRL endpoint is up and running properly and has not been changed by the issuing Certificate Authority (CA). When fired, this event will include the URL of the CRL that is having an issue along with a corresponding HTTP error code. |
| pki.cert.issue | Device Trust certificate issuance. |
| pki.cert.lifecycle.activate | Triggered when a certificate marked as hold is removed from the CRL or when renewed Okta CA certificates marked as inactive are activated. You can use the event to audit certificate lifecycle change. When an admin activates/unsuspends a device, the certificate associated with the device is activated when used in the next Okta Verify flow. Additionally when an admin or activation job activates an inactive certificate it can then be used to issue client certificates in SCEP. |
| pki.cert.lifecycle.delete | Triggered when a certificate is deleted as a result of an admin deleting the binding device. You can use the event to audit certificate lifecycle change. When triggered, the certificate no longer appears in the Admin Console. |
| pki.cert.lifecycle.hold | Triggered when a certificate is temporarily on hold and appears on CRL. You can use the event to audit certificate lifecycle change. A certificate on hold can be activated after it is removed from CRL. |
| pki.cert.lifecycle.revoke | Triggered when a certificate is revoked and appears on CRL. You can use the event to audit certificate lifecycle change. Once revoked, a certificates can not be activated. |
| pki.cert.lifecycle.suspend | Triggered when a certificate is suspended as a result of an admin deactivating the binding device. You can use the event to audit certificate lifecycle change. When triggered, the certificate can not be used to send the management hint. |
| pki.cert.renew | Triggered when a Device Trust certificate is renewed. |
| pki.cert.revoke | Device Trust certificate revocation. |
pki.ca.add
#Description
Triggered when an admin creates an Okta CA (ROOT or Intermediate certs) or uploads a 3rd party certificate chain. You can use the event to audit the Okta CA or 3rd party certificate authority status change. When triggered, the Okta CA or 3rd party certificate authority will appear in the Admin Console.
Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.Fields #
Name Description actor.idUnique ID of the actor performing the event. actor.typeType of actor: User, Client, System, PublicClientApp, etc. actor.alternateIdUsername or email of the actor. actor.displayNameDisplay name of the actor. target[].idID of each target object (user, group, application, ...). target[].typeType of each target object. target[].alternateIdUsername or email of each target object. outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. outcome.reasonHuman-readable reason for the outcome. client.ipAddressIP address of the client. client.userAgent.rawUserAgentRaw user agent string. client.geographicalContext.countryCountry of origin for the request. securityContext.isProxyWhether the request came through a proxy or anonymizer. authenticationContext.externalSessionIdSession ID correlating events in one user session. transaction.idTransaction ID correlating multiple log entries for one action. References #
pki.ca.delete
#Description
Triggered when an admin deletes a 3rd party certificate chain. You can use the event to audit the 3rd party certificate authority status change. When triggered, the 3rd party certificate authority is no longer available to the org.
Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.Fields #
Name Description actor.idUnique ID of the actor performing the event. actor.typeType of actor: User, Client, System, PublicClientApp, etc. actor.alternateIdUsername or email of the actor. actor.displayNameDisplay name of the actor. target[].idID of each target object (user, group, application, ...). target[].typeType of each target object. target[].alternateIdUsername or email of each target object. outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. outcome.reasonHuman-readable reason for the outcome. client.ipAddressIP address of the client. client.userAgent.rawUserAgentRaw user agent string. client.geographicalContext.countryCountry of origin for the request. securityContext.isProxyWhether the request came through a proxy or anonymizer. authenticationContext.externalSessionIdSession ID correlating events in one user session. transaction.idTransaction ID correlating multiple log entries for one action. References #
pki.ca.expiration.warn
#Description
Warn about approaching third-party CA certificate expiration. Monitor certificate expiration timelines to proactively rotate third-party CA certificates and avoid FastPass authentication failures when strict enforcement begins. Fires at 6-month, 3-month, and 1-month intervals before the enforcement deadline. The target resource identifies the specific certificate. Use outcome.reason to filter by urgency interval (EXPIRING_6_MONTHS, EXPIRING_3_MONTHS, EXPIRING_1_MONTH).
Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.Fields #
Name Description actor.idUnique ID of the actor performing the event. actor.typeType of actor: User, Client, System, PublicClientApp, etc. actor.alternateIdUsername or email of the actor. actor.displayNameDisplay name of the actor. target[].idID of each target object (user, group, application, ...). target[].typeType of each target object. target[].alternateIdUsername or email of each target object. outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. outcome.reasonHuman-readable reason for the outcome. client.ipAddressIP address of the client. client.userAgent.rawUserAgentRaw user agent string. client.geographicalContext.countryCountry of origin for the request. securityContext.isProxyWhether the request came through a proxy or anonymizer. authenticationContext.externalSessionIdSession ID correlating events in one user session. transaction.idTransaction ID correlating multiple log entries for one action. References #
pki.ca.renew
#Description
Triggered when one or more certificates that belong to a certificate authority are renewed. Use to audit certificate renewals that belong to a certificate authority. You can also use it as a notification to download the renewed certificates. When triggered, this event includes the old certificates and the new certificate replacements.
Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.Fields #
Name Description actor.idUnique ID of the actor performing the event. actor.typeType of actor: User, Client, System, PublicClientApp, etc. actor.alternateIdUsername or email of the actor. actor.displayNameDisplay name of the actor. target[].idID of each target object (user, group, application, ...). target[].typeType of each target object. target[].alternateIdUsername or email of each target object. outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. outcome.reasonHuman-readable reason for the outcome. client.ipAddressIP address of the client. client.userAgent.rawUserAgentRaw user agent string. client.geographicalContext.countryCountry of origin for the request. securityContext.isProxyWhether the request came through a proxy or anonymizer. authenticationContext.externalSessionIdSession ID correlating events in one user session. transaction.idTransaction ID correlating multiple log entries for one action. References #
pki.cert.bind
#Description
Triggered when a certificate is bound to a device. You can use the event to audit certificate device binding relationship. When triggered, the device appears in the Admin Console as managed device.
Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.Fields #
Name Description actor.idUnique ID of the actor performing the event. actor.typeType of actor: User, Client, System, PublicClientApp, etc. actor.alternateIdUsername or email of the actor. actor.displayNameDisplay name of the actor. target[].idID of each target object (user, group, application, ...). target[].typeType of each target object. target[].alternateIdUsername or email of each target object. outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. outcome.reasonHuman-readable reason for the outcome. client.ipAddressIP address of the client. client.userAgent.rawUserAgentRaw user agent string. client.geographicalContext.countryCountry of origin for the request. securityContext.isProxyWhether the request came through a proxy or anonymizer. authenticationContext.externalSessionIdSession ID correlating events in one user session. transaction.idTransaction ID correlating multiple log entries for one action. References #
pki.cert.crl_download_failure
#Description
A failure outcome indicates that there was an issue downloading the Certificate Revocation List (CRL) from the URL specified in the certificate and may require action to address it. When an administrator observes a pki.cert.lifecycle.crl_download_failure event with a failure outcome they should ensure that the CRL endpoint is up and running properly and has not been changed by the issuing Certificate Authority (CA). When fired, this event will include the URL of the CRL that is having an issue along with a corresponding HTTP error code.
Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.Fields #
Name Description actor.idUnique ID of the actor performing the event. actor.typeType of actor: User, Client, System, PublicClientApp, etc. actor.alternateIdUsername or email of the actor. actor.displayNameDisplay name of the actor. target[].idID of each target object (user, group, application, ...). target[].typeType of each target object. target[].alternateIdUsername or email of each target object. outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. outcome.reasonHuman-readable reason for the outcome. client.ipAddressIP address of the client. client.userAgent.rawUserAgentRaw user agent string. client.geographicalContext.countryCountry of origin for the request. securityContext.isProxyWhether the request came through a proxy or anonymizer. authenticationContext.externalSessionIdSession ID correlating events in one user session. transaction.idTransaction ID correlating multiple log entries for one action. References #
pki.cert.issue
#Description
Device Trust certificate issuance.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: pki.cert.issue https://developer.okta.com/docs/reference/api/event-types/#pki-cert-issue
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
pki.cert.lifecycle.activate
#Description
Triggered when a certificate marked as hold is removed from the CRL or when renewed Okta CA certificates marked as inactive are activated. You can use the event to audit certificate lifecycle change. When an admin activates/unsuspends a device, the certificate associated with the device is activated when used in the next Okta Verify flow. Additionally when an admin or activation job activates an inactive certificate it can then be used to issue client certificates in SCEP.
Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.Fields #
Name Description actor.idUnique ID of the actor performing the event. actor.typeType of actor: User, Client, System, PublicClientApp, etc. actor.alternateIdUsername or email of the actor. actor.displayNameDisplay name of the actor. target[].idID of each target object (user, group, application, ...). target[].typeType of each target object. target[].alternateIdUsername or email of each target object. outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. outcome.reasonHuman-readable reason for the outcome. client.ipAddressIP address of the client. client.userAgent.rawUserAgentRaw user agent string. client.geographicalContext.countryCountry of origin for the request. securityContext.isProxyWhether the request came through a proxy or anonymizer. authenticationContext.externalSessionIdSession ID correlating events in one user session. transaction.idTransaction ID correlating multiple log entries for one action. References #
pki.cert.lifecycle.delete
#Description
Triggered when a certificate is deleted as a result of an admin deleting the binding device. You can use the event to audit certificate lifecycle change. When triggered, the certificate no longer appears in the Admin Console.
Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.Fields #
Name Description actor.idUnique ID of the actor performing the event. actor.typeType of actor: User, Client, System, PublicClientApp, etc. actor.alternateIdUsername or email of the actor. actor.displayNameDisplay name of the actor. target[].idID of each target object (user, group, application, ...). target[].typeType of each target object. target[].alternateIdUsername or email of each target object. outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. outcome.reasonHuman-readable reason for the outcome. client.ipAddressIP address of the client. client.userAgent.rawUserAgentRaw user agent string. client.geographicalContext.countryCountry of origin for the request. securityContext.isProxyWhether the request came through a proxy or anonymizer. authenticationContext.externalSessionIdSession ID correlating events in one user session. transaction.idTransaction ID correlating multiple log entries for one action. References #
pki.cert.lifecycle.hold
#Description
Triggered when a certificate is temporarily on hold and appears on CRL. You can use the event to audit certificate lifecycle change. A certificate on hold can be activated after it is removed from CRL.
Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.Fields #
Name Description actor.idUnique ID of the actor performing the event. actor.typeType of actor: User, Client, System, PublicClientApp, etc. actor.alternateIdUsername or email of the actor. actor.displayNameDisplay name of the actor. target[].idID of each target object (user, group, application, ...). target[].typeType of each target object. target[].alternateIdUsername or email of each target object. outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. outcome.reasonHuman-readable reason for the outcome. client.ipAddressIP address of the client. client.userAgent.rawUserAgentRaw user agent string. client.geographicalContext.countryCountry of origin for the request. securityContext.isProxyWhether the request came through a proxy or anonymizer. authenticationContext.externalSessionIdSession ID correlating events in one user session. transaction.idTransaction ID correlating multiple log entries for one action. References #
pki.cert.lifecycle.revoke
#Description
Triggered when a certificate is revoked and appears on CRL. You can use the event to audit certificate lifecycle change. Once revoked, a certificates can not be activated.
Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.Fields #
Name Description actor.idUnique ID of the actor performing the event. actor.typeType of actor: User, Client, System, PublicClientApp, etc. actor.alternateIdUsername or email of the actor. actor.displayNameDisplay name of the actor. target[].idID of each target object (user, group, application, ...). target[].typeType of each target object. target[].alternateIdUsername or email of each target object. outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. outcome.reasonHuman-readable reason for the outcome. client.ipAddressIP address of the client. client.userAgent.rawUserAgentRaw user agent string. client.geographicalContext.countryCountry of origin for the request. securityContext.isProxyWhether the request came through a proxy or anonymizer. authenticationContext.externalSessionIdSession ID correlating events in one user session. transaction.idTransaction ID correlating multiple log entries for one action. References #
pki.cert.lifecycle.suspend
#Description
Triggered when a certificate is suspended as a result of an admin deactivating the binding device. You can use the event to audit certificate lifecycle change. When triggered, the certificate can not be used to send the management hint.
Only generated on Okta Identity Engine (OIE) orgs, not Classic Engine (Okta Classic) orgs.Fields #
Name Description actor.idUnique ID of the actor performing the event. actor.typeType of actor: User, Client, System, PublicClientApp, etc. actor.alternateIdUsername or email of the actor. actor.displayNameDisplay name of the actor. target[].idID of each target object (user, group, application, ...). target[].typeType of each target object. target[].alternateIdUsername or email of each target object. outcome.resultResult: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. outcome.reasonHuman-readable reason for the outcome. client.ipAddressIP address of the client. client.userAgent.rawUserAgentRaw user agent string. client.geographicalContext.countryCountry of origin for the request. securityContext.isProxyWhether the request came through a proxy or anonymizer. authenticationContext.externalSessionIdSession ID correlating events in one user session. transaction.idTransaction ID correlating multiple log entries for one action. References #
pki.cert.renew
#Description
Triggered when a Device Trust certificate is renewed.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: pki.cert.renew https://developer.okta.com/docs/reference/api/event-types/#pki-cert-renew
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/
pki.cert.revoke
#Description
Device Trust certificate revocation.
Fields #
| Name | Description |
|---|---|
actor.id | Unique ID of the actor performing the event. |
actor.type | Type of actor: User, Client, System, PublicClientApp, etc. |
actor.alternateId | Username or email of the actor. |
actor.displayName | Display name of the actor. |
target[].id | ID of each target object (user, group, application, ...). |
target[].type | Type of each target object. |
target[].alternateId | Username or email of each target object. |
outcome.result | Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. |
outcome.reason | Human-readable reason for the outcome. |
client.ipAddress | IP address of the client. |
client.userAgent.rawUserAgent | Raw user agent string. |
client.geographicalContext.country | Country of origin for the request. |
securityContext.isProxy | Whether the request came through a proxy or anonymizer. |
authenticationContext.externalSessionId | Session ID correlating events in one user session. |
transaction.id | Transaction ID correlating multiple log entries for one action. |
References #
- Okta Event Types Catalog: pki.cert.revoke https://developer.okta.com/docs/reference/api/event-types/#pki-cert-revoke
- Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/