Create a custom domain with Cloudflare
This page covers the steps to quickly set up a custom domain using Cloudflare. To use a custom domain with Okta, you need to have access to its DNS settings, and you need to create a TLS certificate. Cloudflare makes this easy.
Already set everything up using the manual steps on the previous pages? Move on to the Next steps page.
Note: Sign up for Cloudflare if you don't have an account.
Sign in to Cloudflare and select +Add Site. It's best if you point an entire domain at Cloudflare. For example, `example.com`. The free plan is good enough for these steps.
After transferring your domain, you need to create an origin CA certificate:
Select the SSL/TLS app, and then click Origin Server.
Click Create Certificate to open the Origin Certificate Installation dialog box.
Select Let Cloudflare generate a private key and a CSR.
Change Certificate Validity to 1 year (Okta rejects certificates with a 15-year expiration), and then click Next.
Copy the Origin Certificate to a `tls.cert` file on your hard drive, and then copy the Private key to
In Okta, go to Customization > Domain Name > Edit > Get Started.
Enter a subdomain name (for example: `id.example.com`) and click Next. You are prompted to verify domain ownership.
In Cloudflare, add the specified TXT record using the DNS > + Add record option.
In Okta, select Verify > Next.
In the Certificate box, copy/paste the contents of
Note: On a Mac you can use `cat tls.cert | pbcopy` in a terminal to copy the file to your clipboard.
Paste the contents of `private.key` in the Private key box. Click Next.
You are prompted to add a CNAME record. Add this to your Cloudflare DNS, and then click Finish.
`https://<id.domain.name>` resolves in your browser before you continue.
Note: When you first try this, it's possible that your network caches DNS entries, and you won't be able to get to `id.example.com`. As a workaround, you can tether with your phone, then grab the IP address and add it as an entry to your
The OpenID Connect specification requires a `/.well-known/openid-configuration` endpoint with metadata about your app's endpoints. You should be able to see yours at:
You might notice that it has your Okta `dev-*` domain, rather than your custom domain name.
You need to update your Authorization Server to use your custom domain to fix this:
- Sign in to your Okta account and go to API > Authorization Servers.
- Select the default Custom Authorization Server, and then click Edit.
- Change the Issuer to use Custom URL.
`/.well-known/openid-configuration` again. It should now display your custom domain.
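
The check described above can be automated. The following is an added example, not code from Okta's documentation: it inspects a discovery document and reports every URL field that still points away from the custom domain, plus an issuer that does not match the URL the document was fetched from. The function name `check_discovery`, the host names and both sample documents are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
CUSTOM_HOST = "id.example.com"  # placeholder custom domain
FETCHED_URL = f"https://{CUSTOM_HOST}/oauth2/default{WELL_KNOWN}"

# Constructed sample: metadata served before the Issuer is set to Custom URL.
# dev-000000.okta.com is a placeholder org domain.
BEFORE = json.loads("""{
  "issuer": "https://dev-000000.okta.com/oauth2/default",
  "authorization_endpoint": "https://dev-000000.okta.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://dev-000000.okta.com/oauth2/default/v1/token",
  "jwks_uri": "https://dev-000000.okta.com/oauth2/default/v1/keys",
  "response_types_supported": ["code", "id_token"]
}""")
# Constructed sample: the same metadata after the change.
AFTER = {k: v.replace("dev-000000.okta.com", CUSTOM_HOST) if isinstance(v, str) else v
         for k, v in BEFORE.items()}


def check_discovery(metadata, fetched_url, custom_host):
    """Return (field, reason) findings; an empty list means the metadata is consistent."""
    findings = []
    issuer = metadata.get("issuer", "")
    # OpenID Connect Discovery: the issuer must be identical to the URL the
    # document was retrieved from, minus the well-known suffix.
    if not fetched_url.endswith(WELL_KNOWN) or issuer != fetched_url[:-len(WELL_KNOWN)]:
        findings.append(("issuer", "does not match retrieval URL"))
    for field, value in sorted(metadata.items()):
        if not (isinstance(value, str) and "://" in value):
            continue  # skip lists and non-URL strings
        parts = urlsplit(value)
        if parts.scheme != "https":
            findings.append((field, "not https"))
        elif (parts.hostname or "").lower() != custom_host.lower():
            findings.append((field, "host is not the custom domain"))
    return findings


if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        print(name, check_discovery(doc, FETCHED_URL, CUSTOM_HOST) or "consistent")
```

To run it against a live tenant, load the JSON returned by your own discovery endpoint in place of the constructed samples.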