13 Managing Certificates

In addition to Oracle Key Vault-generated certificates, you can manage third-party certificates.

13.1 Rotating Certificates

You can rotate Oracle Key Vault-generated certificates by using the Oracle Key Vault management console.

13.1.1 About Rotating Certificates

The certificate rotation process captures all certificates in the Oracle Key Vault server. It does not capture third-party certificates.

A certificate in Oracle Key Vault lasts 730 days. If you do not rotate the certificates (both server and endpoint certificates) before they expire, then the endpoints that use them cannot connect to the Oracle Key Vault server, and you must re-enroll each affected endpoint. To avoid this scenario, configure an alert to remind you to rotate the certificate before the 730-day limit is up. The rotation process rotates all certificates in one operation. To find how much time the Oracle Key Vault server certificate has before it expires, check the OKV Server Certificate Expiration setting on the Configure Alerts page in the Oracle Key Vault management console. To find the expiry time of the endpoints' certificates, navigate to the Endpoints page and check the Certificate Expires field.

If you have a high availability configuration, then Oracle Key Vault automatically synchronizes the certificates in both systems. You do not have to perform any extra configuration.

13.1.2 Advice for Managing Certificate Rotations

Oracle Key Vault provides advice on the best ways to rotate certificates.

  • In a primary-standby configuration, do not perform certificate rotation if the primary database is in read-only restricted mode. Only initiate a certificate rotation when both servers in the configuration are active and synchronized with each other.
  • If you are performing certificate rotation on a system that was upgraded from a previous release, ensure that you upgrade the endpoints as well. Endpoints whose software has not been upgraded will not receive updated credentials.
  • You cannot perform a certificate rotation while a backup operation or a restore operation is in progress.
  • Before performing a certificate rotation, back up the Oracle Key Vault system.
  • In order for the certificate rotation process to fully complete, you must delete and re-enroll all endpoints that are not in the Enrolled state. If you no longer need the endpoint, then you only need to delete it.
  • If a given endpoint does not receive its rotated certificates due to network or other issues, or is in the Suspended state, re-enroll the endpoint, or delete it if you no longer need it. This allows the certificate rotation process to continue to completion. You can find the current certificate rotation status by going to the Endpoints page and looking at the Common Name of Certificate Issuer field.

13.1.3 Rotating All Certificates

You can use the Oracle Key Vault management console to rotate certificates.
Before you begin the rotation process, check the endpoint software version and ensure that it uses the current version of the Oracle Key Vault release 12.2 software. You must use the current version of Oracle Key Vault release 12.2 if you want to use the automatic rotation feature. If you are using an earlier Oracle Key Vault release 12.2 patch, then the endpoint cannot receive the updated credentials.
  1. Log in to Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab.
  3. Select Manage System Certificate.
  4. In the Manage System Certificate page, click Generate System Certificate.
  5. In the confirmation dialog box, select OK.
    This creates a new CA certificate, but does not enable it. At this stage, endpoints can still use their old credentials to connect using the previous certificate. The Old Certificate area shows the details of the currently active CA. The New Certificate area shows that the certificate has been rotated and displays its common name. If you want to cancel the rotation process, click Abort to cancel the process and clean up the new CA directory that was generated.
  6. Click Activate Certificate.
    Clicking Activate Certificate begins the process of putting the new Oracle Key Vault CA into use. When it completes, the endpoints should be able to connect to the Oracle Key Vault server using either the new or the old Oracle Key Vault CA. This process may take a few minutes to complete. You cannot cancel the rotation process after you click Activate Certificate.
  7. In the confirmation dialog box, click OK.
    A message appears saying that the automatic certificate update of the endpoints is in progress. In the background, Oracle Key Vault starts regenerating certificates for its endpoints, for a few endpoints at a time (so that not all endpoints are updated at once). To check if the credentials for an endpoint have been updated, click the Check Endpoint Progress button. The Endpoints page appears. If, for a given endpoint, the Common Name of Certificate Issuer field shows the common name of the old CA, the new credentials have not yet been generated. However, if, for existing endpoints, the field shows Updating to Current Certificate Issuer, the process has begun. Endpoints should be able to retrieve updated credentials a few minutes after this status has changed.
    After the new credentials have been generated for a given endpoint, when the endpoint next makes a connection to the Oracle Key Vault server, the new credentials for the certificate are sent to the endpoint. After an endpoint has received its updated credentials from the Oracle Key Vault server, it must try to connect to the Oracle Key Vault server to let the server know that it has successfully received the credentials. When the endpoint succeeds in this, the value in the Common Name of Certificate Issuer field for that endpoint on the Endpoints page should reflect the common name of the new Oracle Key Vault CA certificate.
After all the endpoints have been updated to using the new CA, the Oracle Key Vault server begins the process of fully rotating its own server certificates in the background. The process can be deemed to be complete when the Manage Server Certificate page no longer shows two certificates listed, but only a single one reflecting the new CA certificate. The OKV Server Expiration Date field in the System Settings page should reflect the expiration time of the new CA certificate as well.
After you complete the rotation, you should configure an alert for the next time the new certificate should be rotated. To configure the alert, in the Configure Alerts page, select the check box after OKV Server Certificate Expiration.

13.1.4 Checking the Certificate Rotation Status

You can use the Oracle Key Vault management console to check the status of a certificate rotation.
  1. Log in to Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Endpoints tab.
  3. Select Endpoints.
    On the Endpoints page, the Common Name of Certificate Issuer field shows the status of the rotation process for each endpoint (Updating to Current Certificate Issuer while the update is in progress). When the rotation is complete for an endpoint, the field shows the common name of the new Oracle Key Vault CA.
    If there are errors with the certificate rotation of an endpoint, then Oracle recommends that you re-enroll the endpoint.

13.2 Third Party Certificates

Oracle Key Vault enables you to install a certificate signed by a third-party CA for more secure connections. Users can upload certificates signed by a third-party Certificate Authority (CA) to Key Vault to prove their identity, encrypt the communication channel, and protect the data that is exchanged.

To install a third-party certificate you must generate a certificate request, get it signed by a Certificate Authority (CA), and upload the signed certificate back to Oracle Key Vault.

13.2.1 Download Certificate Request

When you request the certificate, you have the option to suppress the warning messages that the browser shows when it detects a mismatch between the attributes of the server certificate and the attributes of the login session to the Oracle Key Vault management console. See Step 4 of the following procedure to do this.

To generate an Oracle Key Vault certificate request:

  1. Click the System tab, then Console Certificate from the System menu to bring up the Console Certificate page.
  2. Click Generate Certificate Request on the top right to bring up the Generate Certificate Request page.

    Figure 13-1 Generate Certificate Request Page
  3. The first field on this page, Common Name, is automatically populated with the host name of the Oracle Key Vault server. If you want to change this, click Change. This brings you to the System Settings page, where you can change the host name in the Network pane.
  4. Check the box to the left of the text Suppress warnings for IP based URL access if you want to suppress browser warnings for server IP address changes.
  5. Enter the required fields marked with an asterisk, Organization Name and Country/Region. You must enter values for these fields in order to proceed without errors. You may enter values in the rest of the optional fields as needed.
  6. Then click Submit and Download at the top right. This brings up a directory window, where you can save the certificate.csr file. Select a directory and save the file.

13.2.2 Getting Certificate Signed

After you download the Oracle Key Vault certificate.csr file, you may use any out-of-band method to get it signed by a CA of your choice.

You may then upload the signed certificate back to Oracle Key Vault using the management console.

13.2.3 Upload Signed Certificate to Oracle Key Vault

To upload the signed certificate back to Oracle Key Vault:

  1. Click the System tab, then click Console Certificate in the left System menu to bring up the Console Certificate page.
  2. Click Upload Certificate at the top right to bring up the Upload Certificate page.
  3. Click Choose File, which brings up a directory window on your local system. Navigate to the directory where you stored the signed certificate and select it. When you are done, you will see the file name to the right of the text Choose File.
  4. Finally, click Upload at the top right. If the certificate is installed with no errors, you will see its details appear in a new Uploaded Certificate Details panel just below Console Certificate.
  5. You can deactivate the certificate by clicking Deactivate at the top right of the Uploaded Certificate Details section.
  6. When you deactivate the certificate, the Deactivate button is replaced by an Apply Certificate button. Click this button to re-activate the certificate.
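The request, signing and upload procedure in 13.2.1 through 13.2.3, together with the issuer check that underlies the rotation status in 13.1.4, as an added openssl example that is not part of Oracle's documentation or of the Oracle Key Vault product: it generates a key and a certificate.csr carrying the mandatory Common Name, Organization Name and Country/Region fields, stands in for the out-of-band CA with a locally constructed test CA, and then runs the checks worth doing before uploading the signed certificate (the certificate is for the key you requested, it chains to the expected CA, the subject CN still names the host, and the 730-day lifetime is what you think it is). The host name, organization, country and the test CA are all constructed values; the openssl command-line tool and a writable temporary directory are assumed.

```shell
#!/bin/sh
# Added example (not Oracle's code): CSR -> third-party signing -> pre-upload checks
# using the openssl CLI. The CA below is a constructed local test CA standing in for
# the real third-party CA; host name, organization and country are constructed values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="okv.example.com"   # constructed; the console fills in the real host name

# 13.2.1 equivalent: private key plus a request carrying the mandatory fields
# (Common Name = host name, Organization Name, Country/Region).
make_csr() {
  openssl genrsa -out "$WORK/okv.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/okv.key" -out "$WORK/certificate.csr" \
    -subj "/CN=$HOST/O=Example Corp/C=US" 2>/dev/null
}

# 13.2.2 equivalent: the out-of-band signing step, done here by a constructed test CA
# that issues the certificate with the 730-day lifetime the document describes.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -days 3650 -subj "/CN=Test Root CA/O=Example Corp/C=US" 2>/dev/null
  openssl x509 -req -in "$WORK/certificate.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 730 -out "$WORK/okv.crt" 2>/dev/null
}

# Check 1: the CA returned a certificate for the key we generated, not some other key.
csr_key_matches_cert() {
  csr_pub=$(openssl req -in "$WORK/certificate.csr" -noout -pubkey)
  crt_pub=$(openssl x509 -in "$WORK/okv.crt" -noout -pubkey)
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# Check 2: the certificate chains to the CA we expect.
chain_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/okv.crt" >/dev/null 2>&1
}

# Check 3: the subject CN still names the Oracle Key Vault host.
cert_subject_cn() {
  openssl x509 -in "$WORK/okv.crt" -noout -subject -nameopt RFC2253 \
    | grep -o 'CN=[^,]*' | head -n 1 | cut -d= -f2
}

# Issuer CN of any certificate file: the same value the console reports as
# "Common Name of Certificate Issuer" when you check rotation status (13.1.4).
cert_issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
    | grep -o 'CN=[^,]*' | head -n 1 | cut -d= -f2
}

# Check 4: lifetime. Returns 0 if the certificate is still valid $1 days from now.
still_valid_in_days() {
  openssl x509 -in "$WORK/okv.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

run_demo() {
  make_csr
  sign_with_test_ca
  csr_key_matches_cert && echo "key matches CSR"
  chain_verifies && echo "chain verifies against $(cert_issuer_cn "$WORK/ca.crt")"
  echo "subject CN: $(cert_subject_cn)"
  echo "issuer CN:  $(cert_issuer_cn "$WORK/okv.crt")"
  if still_valid_in_days 700; then echo "still valid 700 days from now"; fi
  if ! still_valid_in_days 760; then echo "expired 760 days from now (730-day lifetime)"; fi
}

run_demo
```

Run the script as-is to see the four checks pass against the constructed CA; to vet a real signed certificate, point `$WORK/okv.crt` and `$WORK/ca.crt` at the file the CA returned and the CA's own certificate. The `cert_issuer_cn` function applied to the certificate an endpoint holds, or to one captured from the server, tells you which CA issued it, which is what the Common Name of Certificate Issuer field on the Endpoints page reports after a rotation.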

13.2.4 Notes on Using Third-Party Certificates

You must perform additional steps when you use third-party certificates in the following situations:

  • High Availability

    If you want to use a third-party certificate in a high availability configuration, you must install it on the primary and standby servers first, and then pair them.

  • RESTful Services

    Whenever you install a third-party certificate you must re-download the RESTful software utility in order to use the new certificate.

  • Restore data from a backup

    If you install a third-party certificate, perform a backup, and then restore another Key Vault appliance from that backup, you will have to re-install the third-party certificate on the new appliance in order to use it. The restore process does not copy the third-party certificate.