diff --git a/cmd/keymaster/main.go b/cmd/keymaster/main.go
index 3183ed62..f9fad937 100644
--- a/cmd/keymaster/main.go
+++ b/cmd/keymaster/main.go
@@ -362,6 +362,7 @@ func setupCerts(
 		}
 	}
+	logger.Debugf(1, "SetupCerts: authenticaiton Complete")
 	if err := signers.Wait(); err != nil {
 		return err
 	}
diff --git a/cmd/keymasterd/2fa_okta.go b/cmd/keymasterd/2fa_okta.go
index b3777607..06907f10 100644
--- a/cmd/keymasterd/2fa_okta.go
+++ b/cmd/keymasterd/2fa_okta.go
@@ -101,6 +101,7 @@ func (state *RuntimeState) oktaPushStartHandler(w http.ResponseWriter, r *http.R
 		state.writeFailureResponse(w, r, http.StatusInternalServerError, "Failure when validating OKTA push")
 		return
 	}
+	logger.Debugf(2, "oktaPushStartHandler: after validating push response=%+v", pushResponse)
 	switch pushResponse {
 	case okta.PushResponseWaiting:
 		w.WriteHeader(http.StatusOK)
diff --git a/lib/authenticators/okta/impl.go b/lib/authenticators/okta/impl.go
index e3a3ac1e..6a58bee0 100644
--- a/lib/authenticators/okta/impl.go
+++ b/lib/authenticators/okta/impl.go
@@ -202,6 +202,7 @@ func (pa *PasswordAuthenticator) validateUserPush(username string) (PushResponse
 	if userResponse == nil {
 		return PushResponseRejected, nil
 	}
+	pa.logger.Debugf(2, "oktaAuthenticator: validsteUserPush: after getting userResponse=%+v", userResponse)
 	for _, factor := range userResponse.Embedded.Factor {
 		if !(factor.FactorType == "push" && factor.VendorName == "OKTA") {
 			continue
diff --git a/lib/client/twofa/pushtoken/pushtoken.go b/lib/client/twofa/pushtoken/pushtoken.go
index 6aa31a28..a38f5a8d 100644
--- a/lib/client/twofa/pushtoken/pushtoken.go
+++ b/lib/client/twofa/pushtoken/pushtoken.go
@@ -2,6 +2,7 @@ package pushtoken
 import (
 	"bufio"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
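Review bot: The new debug message in setupCerts misspells "authentication" as `authenticaiton`; operators grep logs by message text, so the line should read `logger.Debugf(1, "SetupCerts: authentication Complete")`. The same commit introduces two more misspellings in runtime strings, `validsteUserPush` in lib/authenticators/okta/impl.go and `peeerCerts[0]` in lib/client/twofa/pushtoken/pushtoken.go, which are worth correcting here as well. setupCerts's body starts and ends outside the hunk.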
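Review bot: The added debug line in validateUserPush prints the entire userResponse with %+v, and the Okta authn response this appears to be (the loop below reads Embedded.Factor from it) may also carry state/session tokens and user profile data that should not land in logs even at debug level 2. Prefer logging only what the following loop needs, e.g. `pa.logger.Debugf(2, "oktaAuthenticator: validateUserPush: userResponse has %d factors", len(userResponse.Embedded.Factor))`. The similar line in cmd/keymasterd/2fa_okta.go is fine as written, since pushResponse looks like an enum value rather than a payload. validateUserPush continues outside the hunk.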
@@ -20,6 +21,11 @@ import (
 const vipCheckTimeoutSecs = 180
+func debugLogCert(messageSuffix string, cert *x509.Certificate, logger log.DebugLogger) {
+	logger.Debugf(2, "%s.issuer=%+v", messageSuffix, cert.Issuer)
+	logger.Debugf(2, "%s.subject=%+v", messageSuffix, cert.Subject)
+}
+
 func startGenericPush(client *http.Client,
 	baseURL string,
 	pushType string,
@@ -42,6 +48,14 @@ func startGenericPush(client *http.Client,
 		return err
 	}
 	defer pushStartResp.Body.Close()
+
+	if pushStartResp.TLS != nil {
+		debugLogCert("startGenericPush peeerCerts[0]", pushStartResp.TLS.PeerCertificates[0], logger)
+		if pushStartResp.TLS.VerifiedChains != nil {
+			debugLogCert("startGenericPush verifiedcerts[0]", pushStartResp.TLS.VerifiedChains[0][0], logger)
+		}
+	}
+
 	// since we dont care about content we just consume it all.
 	io.Copy(ioutil.Discard, pushStartResp.Body)
 	if pushStartResp.StatusCode != 200 {
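Review bot: debugLogCert dereferences cert without a nil check, so a caller passing a nil *x509.Certificate panics inside a logging helper; add `if cert == nil { return }` as its first statement. The parameter is named messageSuffix but the format strings place it first, so it is really a prefix and should be named that way. The helper also lacks a doc comment; suggest `// debugLogCert logs the issuer and subject of cert at debug level 2, prefixed with the given message.`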
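Review bot: `pushStartResp.TLS.PeerCertificates[0]` and `pushStartResp.TLS.VerifiedChains[0][0]` index without checking length, so a debug aid can crash the push flow if the handshake state yields an empty slice or an empty chain. Change the guards to `if len(pushStartResp.TLS.PeerCertificates) > 0 {` and `if len(pushStartResp.TLS.VerifiedChains) > 0 && len(pushStartResp.TLS.VerifiedChains[0]) > 0 {`. VerifiedChains is nil on the client side when verification is skipped, so the absence of the second log line is itself a useful hint that the connection was not verified and could be stated in a comment. startGenericPush's body starts and ends outside this hunk.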