In addition to Oracle Key Vault-generated certificates, you can manage third-party certificates.
You can rotate Oracle Key Vault-generated certificates by using the Oracle Key Vault management console.
The certificate rotation process captures all certificates in the Oracle Key Vault server. It does not capture third-party certificates.
A certificate in Oracle Key Vault lasts 730 days. If you do not rotate the certificate (both server and endpoint certificates), then the endpoints that use the certificate cannot connect to the Oracle Key Vault server. When this happens, you must re-enroll the endpoint. To avoid this scenario, you can configure an alert to remind you to rotate the certificate before the 730-day limit is up. The rotation process handles the rotation for all certificates in one operation. You can find how much time the Oracle Key Vault server certificate has before it expires by checking the OKV Server Certificate Expiration setting on the Configure Alerts page in the Oracle Key Vault management console. To find the expiry time of the endpoints' certificates, you must navigate to the Endpoints page and check the Certificate Expires field.
If you have a high availability configuration, then Oracle Key Vault automatically synchronizes the certificates in both systems. You do not have to perform any extra configuration.
Oracle Key Vault provides advice on the best ways to rotate certificates.
Oracle Key Vault enables you to install a certificate signed by a third-party CA for more secure connections. Users can upload certificates signed by a third-party Certificate Authority (CA) to Key Vault to prove their identity, encrypt the communication channel, and protect the data that is exchanged.
To install a third-party certificate, you must generate a certificate request, get it signed by a Certificate Authority (CA), and upload the signed certificate back to Oracle Key Vault.
When you request the certificate, you have the option to suppress the warning messages that the browser displays when it detects a mismatch between the attributes of the server certificate and the attributes of the login session to the Oracle Key Vault management console. See Step 4 of the download certificate request to do this.
To generate an Oracle Key Vault certificate request:
After you download the Oracle Key Vault certificate.csr file, you may use any out-of-band method to get it signed by a CA of your choice.
You may then upload the signed certificate back to Oracle Key Vault using the management console.
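Because the signing step happens out of band, it is worth confirming that the file the CA returned belongs to the request you downloaded, chains to the CA you used, and is not close to expiry before you upload it. The following bash functions are an added example, not Oracle's code: only certificate.csr is a name from this page, every other file name is an assumption, and make_demo_material builds constructed stand-ins (a throwaway CA, a request, one matching and one mismatched certificate) so the check can be tried offline with the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example: checks to run on a CA-signed certificate before uploading it.
# Only certificate.csr is a name from the page; all other file names are assumed.

# check_signed_cert CSR CERT CA_BUNDLE [MIN_DAYS]
# Returns 0 = ok, 2 = unreadable input, 3 = public key mismatch,
#         4 = chain failure, 5 = expires within MIN_DAYS (default 30).
check_signed_cert() {
  local csr=$1 cert=$2 ca=$3 min_days=${4:-30} csr_key cert_key
  # The certificate must carry the same public key as the downloaded request.
  csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 2
  cert_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  if [ -z "$csr_key" ] || [ "$csr_key" != "$cert_key" ]; then
    echo "public key in $cert does not match $csr" >&2; return 3
  fi
  # The certificate must chain to the CA the request was sent to.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
    echo "$cert does not verify against $ca" >&2; return 4; }
  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || {
    echo "$cert expires in under $min_days days" >&2; return 5; }
}

# Constructed demo material written to directory $1. signed.pem answers
# certificate.csr; wrong.pem is issued for a different key, standing in for a
# mixed-up CA response. The request key is generated locally only for the demo.
make_demo_material() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=okv.example.test" \
    -keyout "$d/okv.key" -out "$d/certificate.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/certificate.csr" -days 365 -CA "$d/ca.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/signed.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=okv.example.test" \
    -keyout "$d/other.key" -out "$d/other.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/other.csr" -days 365 -CA "$d/ca.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/wrong.pem" 2>/dev/null
}
```

With real files, call `check_signed_cert certificate.csr <signed certificate> <CA bundle>` and upload only when it returns 0.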
To upload the signed certificate back to Oracle Key Vault:
You must perform additional steps when you use third-party certificates in the following situations:
High Availability
If you want to use a third-party certificate in a high availability configuration, you must install it on the primary and standby servers first, and then pair them.
RESTful Services
Whenever you install a third-party certificate, you must re-download the RESTful software utility in order to use the new certificate.
Restore data from a backup
If you install a third-party certificate, perform a backup, and then restore another Key Vault appliance from that backup, you will have to re-install the third-party certificate on the new appliance in order to use it. The restore process does not copy the third-party certificate.