Managing Certificate Authorities

Use Certificates to create and manage the certificate authorities that issue digital certificates.

Certificate authority (CA) management tasks include the following:

  • Creating a CA
  • Viewing CA details
  • Editing CA details
  • Editing the certificate revocation list (CRL)
  • Issuing a subordinate CA
  • Viewing associations
  • Editing CA rules
  • Renewing a CA to create a new CA version
  • Moving a CA to a different compartment
  • Deleting a CA

Every CA has one or more CA versions. As such, CA management also includes the following tasks specific to CA versions:

  • Viewing CA version bundles
  • Making a CA version the current version of a CA
  • Revoking a CA version (supported for subordinate CAs only)
  • Deleting a CA version

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy (IAM)  by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment  you should work in.

For some operations, the Certificates service also requires resources to have security access not granted by policies that cover users or groups. This section describes how to authorize users as well as resources that must act on other resources.

Step 1: Create a Dynamic Group

Before you configure a policy for working with CAs, you must first create a dynamic group with the following matching rule:
resource.type='certificateauthority'

This matching rule defines a dynamic group that includes all CAs as members. You need this dynamic group in order to authorize CAs to make API calls against other services, as needed. CAs typically need permission to access Oracle Cloud Infrastructure Vault and Oracle Cloud Infrastructure Object Storage resources. For more information about dynamic groups, see Managing Dynamic Groups.

Step 2: Create a Policy for the Dynamic Group

After creating the dynamic group, you create a policy for the dynamic group. In the following policy, the dynamic group has the example name CertificateAuthority-DG. The policy gives members of the dynamic group permission to use Vault keys and to do anything with Object Storage objects in the specified example compartments. This type of policy is referred to as a resource principal policy because it authorizes a resource as a principal actor that can act on other resources.

Allow dynamic-group CertificateAuthority-DG to use keys in compartment DEF
Allow dynamic-group CertificateAuthority-DG to manage objects in compartment XYZ

Step 3: Add a Policy for Administrators

You also need a policy to authorize administrators to access resources. The following policy gives permission to the example group CertificateAuthorityAdmins to do anything with any resources included in the aggregate resource-type certificate-authority-family and to work with required Vault and Object Storage resources in the specified example compartments, as needed. This includes the permissions needed to specify the encryption key for the CA.

Allow group CertificateAuthorityAdmins to manage certificate-authority-family in compartment ABC
Allow group CertificateAuthorityAdmins to read keys in compartment DEF
Allow group CertificateAuthorityAdmins to use key-delegate in compartment DEF
Allow group CertificateAuthorityAdmins to read buckets in compartment XYZ
Allow group CertificateAuthorityAdmins to read vaults in compartment DEF

Together, these statements provide the minimum access needed to complete administrative tasks with certificate authorities, as described later in this topic. For more information about permissions or if you need to write less restrictive policies, see Details for the Certificates Service. If you're new to policies, see Getting Started with Policies and Common Policies.

Using the Console

Creating a Certificate Authority

Use the Console to create a certificate authority (CA).

Creating a CA requires you to have access to an existing hardware-protected, asymmetric encryption key from the Oracle Cloud Infrastructure Vault service. For more information, see Overview of Vault.

You cannot create a subordinate CA unless you already have a root CA.

When you create a CA with a certificate revocation list (CRL), you can specify an Object Storage bucket where you want to store the CRL. The bucket must already exist at the time you create the CA. The bucket must also be a dedicated bucket that you do not use for any other purpose or to store the CRL of any other CA.

You can use the Certificates service to create a root CA or a subordinate CA.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. Click Create Certificate Authority.
  4. Click Compartment, and then choose the compartment where you want to create the CA.
  5. Under Certificate Authority Type, choose the type of CA from the following options:
    • Root Certificate Authority: the CA at the top of the hierarchy in a chain of CAs.
    • Subordinate Certificate Authority: any CA that is not the root CA in a hierarchy containing other CAs.
  6. Click Name, and then enter a display name for the CA. (This name helps you identify the CA for administrative purposes, but does not appear as part of the CA certificate.) Avoid entering confidential information.
  7. (Optional) Click Description, and then enter a description to help identify the CA. (This description helps you identify the CA, but does not appear as part of the CA certificate.) Avoid entering confidential information.
  8. (Optional) To apply tags, click Show Tagging Options. For more information about tags, see Resource Tags.
  9. Click Next.
  10. Provide Subject Information. Subject information includes at least a common name to identify the owner of the CA certificate. Depending on the certificate's intended use, the subject might identify a person, organization, or computer endpoint. The format of the subject information must conform to RFC 5280 standards. You can use wildcards to issue a certificate for multiple domain or subdomain names. When you are ready, click Next.
  11. Provide Authority Configuration information. Optionally, click Not Valid Before, and then specify the UTC time and date when you want to begin using the CA. If you do not specify a date, then the CA validity period begins immediately.
  12. Click Not Valid After, and then specify the date after which the CA can no longer used to issue or validate subordinate CAs or certificates. (You must specify a date at least one day later than the starting date of the validity period. You cannot specify a date beyond December 31, 2037. Values are rounded up to the nearest second.)
  13. If this is a subordinate CA, click Issuer Certificate Authority, and then specify a parent CA to issue this CA. If this is a root CA, continue to the next step instead.
  14. Click Vault, and then choose the vault that contains the encryption key that you want to use for the CA certificate. If needed, click Change Compartment to specify a different compartment.
  15. Click Key, and then choose the key in the vault that you want to use. The list includes only the asymmetric keys in the vault because Certificates only supports asymmetric keys. You can choose from Rivest-Shamir-Adleman (RSA) keys that are 2048 bits or 4096 bits. Or, you can choose from elliptic curve cryptography digital signature algorithm (ECDSA) keys that have an elliptic curve ID of NIST_P384. Specifically, the list includes only these types of asymmetric keys that are protected by a hardware security module (HSM). Certificates does not support the use of software-protected keys.
  16. Click Signing Algorithm, and then choose from one of the following, depending on the key algorithm family:
    • SHA256_WITH_RSA: RSA key with a SHA-256 hash function
    • SHA384_WITH_RSA: RSA key with a SHA-384 hash function
    • SHA512_WITH_RSA: RSA key with a SHA-512 hash function
    • SHA256_WITH_ECDSA: ECDSA key with a SHA-256 hash function
    • SHA384_WITH_ECDSA: ECDSA key with a SHA-384 hash function
    • SHA512_WITH_ECDSA: ECDSA key with a SHA-512 hash function

      When you are ready, click Next.

  17. Configure the Expiry Rule. Click Maximum Validity Duration for Certificates (Days), and then specify the maximum number of days that a certificate issued by this CA can be valid. We strongly recommend a validity period of no more than 90 days.
  18. Click Maximum Validity Duration for Subordinate CA (Days), and then specify the maximum number of days that a CA issued by this CA can be valid to issue other CAs or certificates. When you are ready, click Next.
  19. On the Revocation Configuration page, if you don't want to configure a certificate revocation list (CRL), select the Skip Revocation check box. If you do want to configure certificate revocation, clear the check box, and then specify a dedicated Object Storage Bucket where you will store the CRL. If needed, click Change Compartment to find a bucket in a different compartment.
  20. Click Object Name Format, and then specify the object name. You can include curly braces in the object name to indicate where the service can insert the issuing CA version number. This helps prevent the overwriting of an existing CRL whenever you create a new CA version. For more information about object names, see Object Names.
  21. (Optional) Click Custom Formatted URLs, and then provide the URL that you want to use with APIs to access the object. This URL is named in certificates as the CRL distribution point (CDP). You can include curly braces in the URL to indicate where the service can insert the issuing CA version number. By doing this, you can avoid overwriting an existing CDP whenever you create a new CA version. (You can specify an HTTPS URL only if there are no circular dependencies in the verification of the HTTPS chain.) Then, click Next.
  22. (Optional) If you want to provide an additional CDP, click + Another URL, and then provide another URL where users can access the CRL.
  23. Confirm that the information is correct, and then click Create Certificate Authority.
    It can take a while to create certificate-related resources.
Viewing Certificate Authority Details

Use the Console to view certificate authority (CA) details.

Viewing CA details can help you understand the current overall state of a CA and help you decide what you might want to do with it.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA that you want to view.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. The console displays the following information:
    • OCID: The unique, Oracle-assigned ID of the CA.
    • Key OCID: The unique, Oracle-assigned ID of the key pair that you specified when you created the CA.
    • Created: The date and time when you initially created the certificate.
    • Signature Algorithm: The signature algorithm of the CA certificate key.
    • Certificate Authority Type: Whether the CA is a root CA or a subordinate CA.
    • Compartment: The unique, Oracle-assigned ID of the compartment that contains the certificate.
    • Date of Expiry of Current Version: The date and time when the version marked as the current version is no longer valid.
Editing a Certificate Authority

Use the Console to edit a CA.

You can update any CA properties besides the name and OCID, but you can't update all properties by using the Console. You can only update the CA description by using the Console. If you want to update the current version number, you must do that separately from updates to any other properties. Making a version the current version puts it into active use and involves more than other property changes.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA that you want to update.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. Click Edit Certificate Authority.
  5. Update the existing description, and then click Edit. (Avoid entering confidential information.)
Editing a Certificate Revocation List

Use the Console to edit a certificate revocation list (CRL).

You can edit information about where the CRL is stored or the custom formatted URL configured as the CRL distribution point (CDP).

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA with the CRL that you want to edit.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. Click Edit Revocation Configuration.
  5. Do one or more of the following:
    • Click Object Storage Bucket, and then specify the bucket that stores the CRL. If needed, click Change Compartment to find a bucket in a different compartment.
    • Click Object Name Format, and then specify the object name. You can include curly braces in the object name to indicate where the service can insert the issuing CA version number. This helps prevent the overwriting of an existing CRL whenever you create a new CA version. For more information about object names, see Object Names.
    • Click Custom Formatted URLs, and then provide the URL that you want to use with APIs to access the object. This URL is named in certificates as the CRL distribution point (CDP). You can include curly braces in the URL to indicate where the service can insert the issuing CA version number. By doing this, you can avoid overwriting an existing CDP whenever you create a new CA version. (You can specify an HTTPS URL only if there are no circular dependencies in the verification of the HTTPS chain.)
  6. When you are ready, click Submit.
Issuing a Subordinate Certificate Authority

Use the Console to issue a subordinate certificate authority (CA).

Creating a CA requires you to have access to an existing hardware-protected, asymmetric encryption key from the Oracle Cloud Infrastructure Vault service. For more information, see Overview of Vault.

You cannot create a subordinate CA unless you already have a root CA.

When you create a CA with a certificate revocation list (CRL), you can specify an Object Storage bucket where you want to store the CRL. The bucket must already exist at the time you create the CA.

You can issue a subordinate CA from any other CA as long as you do not exceed the total allowable number of CAs in the tenancy.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA from which you want to issue a subordinate CA.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. Under Resources, click Subordinate Certificate Authorities.
  5. Click Issue Subordinate Certificate Authority.
  6. Click Compartment, and then choose the compartment where you want to create the CA.
  7. Click Name, and then enter a display name for the CA. (This name helps you identify the CA for administrative purposes, but does not appear as part of the CA certificate.) Avoid entering confidential information.
  8. (Optional) Click Description, and then enter a description to help identify the CA. (This description helps you identify the CA, but does not appear as part of the CA certificate.) Avoid entering confidential information.
  9. (Optional) To apply tags, click Show Tagging Options. For more information about tags, see Resource Tags.
  10. Click Next.
  11. Provide Subject Information. Subject information includes at least a common name to identify the owner of the CA certificate. Depending on the certificate's intended use, the subject might identify a person, organization, or computer endpoint. You can use wildcards to issue a certificate for multiple domain or subdomain names. When you are ready, click Next.
  12. Provide Authority Configuration information. Optionally, click Not Valid Before, and then specify the UTC time and date when you want to begin using the CA. If you do not specify a date, then the CA validity period begins immediately.
  13. Click Not Valid After, and then specify the date after which the CA can no longer used to issue or validate subordinate CAs or certificates. (You must specify a date at least one day later than the starting date of the validity period. You cannot specify a date beyond December 31, 2037. Values are rounded up to the nearest second.)
  14. Click Vault, and then choose the vault that contains the encryption key that you want to use for the CA certificate. If needed, click Change Compartment to specify a different compartment.
  15. Click Key, and then choose the key in the vault that you want to use. The list includes only asymmetric keys in the vault because Certificates only supports asymmetric keys. Furthermore, the list only includes keys from the same key algorithm family of the key that the parent CA uses.
  16. Click Signing Algorithm, and then choose from one of the following, depending on the key algorithm family:
    • SHA256_WITH_RSA: Rivest-Shamir-Adleman (RSA) key with a SHA-256 hash function
    • SHA384_WITH_RSA: RSA key with a SHA-384 hash function
    • SHA512_WITH_RSA: RSA key with a SHA-512 hash function
    • SHA256_WITH_ECDSA: Elliptic curve cryptography digital signature algorithm (ECDSA) key with a SHA-256 hash function
    • SHA384_WITH_ECDSA: ECDSA key with a SHA-384 hash function
    • SHA512_WITH_ECDSA: ECDSA key with a SHA-512 hash function

      When you are ready, click Next.

  17. Configure the Expiry Rule. Click Maximum Validity Duration for Certificates (Days), and then specify the maximum number of days that a certificate issued by this CA can be valid. We strongly recommend a validity period of no more than 90 days.
  18. Click Maximum Validity Duration for Subordinate CA (Days), and then specify the maximum number of days that a CA issued by this CA can be valid to issue other CAs or certificates. When you are ready, click Next.
  19. On the Revocation Configuration page, if you don't want to configure a certificate revocation list (CRL), select the Skip Revocation check box. If you do want to configure certificate revocation, clear the check box, and then specify an Object Storage Bucket where you will store the CRL. If needed, click Change Compartment to find a bucket in a different compartment.
  20. Click Object Name Format, and then specify the object name. You can include curly braces in the object name to indicate where the service can insert the issuing CA version number. This helps prevent the overwriting of an existing CRL whenever you create a new CA version. For more information about object names, see Object Names.
  21. (Optional) Click Custom Formatted URLs, and then provide the URL that you want to use with APIs to access the object. This URL is named in certificates as the CRL distribution point (CDP). You can include curly braces in the URL to indicate where the service can insert the issuing CA version number. By doing this, you can avoid overwriting an existing CDP whenever you create a new CA version. (You can specify an HTTPS URL only if there are no circular dependencies in the verification of the HTTPS chain.) Then, click Next.
  22. (Optional) If you want to provide an additional CDP, click + Another URL, and then provide another URL where users can access the CRL.
  23. When you are ready, click Next.
  24. Confirm that the information is correct, and then click Create Certificate Authority.
    It can take a while to create certificate-related resources.
Viewing Certificate Authority Associations

Use the Console to view certificate authority (CA) associations.

Associations let you see which resources in the tenancy are currently using certificates issued by this CA.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA for which you want to view associations.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. Under Resources, click Associations.
Editing Certificate Authority Rules

Use the Console to edit the rules for a certificate authority (CA).

You can edit a CA's expiry rule to change the maximum amount of time that a certificate or subordinate CA issued by the CA is valid. Changes apply only to new certificates and new subordinate CAs that you issue after making the changes. Any previous changes to the expiry rule must be complete and the CA must be in an Active state before you can edit the expiry rule again.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA with the expiry rule that you want to update.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. Under Resources, click Rules, and then click Edit Expiry Rule.
  5. Enter a new value for either or both of the following settings:
    • Maximum Validity Duration for Certificates (Days): The maximum number of days that a certificate issued by this CA can be valid. We strongly recommend a validity period of no more than 90 days.
    • Maximum Validity Duration for Subordinate CA (Days): The maximum number of days that a CA issued by this CA can be valid to issue other CAs or certificates.
  6. Click Submit.
Renewing a Certificate Authority

Use the Console to renew a CA.

Renew a CA to create a new CA version. CA renewals happen manually when you are ready. You cannot automatically renew a CA according to renewal rules.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA for which you want to create a new version.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. Under Resources, click Versions.
  5. Click Renew Certificate Authority.
  6. (Optional) Click Not Valid Before, and then specify the date when you want to begin using the new CA version. If you do not specify a date, then the new CA is valid immediately, although you also need to make it the current version to begin using it.
  7. Click Not Valid After, and then specify the date after which the CA can no longer used to issue or validate subordinate CAs or certificates.
  8. If you want to make the new CA version the current version, clear the Set to Pending check box. To make the new CA version the current version later, leave the check box selected.
  9. When you are ready, click Renew Certificate Authority.
Moving a Certificate Authority

Use the Console to move a certificate authority (CA) from one compartment to another.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA that you want to move.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. Click Move Resource.
  5. Under Choose New Compartment, choose the destination compartment from the list.
  6. When you are ready, click Move Resource.

If there are alarms monitoring the CA, update the alarms to reference the new compartment. For more information, see To update an alarm after moving a resource.

Deleting a Certificate Authority

Use the Console to delete a CA.

You can only delete a CA version with a rotation state of "deprecated." In order for there to be a deprecated version, there must exist a current version and a previous version. Unless you want to delete a CA entirely, you must maintain at least one version of the CA. Furthermore, the CA cannot have any associations, current issued certificates, or subordinate CAs. You must delete all associations as well as certificates and subordinate CAs issued by a given parent CA before you can delete the parent CA.

When you delete a CA, the deletion does not happen immediately. By default, a CA is permanently deleted 30 days after you schedule it for deletion. At minimum, the CA continues to exist for another 7 days.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA that you want to delete.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. Click Delete.
  5. Confirm the deletion by entering the CA name.
  6. Click Select deletion date, and then choose the date when you want to delete the CA permanently.
  7. Click Delete Certificate Authority.
Viewing Certificate Authority Version Bundles

Use the Console to view the CA bundle for a certificate authority (CA) version.

You can view the root and intermediate certificates that comprise the contents of a particular CA version.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA with the CA version for which you want to view the CA bundle.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. Under Resources, click Versions.
  5. Under Versions, locate the CA version with the bundle that you want to view, and then click the Actions icon (three dots) for that CA version.
  6. In the Actions menu, click View Content.
    The Console displays the contents of the bundle, which include all the certificates in the bundle. You can either Copy or Download the contents of the bundle.
  7. When you are finished, click Close.
Making a Certificate Authority Version Current

Use the Console to make a certificate authority (CA) version the current version.

A CA version that’s marked as anything other than 'deprecated' can be marked as 'current' to return it to active use. You cannot make a CA version that is marked as 'deprecated' the current CA version.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA with the CA version that you want to actively use by making it current.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. Under Resources, click Versions.
  5. Under Versions, locate the CA version with the bundle that you want to make current, and then click the Actions icon (three dots) for that certificate version.
  6. In the Actions menu, click Make Current.
  7. Confirm the promotion by clicking Make Current.
Revoking a Certificate Authority Version

Use the Console to revoke a certificate authority (CA) version.

A CA revokes a CA version when the certificate for a CA version becomes invalid before the end of its validity period. The certificate for a CA version might become invalid if the name of its owner changes, if the relationship or association between a certificate subject and the issuing CA changes, or if the private key of the certificate is compromised or suspected to be compromised. Revocations are immediate and you cannot reverse them.

You cannot revoke a CA version for a root CA.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA with the CA version that you want to revoke.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. Under Resources, click Versions.
  5. Under Versions, find the CA version that you want to revoke.
  6. In the Actions menu (three dots) for the CA version, click Revoke Version.
  7. Click Revocation Reason, and then choose the reason why you are revoking the certificate version.
  8. To confirm the revocation, click the text box and enter the CA version number.
  9. Click Revoke Version.
Deleting a Certificate Authority Version

Use the Console to delete a CA version.

You can only delete a CA version with a rotation state of "deprecated." In order for there to be a deprecated version, there must exist a current version and a previous version. Unless you want to delete a CA entirely, you must maintain at least one version of the CA. When you delete a CA version, the deletion does not happen immediately. By default, a CA is permanently deleted 30 days after you schedule it for deletion. At minimum, the CA continues to exist for another 7 days.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. From the list of CAs in the compartment, click the name of the CA with the CA version that you want to delete.

    To find a CA in a different compartment, under List Scope, choose a different compartment.

  4. Under Resources, click Versions.
  5. Locate the deprecated CA version that you want to delete, and then click Delete Version. Confirm the deletion by entering the version number.
  6. Click Select deletion date, and then choose the date when you want to delete the CA version permanently.
  7. Click Delete Version.

Using the Command Line Interface (CLI)

For Certificates, you must use version 3.2.1 of the CLI or later. For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see the Command Line Reference.

Some of the following commands require complex input. For example, updating the revocation configuration of a certificate authority (CA) requires providing the revocation configuration details in JSON format. You can see the expected format of the input by opening a command prompt and running the command with the --generate-full-command-json-input option. For example, to generate the JSON for updating the revocation configuration for a certificate authority (that you issued and manage internally), run the following command:

oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --generate-full-command-json-input

In the output, the following shows how to input the revocation details specifically:

{
  "customFormattedUrls": [
    "string",
    "string"
  ],
  "objectStorageConfig": {
    "objectStorageBucketName": "string",
    "objectStorageNamespace": "string",
    "objectStorageObjectNameFormat": "string"
  }
}
Creating a Certificate Authority

Use the CLI to create a certificate authority (CA).

The command you use depends on whether you want to create a root CA or a subordinate CA. You cannot create a subordinate CA unless you already have a root CA.

Note

Creating a CA requires you to have access to an existing hardware-protected, asymmetric encryption key from the Oracle Cloud Infrastructure Vault service. For more information, see Overview of Vault.

To create a root CA, open a command prompt and run oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details:

oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --compartment-id <compartment_OCID> --name <CA_display_name> --subject <certificate_subject_information> --kms-key-id <Vault_encryption_key_OCID>

For example:

oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --compartment-id ocid1.compartment.oc1..<unique_id> --name myNewCA --subject file://casubject.json --kms-key-id ocid1.key.oc1.<region>.<unique_id>

To create a subordinate CA, open a command prompt and run oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca:

oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <parent_CA_OCID> --name <CA_display_name> --subject <certificate_subject_information> --kms-key-id <Vault_encryption_key_OCID>

For example:

oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name mySubCA --subject file://casubject.json --kms-key-id ocid1.key.oc1.<region>.<unique_id>
Listing Certificate Authorities

Use the CLI to list certificate authorities (CAs).

Open a command prompt and run oci certs-mgmt certificate-authority list to list certificates. You can list all CAs or CAs that meet certain criteria. To list CAs in a particular compartment:

oci certs-mgmt certificate-authority list --compartment-id <compartment_OCID>

For example:

oci certs-mgmt certificate-authority list --compartment-id ocid1.compartment.oc1..<unique_id>

Or, to list CAs that match a specific lifecycle state:

oci certs-mgmt certificate-authority list --lifecycle-state <CA_lifecycle_state>

For example:

oci certs-mgmt certificate-authority list --lifecycle-state ACTIVE
Listing Certificate Authority Versions

Use the CLI to list certificate authority (CA) versions.

Open a command prompt and run oci certs-mgmt certificate-authority-version list to list versions for a given CA.

oci certs-mgmt certificate-authority-version list --certificate-authority-id <CA_OCID>

For example:

oci certs-mgmt certificate-authority-version list --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id>
Viewing Certificate Authority Details

Use the CLI to view certificate authority (CA) details.

Open a command prompt and run oci certs-mgmt certificate-authority get to view a CA's details.

oci certs-mgmt certificate-authority get --certificate-authority-id <CA_OCID>

For example:

oci certs-mgmt certificate-authority get --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id>
Viewing Certificate Authority Version Details

Use the CLI to view certificate authority (CA) version details.

Open a command prompt and run oci certs-mgmt certificate-authority-version get to view a CA version's details.

oci certs-mgmt certificate-authority-version get --certificate-authority-id <CA_OCID> --version-number <version_number>

For example:

oci certs-mgmt certificate-authority-version get --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --version-number 2
Editing a Certificate Authority

Use the CLI to edit a certificate authority (CA).

This topic describes how to edit a CA's description. You can also update a CA's rules and revocation configuration. For information about using the CLI to update a CA's rules, see Editing Certificate Authority Rules. For information about using the CLI to update a CA's revocation configuration, see Editing a Certificate Revocation List.

Furthermore, the command you use to update a CA depends on whether it is a root CA or a subordinate CA.

To edit the description of a root CA, open a command prompt and run oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details:

oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id <CA_OCID> --description <new_description>

For example:

oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --description "my root CA"

To edit the description of a subordinate CA, open a command prompt and run oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca:

oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id <CA_OCID> --description <new_description>

For example:

oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --description "my subordinate CA"
Editing a Certificate Revocation List

Use the CLI to edit the revocation configuration of a certificate authority (CA).

You can edit where the certificate revocation list (CRL) is stored and the custom formatted URL configured as the CRL distribution point (CDP). The command you use depends on whether the CA is a root CA or a subordinate CA.

To edit the revocation configuration of a root CA, open a command prompt and run oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details

oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id <CA_OCID> --certificate-revocation-list-details <CDP_URL_and_CDP_object_storage>

For example:

oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --certificate-revocation-list-details file://revocationconfig.json

To edit the revocation configuration of a subordinate CA, open a command prompt and run oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca:

oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id <CA_OCID> --certificate-revocation-list-details <CDP_URL_and_CDP_object_storage>

For example:

oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --certificate-revocation-list-details file://revocationconfig.json
Viewing Associations

Use the CLI to view certificate, certificate authority (CA), and CA bundle associations.

To see what certificate, CA, and CA bundle associations exist in a given compartment, open a command prompt and run oci certs-mgmt association list:

oci certs-mgmt association list --compartment-id <compartment_OCID>

For example:

oci certs-mgmt association list --compartment-id ocid1.compartment.oc1..<unique_id>

To view the details of a specific association, open a command prompt and run oci certs-mgmt association get

oci certs-mgmt association get --association-id <association_OCID>

For example:

oci certs-mgmt association get --association-id ocid1.certificatesassociation.oc1.<region>.<unique_id>
Editing Certificate Authority Rules

Use the CLI to edit the expiry rules for a certificate authority (CA) to change the maximum amount of time that a certificate or subordinate CA issued by the CA is valid.

The command you use to update a CA's expiry rule depends on whether it is a root CA or a subordinate CA.

Note

Changes apply only to new certificates and new subordinate CAs that you issue after making the changes. Any previous changes to the expiry rule must be complete and the CA must be in an Active state before you can edit the expiry rule again.

To edit the expiry rules for a root CA, open a command prompt and run oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details:

oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id <CA_OCID> --certificate-authority-rules <CA_expiry_rules>

For example:

oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --certificate-authority-rules file://expiryrules.json

To edit the expiry rules for a subordinate CA, open a command prompt and run oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca:

oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id <CA_OCID> --certificate-authority-rules <CA_expiry_rules>

For example:

oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --certificate-authority-rules file://expiryrules.json
Renewing a Certificate Authority

Use the CLI to renew a CA to create a new CA version.

The command you use to renew a CA depends on whether the CA is a root CA or a subordinate CA.

To renew a root CA, open a command prompt and run oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details:

oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id <CA_OCID> --validity <version_validity_period_JSON>

For example:

oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --validity file://validity.json

To renew a subordinate CA, open a command prompt and run oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca:

oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id <CA_OCID> --validity <version_validity_period_JSON>

For example:

oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --validity file://validity.json
Moving a Certificate Authority

Use the CLI to move a certificate authority (CA) from one compartment to another.

Open a command prompt and run oci certs-mgmt certificate-authority change-compartment to move a CA from one compartment to another:

oci certs-mgmt certificate-authority change-compartment --certificate-authority-id <CA_OCID> --compartment-id <new_compartment_OCID>

For example:

oci certs-mgmt certificate-authority change-compartment --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --compartment-id ocid1.compartment.oc1..<unique_id>
Deleting a Certificate Authority

Use the CLI to delete a certificate authority (CA).

You can only delete a CA version with a rotation state of "deprecated." In order for there to be a deprecated version, there must exist a current version and a previous version. Unless you want to delete a CA entirely, you must maintain at least one version of the CA. Furthermore, the CA cannot have any current issued certificates or subordinate CAs. You must delete all certificates and subordinate CAs issued by a given parent CA before you delete the parent CA.

Note

If you do not indicate when to delete the CA, by default, a CA is permanently deleted 30 days after you schedule it for deletion. At minimum, the CA continues to exist for another 7 days.

To schedule the deletion of a CA, open a command prompt and run oci certs-mgmt certificate-authority schedule-deletion:

oci certs-mgmt certificate-authority schedule-deletion --certificate-authority-id <CA_OCID> --time-of-deletion <RFC_3339_timestamp>

For example:

oci certs-mgmt certificate-authority schedule-deletion --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --time-of-deletion 2022-01-01T00:00:00+00:00

To cancel the deletion of a CA, open a command prompt and run oci certs-mgmt certificate-authority cancel-deletion:

oci certs-mgmt certificate-authority cancel-deletion --certificate-authority-id <CA_OCID>

For example:

oci certs-mgmt certificate-authority cancel-deletion ocid1.certificateauthority.oc1.<region>.<unique_id>
Listing Certificate Authority Version Bundles

Use the CLI to list details about certificate authority (CA) versions so you can view version contents.

Open a command prompt and run oci certificates certificate-authority-bundle-version list to list the details for CA versions so you can view the root and intermediate certificates for a CA version:

oci certificates certificate-authority-bundle-version list --certificate-authority-id <CA_OCID>

For example:

oci certificates certificate-authority-bundle-version list --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id>
Viewing Certificate Authority Version Contents

Use the CLI to view the certificate, certificate chain, and details for a certificate authority (CA) version.

Open a command prompt and run oci certificates certificate-authority-bundle get to view the root and intermediate certificates for a CA version:

oci certificates certificate-authority-bundle get --certificate-authority-id <CA_OCID> --version-number <CA_version_number>

For example:

oci certificates certificate-authority-bundle get --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --version-number 3
Making a Certificate Authority Version Current

Use the CLI to make a certificate authority (CA) version the current version.

The command you use to make a CA version the current version depends on whether the CA is a root CA or a subordinate CA.

Note

A CA version that’s marked as anything other than 'deprecated' can be marked as 'current' to return it to active use. You cannot make a CA version that is marked as 'deprecated' the current CA version.

For a root CA, open a command prompt and run oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details to make a CA version the current version:

oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id <CA_OCID> --stage <rotation_state>

For example:

oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --stage CURRENT

For a subordinate CA, open a command prompt and run oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca to make a CA version the current version:

oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id <CA_OCID> --stage <rotation_state>

For example:

oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --stage CURRENT
Revoking a Certificate Authority Version

Use the CLI to revoke a certificate authority (CA) version.

Open a command prompt and run oci certs-mgmt certificate-authority-version revoke to revoke a CA version:

Note

You cannot revoke a CA version for a root CA.
oci certs-mgmt certificate-authority-version revoke --certificate-authority-id <CA_OCID> --version-number <CA_version_number>

For example:

oci certs-mgmt certificate-authority-version revoke --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --version-number 3
Deleting a Certificate Authority Version

Use the CLI to delete a certificate authority (CA) version.

You can only delete a CA version with a rotation state of "deprecated." In order for there to be a deprecated version, there must exist a current version and a previous version. Unless you want to delete a CA entirely, you must maintain at least one version of the CA. When you delete a CA version, the deletion does not happen immediately. By default, a CA is permanently deleted 30 days after you schedule it for deletion. At minimum, the CA continues to exist for another 7 days.

Note

If you do not indicate when to delete the CA, by default, a CA is permanently deleted 30 days after you schedule it for deletion. At minimum, the CA continues to exist for another 7 days.

To schedule a CA version for deletion, open a command prompt and run oci certs-mgmt certificate-authority-version schedule-deletion:

oci certs-mgmt certificate-authority-version schedule-deletion --certificate-authority-id <CA_OCID> --version-number <CA_version_number> --time-of-deletion <RFC_3339_timestamp>

For example:

oci certs-mgmt certificate-authority-version schedule-deletion --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --version-number 3 --time-of-deletion 2022-01-01T00:00:00+00:00

To cancel the deletion of a CA version number, open a command prompt and run oci certs-mgmt certificate-authority-version cancel-deletion

oci certs-mgmt certificate-authority-version cancel-deletion --certificate-authority-id <CA_OCID> --version-number <CA_version_number>

For example:

oci certs-mgmt certificate-authority-version cancel-deletion --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --version-number 3

Using the API