diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go
index 062fc156b..4365df477 100644
--- a/builtin/credential/cert/backend_test.go
+++ b/builtin/credential/cert/backend_test.go
@@ -456,6 +456,21 @@ func TestBackend_PermittedDNSDomainsIntermediateCA(t *testing.T) {
 	if secret.Auth == nil || secret.Auth.ClientToken == "" {
 		t.Fatalf("expected a successful authentication")
 	}
+
+	// testing pathLoginRenew for cert auth
+	oldAccessor := secret.Auth.Accessor
+	newClient.SetToken(client.Token())
+	secret, err = newClient.Logical().Write("auth/token/renew-accessor", map[string]interface{}{
+		"accessor":  secret.Auth.Accessor,
+		"increment": 3600,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if secret.Auth == nil || secret.Auth.ClientToken != "" || secret.Auth.LeaseDuration != 3600 || secret.Auth.Accessor != oldAccessor {
+		t.Fatalf("unexpected accessor renewal")
+	}
 }
 
 func TestBackend_MetadataBasedACLPolicy(t *testing.T) {
diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go
index dd70e739b..d2902b88e 100644
--- a/builtin/credential/cert/path_login.go
+++ b/builtin/credential/cert/path_login.go
@@ -236,7 +236,7 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, d
 	var certName string
 	if req.Auth != nil { // It's a renewal, use the saved certName
 		certName = req.Auth.Metadata["cert_name"]
-	} else {
+	} else if d != nil { // d is nil if handleAuthRenew call the authRenew
 		certName = d.Get("name").(string)
 	}
 
diff --git a/builtin/credential/okta/path_login.go b/builtin/credential/okta/path_login.go
index c6b18f02d..0f8967576 100644
--- a/builtin/credential/okta/path_login.go
+++ b/builtin/credential/okta/path_login.go
@@ -143,7 +143,11 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	username := req.Auth.Metadata["username"]
 	password := req.Auth.InternalData["password"].(string)
-	nonce := d.Get("nonce").(string)
+
+	var nonce string
+	if d != nil {
+		nonce = d.Get("nonce").(string)
+	}
 
 	cfg, err := b.getConfig(ctx, req)
 	if err != nil {
diff --git a/changelog/18011.txt b/changelog/18011.txt
new file mode 100644
index 000000000..ed2251046
--- /dev/null
+++ b/changelog/18011.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/okta: fix a panic for AuthRenew in Okta
+```