Managing Certificates

Use Certificates to create and manage digital certificates.

Certificate management tasks include the following:

  • Creating a certificate
  • Viewing certificate details
  • Editing a certificate's details
  • Editing a certificate's rules
  • Renewing a certificate to create a new certificate version
  • Viewing associations
  • Moving a certificate to a different compartment
  • Deleting a certificate

Every certificate has one or more certificate versions. As such, certificate management also includes the following tasks specific to certificate versions:

  • Viewing certificate version bundles
  • Making a certificate version the current version of a certificate
  • Revoking a certificate version
  • Deleting a certificate version

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy (IAM) by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment you should work in.

The following policy gives permission to the example group CertificateAdmins to manage certificates and CA bundles. Specifically, the policy gives permission to list any resources included in the aggregate resource-type certificate-authority-family (without access to any confidential information). The policy also gives permission to the example group to work with the resource-type certificate-authority-delegate. (The example group can use any CA in the compartment to sign a certificate, but does not have the ability to create, update, or delete CAs). Lastly, the policy gives permission to the group to do anything with any resources included in the aggregate resource-type leaf-certificate-family. Access is limited to resources in the specified example compartments.

Allow group CertificateAdmins to inspect certificate-authority-family in compartment ABC
Allow group CertificateAdmins to use certificate-authority-delegate in compartment ABC
Allow group CertificateAdmins to manage leaf-certificate-family in compartment ABC

These statements provide the minimum access needed to complete administrative tasks with certificates, as described later in this topic.

You might want to provide access to a group to work with certificates while restricting their ability to create, update, or delete any certificate-related resources. The following policy gives permission to the example group CertificateUsers to read and update certificates and CA bundles. The policy also gives permission to the group to renew certificates. Access is limited to resources in the specified example compartments.

Allow group CertificateUsers to use leaf-certificate-family in compartment DEF
Allow group CertificateUsers to use certificate-authority-delegate in compartment DEF
Allow group CertificateUsers to manage certificate-associations in compartment DEF
Allow group CertificateUsers to inspect certificate-authority-associations in compartment DEF
Allow group CertificateUsers to manage cabundle-associations in compartment DEF

For more information about permissions or if you need to write more or less restrictive policies, see Details for the Certificates Service. If you're new to policies, see Getting Started with Policies and Common Policies.

Using the Console

Creating a Certificate

Use the Console to create a certificate.

There are multiple ways to create a certificate. You can use the Certificates service to issue a certificate, or you can import a certificate issued by a third-party certificate authority (CA). For steps to import a certificate, see Importing a Certificate.

There are also multiple ways to manage a certificate that impact the creation process. When you issue a certificate, you can generate and manage the private key internally by using the same CA to handle everything. Or, you can generate a certificate signing request (CSR) and private key on the server where you plan to install the certificate, and then submit that CSR to a CA to issue a certificate, all while managing the private key externally. This task describes how to issue a certificate that you plan to manage internally. For steps to issue a certificate that you manage externally with a third-party CA, see Creating a Certificate to Manage Externally.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. Click Create Certificate.
  4. Click Compartment, and then choose the compartment where you want to create the certificate. The certificate can exist in the same compartment as the CA or a different one.
  5. Under Certificate Type, to issue a certificate from a Certificates service CA that will also manage the certificate, click Issued by internal CA.
  6. Click Name, and then enter a display name for the certificate. Avoid entering confidential information.
  7. (Optional) Click Description, and then enter a description to help identify the certificate. Avoid entering confidential information.
  8. (Optional) To apply tags, click Show Tagging Options. For more information about tags, see Resource Tags.
  9. Click Next.
  10. Provide Subject Information. Subject information includes at least a common name to identify the owner of the certificate. Depending on the certificate's intended use, the subject might identify a person, organization, or computer endpoint. Subject information can optionally include DNS names or IP addresses as subject alternative names by which the certificate bearer is also known. You can use wildcards to issue a certificate for multiple domain or subdomain names.
  11. (Optional) To add multiple subject alternative names, click + Another Subject Alternative Name, choose the type of address, and then enter the name. When you are ready, click Next.
  12. Click Certificate Profile Type, and then choose from the following certificate profiles based on the certificate's intended use:
    • TLS Server or Client: Presented by a server or client for TLS/SSL connections.
    • TLS Server: Presented by a server for TLS/SSL connections.
    • TLS Client: Presented by a client during TLS/SSL connections.
    • TLS Code Sign: Presented by a program to validate its signature.
  13. To change the CA that issues the certificate, click Issuer Certificate Authority, and then choose a CA. If needed, click Change Compartment, and then choose a different compartment if the CA is in a different compartment from the one you selected for the certificate.
  14. (Optional) Click Not Valid Before, and then enter a date before which the certificate cannot be used to validate the identity of its bearer. If you don't specify a date, then the certificate validity period begins immediately. (Values are rounded up to the nearest second.)
  15. If needed, click Not Valid After, and then change the date after which the certificate is no longer valid proof of the identity of its bearer. (You must specify a date at least one day later than the starting date of the validity period. The date must not exceed the expiration of the issuing CA. You also cannot specify a date beyond December 31, 2037. Values are rounded up to the nearest second.) Typically, certificates are used for the entirety of the period that they are valid unless something happens to require revocation.
  16. If you plan to manage this certificate by using the Certificates service instead of managing it externally, click Key Algorithm, and then choose the algorithm and key length combination that you need for the certificate key pair from the following options:
    • RSA2048: Rivest-Shamir-Adleman (RSA) 2048-bit key
    • RSA4096: RSA 4096-bit key
    • ECDSA_P256: Elliptic curve cryptography digital signature algorithm (ECDSA) key with a P256 curve ID
    • ECDSA_P384: ECDSA key with a P384 curve ID

      When you are ready, click Next.

  17. (Optional) Click Show Additional Fields, and then click Signature Algorithm to choose from one of the following signing algorithms, depending on the key:
    • SHA256_WITH_RSA: Rivest-Shamir-Adleman (RSA) key with a SHA-256 hash function
    • SHA384_WITH_RSA: RSA key with a SHA-384 hash function
    • SHA512_WITH_RSA: RSA key with a SHA-512 hash function
    • SHA256_WITH_ECDSA: Elliptic curve cryptography digital signature algorithm (ECDSA) key with a SHA-256 hash function
    • SHA384_WITH_ECDSA: ECDSA key with a SHA-384 hash function
    • SHA512_WITH_ECDSA: ECDSA key with a SHA-512 hash function
  18. When you are ready, click Next.
  19. To configure automatic renewal of the certificate to avoid disruption in its use, specify the following information:
    • Renewal Interval (Days): how frequently the certificate is renewed
    • Advance Renewal Period (Days): the number of days before the certificate expiration that renewal happens
    When you are done, click Next.
  20. Verify that the information is correct, and then click Create Certificate.
    It can take a while to create certificate-related resources.

Creating a Certificate to Manage Externally

Use the Console to create a certificate.

There are multiple ways to create a certificate. You can use the Certificates service to issue a certificate, or you can import a certificate issued by a third-party certificate authority (CA). For steps to import a certificate, see Importing a Certificate.

There are also multiple ways to manage a certificate that impact the creation process. When you issue a certificate, you can generate and manage the private key internally by using the same CA to handle everything. Or, you can generate a certificate signing request (CSR) and private key on the server where you plan to install the certificate, and then submit that CSR to a CA to issue a certificate, all while managing the private key externally. This task describes how to issue a certificate with a private key that you manage externally. For steps to issue a certificate that you manage internally with a Certificates service CA, see Creating a Certificate.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. Click Create Certificate.
  4. Click Compartment, and then choose the compartment where you want to create the certificate. The certificate can exist in the same compartment as the CA or a different one.
  5. Under Certificate Type, to issue a certificate from a Certificates service CA that will be managed by an external, third-party CA, click Issued by internal CA, managed externally.
  6. Click Name, and then enter a display name for the certificate. Avoid entering confidential information.
  7. (Optional) Click Description, and then enter a description to help identify the certificate. Avoid entering confidential information.
  8. (Optional) To apply tags, click Show Tagging Options. For more information about tags, see Resource Tags.
  9. Click Next.
  10. For certificates that a third-party CA will manage, you do not need to provide subject information. Instead, click Next again.
  11. To change the CA that issues the certificate, click Issuer Certificate Authority, and then choose a CA. If needed, click Change Compartment, and then choose a different compartment if the CA is in a different compartment from the one you selected for the certificate.
  12. (Optional) Click Not Valid Before, and then enter a date before which the certificate cannot be used to validate the identity of its bearer. If you don't specify a date, then the certificate validity period begins immediately. (Values are rounded up to the nearest second.)
  13. If needed, click Not Valid After, and then change the date after which the certificate is no longer valid proof of the identity of its bearer. (You must specify a date at least one day later than the starting date of the validity period. The date must not exceed the expiration of the issuing CA. You also cannot specify a date beyond December 31, 2037. Values are rounded up to the nearest second.) Typically, certificates are used for the entirety of the period that they are valid unless something happens to require revocation.
  14. Under Certificate Signing Request, provide certificate contents by doing one of the following:
    • Click Upload File, and then click Select One to upload the certificate signing request (CSR) as a file in PEM format.
    • Click Paste Content, and then click the text box to paste the certificate contents directly.

      When you are ready, click Next.

  15. You cannot configure automatic renewal for certificates that the Certificates service does not manage. Click Next to continue.
  16. Verify that the information is correct, and then click Create Certificate.

Importing a Certificate

Use the Console to import a certificate.

There are multiple ways to create a certificate. You can use the Certificates service to issue a certificate, or you can import a certificate issued by a third-party certificate authority (CA). This task describes how to import a certificate that you plan to manage by using the Certificates service.

Note

The Certificates service supports the import of certificates with the following key algorithms and sizes:
  • RSA2048
  • RSA4096
  • ECDSA_P256
  • ECDSA_P384

For steps to issue a certificate that you issue and manage internally with the Certificates service, see Creating a Certificate. For steps to issue a certificate that you manage externally with a third-party CA, see Creating a Certificate to Manage Externally.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. Click Create Certificate.
  4. Click Compartment, and then choose the compartment where you want to create the certificate. The certificate can exist in the same compartment as the CA or a different one.
  5. Under Certificate Type, to import a certificate that will be managed by a Certificates service CA, click Imported.
  6. Click Name, and then enter a display name for the certificate. Avoid entering confidential information.
  7. (Optional) Click Description, and then enter a description to help identify the certificate. Avoid entering confidential information.
  8. (Optional) To apply tags, click Show Tagging Options. For more information about tags, see Resource Tags.
  9. Click Next.
  10. For imported certificates, you do not need to provide subject information. Instead, click Next again.
  11. Under Certificate, provide the certificate by doing one of the following:
    • Click Upload File, and then click Select One to upload the certificate as a PEM file.
    • Click Paste Content, and then click the text box that follows to paste the certificate contents directly.
  12. Under Certificate Chain, provide the certificate chain for the imported certificate by doing one of the following:
    • Click Upload File, and then click Select One to upload the certificate chain as a PEM file.
    • Click Paste Content, and then click the text box that follows to paste all the certificates in the chain directly.
  13. Under Private Key, provide the private key from the certificate key pair by doing one of the following:
    • Click Upload File, and then click Select One to upload the private key as a PEM file.
    • Click Paste Content, and then click the text box that follows to paste the private key directly.
  14. (Optional) Click Private Key PEM Passphrase, and then provide the passphrase for the private key.
  15. You cannot configure automatic renewal for certificates that the Certificates service does not manage. Click Next to continue.
  16. Verify that the information is correct, and then click Create Certificate.
    It can take a while to create certificate-related resources.

Viewing Certificate Details

Use the Console to view certificate details.

Viewing certificate details can help you understand the current overall state of a certificate and help you decide what you might want to do with the certificate.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. From the list of certificates in the compartment, click the name of the certificate that you want to view.

    To find a certificate in a different compartment, under List Scope, choose a different compartment.

  4. The Console displays the following information:
    • OCID: The unique, Oracle-assigned ID of the certificate.
    • Compartment: The unique, Oracle-assigned ID of the compartment that contains the certificate.
    • Key Algorithm: The algorithm and key length of the certificate key pair.
    • Certificate Profile Type: The certificate profile that you used to create the certificate, which indicates its use.
    • Certificate Type: The certificate type, which indicates how it was issued.
    • Created: The date and time when you initially created the certificate.
    • Date of Expiry of Current Version: The date and time when the version marked as the current version is no longer valid.
    • Issuer Certificate Authority: The name of the certificate authority (CA) that issued the certificate.

Editing a Certificate

Use the Console to edit a certificate.

From the Console, the only certificate property that you can edit is the certificate description. To update a certificate version, you renew the certificate to create a new certificate version or you make an existing certificate version the current certificate version.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. From the list of certificates in the compartment, click the name of the certificate that you want to update.

    To find a certificate in a different compartment, under List Scope, choose a different compartment.

  4. Click Edit Certificate.
  5. Update the existing description, and then click Edit. (Avoid entering confidential information.)

Editing Certificate Rules

Use the Console to edit a certificate's rules.

You can edit a certificate's renewal rule to change its automatic renewal process at any time. A renewal rule consists of a renewal interval and a renewal period. You configure a renewal rule for a certificate, but the renewal interval is calculated against the current certificate version's expiration date. Any previous changes to the renewal rule must be complete and the certificate must be in an Active state before you can edit the renewal rule again.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. From the list of certificates in the compartment, click the name of the certificate with the renewal rule that you want to update.

    To find a certificate in a different compartment, under List Scope, choose a different compartment.

  4. Under Resources, click Rules, and then click Edit Renewal Rule.
  5. Enter a new value for either or both of the following settings:
    • Renewal Interval (Days): The frequency with which the certificate is automatically renewed. Specify at least 1 day, and no later than 1 day before the expiration date of the current certificate version. You cannot specify an interval that allows the certificate to expire before it is renewed.
    • Advance Renewal Period (Days): The period in advance of the certificate expiration when the certificate is renewed. Specifying a renewal period ensures that the renewal is complete before the certificate expires.

    If you change the renewal interval to a period of time shorter than the renewal period, the service automatically updates the renewal period accordingly.

  6. Click Submit.

Renewing a Certificate

Use the Console to renew a certificate that you both issued internally and manage internally.

Renewing a certificate creates a new certificate version. A new certificate version has new certificate contents and a new validity period. The length of the new certificate version's validity period is derived from the validity period you specified when you initially created the certificate.

You can renew certificates that you issue internally and then also manage internally. You cannot renew imported certificates and certificates with a private key that you manage externally. For imported certificates and certificates with a private key that you manage externally, the service cannot automatically renew the certificate, but you can update the certificate with a new PEM signed by the issuing third-party CA.

Older certificate versions are not automatically deleted when you create new certificate versions. You might need to periodically delete certificate versions to avoid reaching service limits. If you reach service limits for certificates or certificate versions in a certificate, you cannot create new certificate versions, including through automatic renewal.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. From the list of certificates in the compartment, click the name of the certificate that you want to update.

    To find a certificate in a different compartment, under List Scope, choose a different compartment.

  4. Under Versions, click Renew Certificate.
  5. If you want the certificate to be valid immediately (and replace the existing certificate version as the current version), leave Not Valid Before blank. If you want the new certificate version to become valid at a later date, click Not Valid Before and specify the date.
  6. Click Not Valid After and specify the date after which the certificate is no longer valid. When a certificate expires, unless it is configured with automatic renewal to create a new certificate version, it can no longer be used.
  7. For imported certificates only, you must also provide a new certificate signing request (CSR) by doing one of the following:
    • Click Upload File, and then click Select One to upload the CSR as a PEM file.
    • Click Paste Content, and then click the text box that follows to paste the PEM file contents directly.
  8. (Optional) By default, renewing a certificate makes it the current certificate version. To create the certificate version without putting it directly into active use, select the Set to Pending check box.
  9. Click Renew Certificate.

Viewing Certificate Associations

Use the Console to view certificate associations.

Associations let you see which resources in the tenancy are currently using this certificate.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. From the list of certificates in the compartment, click the name of the certificate for which you want to view associations.

    To find a certificate in a different compartment, under List Scope, choose a different compartment.

  4. Under Resources, click Associations.

Moving a Certificate

Use the Console to move a certificate from one compartment to another.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. From the list of certificates in the compartment, click the name of the certificate that you want to move.

    To find a certificate in a different compartment, under List Scope, choose a different compartment.

  4. Click Move Resource.
  5. Under Choose New Compartment, choose the destination compartment from the list.
  6. When you are ready, click Move Resource.

If there are alarms monitoring the certificate, update the alarms to reference the new compartment. For more information, see To update an alarm after moving a resource.

Deleting a Certificate

Use the Console to delete a certificate.

You can only delete a certificate version with a rotation state of "deprecated." In order for there to be a deprecated version, there must exist a current version. Unless you want to delete a certificate entirely, you must maintain at least one version of the certificate. Furthermore, the certificate cannot have any associations. You must delete all associations before you can delete the certificate.

When you delete a certificate, the certificate is not immediately deleted. By default, a certificate is permanently deleted 30 days after you schedule it for deletion. At minimum, 1 day must elapse before the certificate is permanently deleted.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. From the list of certificates in the compartment, click the name of the certificate that you want to delete.

    To find a certificate in a different compartment, under List Scope, choose a different compartment.

  4. Click Delete.
  5. Confirm the deletion by entering the certificate name.
  6. Click Select deletion date, and then choose the date when you want to delete the certificate permanently.
  7. Click Delete Certificate.

Viewing a Certificate Version Bundle

Use the Console to view a certificate version bundle.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. From the list of certificates in the compartment, click the name of the certificate with the certificate version bundle that you want to view.

    To find a certificate in a different compartment, under List Scope, choose a different compartment.

  4. Under Versions, locate the certificate version with the bundle that you want to view, and then click the Actions icon (three dots) for that certificate version.
  5. In the Actions menu, click View Content.
    The Console displays the contents of the bundle, which include all the certificates in the bundle. You can either Copy or Download the contents. You cannot use the Console to view or download the private key. If you want to view the private key, you must view the certificate version bundle by using the CLI. For more information, see Viewing a Certificate Version's Contents (Including the Private Key).
  6. When you are finished, click Close.

Making a Certificate Version Current

Use the Console to make a certificate version the current version.

A certificate version that's marked as anything other than "deprecated" can be marked as "current" to return it to active use. You cannot make a certificate version that is marked as "deprecated" the current certificate version.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. From the list of certificates in the compartment, click the name of the certificate with the certificate version that you want to actively use by making it current.

    To find a certificate in a different compartment, under List Scope, choose a different compartment.

  4. Under Resources, click Versions.
  5. Under Versions, locate the certificate version that you want to make current, and then click the Actions icon (three dots) for that certificate version.
  6. In the Actions menu, click Make Current.
  7. Confirm the promotion by clicking Make Current.

Revoking a Certificate Version

Use the Console to revoke a certificate version.

A CA revokes a certificate version when the certificate version becomes invalid before the end of its validity period. A certificate version might become invalid if the name of its owner changes, if the relationship or association between a certificate subject and the issuing CA changes, or if the private key of the certificate is compromised or suspected to be compromised. Revocations are immediate and you cannot reverse them.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. From the list of certificates in the compartment, click the name of the certificate with the certificate version that you want to revoke.

    To find a certificate in a different compartment, under List Scope, choose a different compartment.

  4. Under Versions, find the certificate version that you want to revoke.
  5. In the Actions menu (three dots) for the certificate version, click Revoke Version.
  6. Click Revocation Reason, and then choose the reason why you are revoking the certificate version.
  7. To confirm the revocation, click the text box and enter the certificate version number.
  8. Click Revoke Version.

Deleting a Certificate Version

Use the Console to delete a certificate version.

You can only delete a certificate version with a rotation state of "deprecated." In order for there to be a deprecated version, there must exist a current version. Unless you want to delete a certificate entirely, you must maintain at least one version of the certificate. When you delete a certificate version, the version is not immediately deleted. By default, a certificate version is permanently deleted 30 days after you schedule it for deletion. At minimum, 1 day must elapse before the certificate version is permanently deleted.

  1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. From the list of certificates in the compartment, click the name of the certificate with the certificate version that you want to delete.

    To find a certificate in a different compartment, under List Scope, choose a different compartment.

  4. Under Versions, find the certificate version that you want to delete.
  5. In the Actions menu (three dots) for the certificate version, click Delete Version.
  6. Confirm the deletion by entering the certificate version number.
  7. Click Select Deletion Date, and then choose the date when you want to delete the certificate version permanently.
  8. Click Delete Version.

Using the Command Line Interface (CLI)

For Certificates, you must use version 3.2.1 of the CLI or later. For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see the Command Line Reference.

Some of the following commands require complex input. For example, updating a certificate's renewal rules requires providing the renewal rule in JSON format. You can see the expected format of the input by opening a command prompt and running the command with the --generate-full-command-json-input option. For example, to generate the JSON for updating the renewal rules for a certificate (that you issued and manage internally), run the following command:

oci certs-mgmt certificate update-certificate-managed-internally --generate-full-command-json-input

In the output, the following shows how to input the renewal rules specifically:

{
  "certificateRules": [
    [
      {
        "advanceRenewalPeriod": "string",
        "renewalInterval": "string",
        "ruleType": "CERTIFICATE_RENEWAL_RULE"
      }
    ]
  ]
}
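The renewal-rule constraints from Editing Certificate Rules and the certificateRules JSON shape above, worked through in an added Python example that is not part of the OCI documentation or the CLI. It assumes the two periods are ISO 8601 day durations such as "P30D", that the generated input carries the target certificate as "certificateId", and that the file is passed with --from-json; compare the output against the template your CLI version generates before using it.

```python
"""Build and sanity-check a certificate renewal rule for the OCI CLI.

Added illustrative code, not from the OCI documentation or the CLI. It
applies the constraints the page states for Renewal Interval and Advance
Renewal Period and emits the "certificateRules" object shown by
--generate-full-command-json-input.

Assumptions (not stated on the page): the two periods are ISO 8601 day
durations such as "P30D", the generated file names the target certificate
as "certificateId", and the file is passed to the CLI with --from-json.
"""
import json
from datetime import date, timedelta


def renewal_rule_problems(renewal_interval_days, advance_renewal_days,
                          current_version_expiry, today):
    """Return the constraint violations for a proposed rule (empty if acceptable).

    Dates are ISO strings (YYYY-MM-DD); the Console works in whole days.
    """
    expiry = date.fromisoformat(current_version_expiry)
    now = date.fromisoformat(today)
    problems = []
    if renewal_interval_days < 1:
        problems.append("renewal interval must be at least 1 day")
    if advance_renewal_days < 0:
        problems.append("advance renewal period cannot be negative")
    # The interval is measured against the current version's expiry, and the
    # renewal must land no later than 1 day before that date, so the
    # certificate can never lapse unrenewed.
    latest_renewal = expiry - timedelta(days=1)
    if now + timedelta(days=renewal_interval_days) > latest_renewal:
        problems.append(
            f"a {renewal_interval_days}-day interval from {today} falls after "
            f"{latest_renewal}, so the current version would expire before renewal")
    return problems


def build_renewal_rule(renewal_interval_days, advance_renewal_days,
                       current_version_expiry, today):
    """Validate the inputs and return the rule in the CLI's JSON shape."""
    problems = renewal_rule_problems(renewal_interval_days, advance_renewal_days,
                                     current_version_expiry, today)
    if problems:
        raise ValueError("; ".join(problems))
    # If the interval is shorter than the advance period, the service shortens
    # the period to match; doing it here keeps the file equal to what is stored.
    advance = min(advance_renewal_days, renewal_interval_days)
    return {
        "ruleType": "CERTIFICATE_RENEWAL_RULE",
        "renewalInterval": f"P{renewal_interval_days}D",  # assumed ISO 8601 form
        "advanceRenewalPeriod": f"P{advance}D",
    }


def render_update_input(certificate_id, rule):
    """Serialize the --from-json input for update-certificate-managed-internally."""
    return json.dumps({"certificateId": certificate_id,  # assumed key name
                       "certificateRules": [rule]}, indent=2)


if __name__ == "__main__":
    # Constructed values: current version expiring 2030-01-01, reviewed on 2029-10-01.
    rule = build_renewal_rule(30, 7, "2030-01-01", "2029-10-01")
    print(render_update_input("ocid1.certificate.oc1.<region>.<unique_id>", rule))
    # Save the output as rule.json, then (assumed invocation):
    #   oci certs-mgmt certificate update-certificate-managed-internally --from-json file://rule.json
```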

Creating a Certificate

Use the CLI to create a certificate issued by the Certificates service.

Open a command prompt and run oci certs-mgmt certificate create-certificate-issued-by-internal-ca to create a certificate issued by the Certificates service:

oci certs-mgmt certificate create-certificate-issued-by-internal-ca --certificate-profile-type <certificate_usage_profile> --compartment-id <compartment_OCID> --issuer-certificate-authority-id <issuing_CA_OCID> --name <certificate_name> --subject <subject_information>

For example:

oci certs-mgmt certificate create-certificate-issued-by-internal-ca --certificate-profile-type TLS_SERVER_OR_CLIENT --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name internalCert --subject file://certsubject.json

Creating a Certificate to Manage Externally

Use the CLI to create a certificate with a private key that you manage externally.

Open a command prompt and run oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca to create a certificate with a private key that you plan to manage externally:

oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <issuing_CA_OCID> --name <certificate_name> --csr-pem <certificate_signing_request_file>

For example:

oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name externalCert --csr-pem file://externalcert.pem
Importing a Certificate

Use the CLI to import a certificate.

Open a command prompt and run oci certs-mgmt certificate create-by-importing-config to import a certificate issued by a third-party certificate authority (CA) that you plan to manage by using the Certificates service:

Note

The Certificates service supports the import of certificates with the following key sizes:
  • RSA2048
  • RSA4096
  • ECDSA_P256
  • ECDSA_P384

oci certs-mgmt certificate create-by-importing-config --compartment-id <compartment_OCID> --cert-chain-pem <certificate_chain_contents_file> --cert-pem <certificate_contents_file> --name <certificate_name> --private-key-pem <private_key_file>

For example:

oci certs-mgmt certificate create-by-importing-config --compartment-id ocid1.compartment.oc1..<unique_id> --cert-chain-pem file://certchain.pem --cert-pem file://leafcert.pem --name importedCert --private-key-pem file://privatekey.pem
Listing Certificates

Use the CLI to list certificates.

Open a command prompt and run oci certs-mgmt certificate list to list certificates. You can list all certificates or certificates that meet certain criteria. To list certificates in a particular compartment:

oci certs-mgmt certificate list --compartment-id <compartment_OCID>

For example:

oci certs-mgmt certificate list --compartment-id ocid1.compartment.oc1..<unique_id>

Or, to list certificates that match a specific lifecycle state:

oci certs-mgmt certificate list --lifecycle-state <certificate_lifecycle_state>

For example:

oci certs-mgmt certificate list --lifecycle-state ACTIVE
Listing Certificate Versions

Use the CLI to list certificate versions.

Open a command prompt and run oci certs-mgmt certificate-version list to list certificate versions for a given certificate.

oci certs-mgmt certificate-version list --certificate-id <certificate_OCID>

For example:

oci certs-mgmt certificate-version list --certificate-id ocid1.certificate.oc1.<region>.<unique_ID>
Viewing Certificate Details

Use the CLI to view a certificate's details.

Open a command prompt and run oci certs-mgmt certificate get to view a certificate's details to see its current overall state:

oci certs-mgmt certificate get --certificate-id <certificate_OCID>

For example:

oci certs-mgmt certificate get --certificate-id ocid1.certificate.oc1.<region>.<unique_ID>
Viewing Certificate Version Details

Use the CLI to view certificate version details.

Open a command prompt and run oci certs-mgmt certificate-version get to view a certificate version's details.

oci certs-mgmt certificate-version get --certificate-id <certificate_OCID> --version-number <version_number>

For example:

oci certs-mgmt certificate-version get --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --version-number 3
Editing a Certificate

Use the CLI to edit a certificate.

This topic describes how to update a certificate's description. You can also update a certificate's rules. For information about using the CLI to update a certificate's rules, see Editing Certificate Rules.

If you issued and manage the certificate internally, you can also update a certificate's version number. For information about updating a certificate version number, see Making a Certificate Version Current. For information about updating a certificate's contents to create a new version number, see Renewing a Certificate.

To update the description of any certificate, open a command prompt and run oci certs-mgmt certificate update:

oci certs-mgmt certificate update --certificate-id <certificate_OCID> --description <new_description>

For example:

oci certs-mgmt certificate update --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --description "new certificate description"
Editing Certificate Rules

Use the CLI to edit a certificate's rules to change its automatic renewal process.

The command you use to update a certificate's renewal rule depends on how you created the certificate. Furthermore, any previous changes to the renewal rule must be complete and the certificate must be in an Active state before you can edit the renewal rule again.

To change the renewal rule for a certificate that you issued and manage internally, open a command prompt and run oci certs-mgmt certificate update-certificate-managed-internally:

Note

When specifying the advance renewal period and renewal interval, use the format P<number>D, replacing the number variable with the desired number of days. Also, although you configure a renewal rule for a certificate, the renewal interval is calculated against the current certificate version's expiration date.

oci certs-mgmt certificate update-certificate-managed-internally --certificate-id <certificate_OCID> --certificate-rules <renewal_rule_JSON>

For example:

oci certs-mgmt certificate update-certificate-managed-internally --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --certificate-rules file://renewalrule.json

To change the renewal rule for a certificate that you issued internally but whose private key you manage externally, open a command prompt and run oci certs-mgmt certificate update-certificate-managed-externally:

oci certs-mgmt certificate update-certificate-managed-externally --certificate-id <certificate_OCID> --csr-pem <certificate_signing_request> --certificate-rules <renewal_rule_JSON>

For example:

oci certs-mgmt certificate update-certificate-managed-externally --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --csr-pem file://externalcert.pem --certificate-rules file://renewalrule.json

To change the renewal rule for a certificate that you imported, open a command prompt and run oci certs-mgmt certificate update-certificate-by-importing-config-details:

oci certs-mgmt certificate update-certificate-by-importing-config-details --certificate-id <certificate_OCID> --cert-chain-pem <certificate_chain_contents_file> --cert-pem <certificate_contents_file> --private-key-pem <private_key_file> --certificate-rules <renewal_rule_JSON>

For example:

oci certs-mgmt certificate update-certificate-by-importing-config-details --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --cert-chain-pem file://certchain.pem --cert-pem file://leafcert.pem --private-key-pem file://privatekey.pem --certificate-rules file://renewalrule.json
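The renewalrule.json file that the three update commands above (and the generated template at the top of this section) refer to is never shown. The following added example, which is not part of the OCI documentation, builds that file after checking both periods against the P<number>D format the note requires; it assumes the file holds a JSON array with one rule object using the field names from the generated template, and the "advance period shorter than interval" check is a local sanity check, not a service rule.

```shell
#!/bin/sh
# Added example (not from the OCI documentation): build the file passed as
# --certificate-rules file://renewalrule.json after validating both periods.
#
# Assumption: the file contains a JSON array with one rule object whose fields
# are the ones shown in the generated template (advanceRenewalPeriod,
# renewalInterval, ruleType).

# Return 0 when $1 is a day-count period such as P30D, 1 otherwise.
is_day_period() {
    printf '%s\n' "$1" | grep -Eq '^P[0-9]+D$'
}

# Strip the leading P and trailing D so the day count can be compared numerically.
period_days() {
    printf '%s\n' "$1" | sed 's/^P//; s/D$//'
}

# renewal_rule_json ADVANCE_PERIOD RENEWAL_INTERVAL
# Prints the rule array on stdout. Returns 1 (printing nothing on stdout) when a
# period is malformed or the advance period is not shorter than the interval;
# the second check is a local sanity check added here, not a rule of the service.
renewal_rule_json() {
    adv="$1"; interval="$2"
    is_day_period "$adv" || { echo "bad advanceRenewalPeriod: $adv" >&2; return 1; }
    is_day_period "$interval" || { echo "bad renewalInterval: $interval" >&2; return 1; }
    if [ "$(period_days "$adv")" -ge "$(period_days "$interval")" ]; then
        echo "advance period must be shorter than the renewal interval" >&2
        return 1
    fi
    printf '[{"advanceRenewalPeriod":"%s","renewalInterval":"%s","ruleType":"CERTIFICATE_RENEWAL_RULE"}]\n' "$adv" "$interval"
}

# write_renewal_rule_file ADVANCE_PERIOD RENEWAL_INTERVAL [PATH]
# Writes the array to PATH (default renewalrule.json) and removes the file
# again if validation fails, so a half-written file is never passed to the CLI.
write_renewal_rule_file() {
    out="${3:-renewalrule.json}"
    renewal_rule_json "$1" "$2" > "$out" || { rm -f "$out"; return 1; }
}
```

Run write_renewal_rule_file P30D P90D in the directory from which you invoke the CLI, then pass --certificate-rules file://renewalrule.json as in the examples above.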
Renewing a Certificate

Use the CLI to renew a certificate to create a new certificate version with new certificate contents and a new validity period.

Note

You can only renew a certificate that you both issued internally and manage internally. For imported certificates and certificates with a private key that you manage externally, the service cannot automatically renew the certificate, but you can update the certificate with a new PEM signed by the issuing third-party CA.

Open a command prompt and run oci certs-mgmt certificate update-certificate-managed-internally to renew a certificate:

oci certs-mgmt certificate update-certificate-managed-internally --certificate-id <certificate_OCID> --validity <version_validity_period_JSON>

For example:

oci certs-mgmt certificate update-certificate-managed-internally --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --validity file://validity.json
Viewing Associations

Use the CLI to view certificate, certificate authority (CA), and CA bundle associations.

To see what certificate, CA, and CA bundle associations exist in a given compartment, open a command prompt and run oci certs-mgmt association list:

oci certs-mgmt association list --compartment-id <compartment_OCID>

For example:

oci certs-mgmt association list --compartment-id ocid1.compartment.oc1..<unique_id>

To view the details of a specific association, open a command prompt and run oci certs-mgmt association get:

oci certs-mgmt association get --association-id <association_OCID>

For example:

oci certs-mgmt association get --association-id ocid1.certificatesassociation.oc1.<region>.<unique_id>
Moving a Certificate

Use the CLI to move a certificate from one compartment to another.

Open a command prompt and run oci certs-mgmt certificate change-compartment to move a certificate from one compartment to another:

oci certs-mgmt certificate change-compartment --certificate-id <certificate_OCID> --compartment-id <new_compartment_OCID>

For example:

oci certs-mgmt certificate change-compartment --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --compartment-id ocid1.compartment.oc1..<unique_id>
Deleting a Certificate

Use the CLI to delete a certificate.

Open a command prompt and run oci certs-mgmt certificate schedule-deletion to schedule a certificate for deletion:

Note

If you do not indicate when to delete the certificate, by default, a certificate is automatically scheduled for deletion in 30 days. At minimum, 1 day must elapse before a certificate is permanently deleted.

oci certs-mgmt certificate schedule-deletion --certificate-id <certificate_OCID> --time-of-deletion <RFC_3339_timestamp>

For example:

oci certs-mgmt certificate schedule-deletion --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --time-of-deletion 2022-01-01T00:00:00+00:00

Open a command prompt and run oci certs-mgmt certificate cancel-deletion to cancel the scheduled deletion of a certificate:

oci certs-mgmt certificate cancel-deletion --certificate-id <certificate_OCID>

For example:

oci certs-mgmt certificate cancel-deletion --certificate-id ocid1.certificate.oc1.<region>.<unique_ID>
Listing Certificate Version Bundles

Use the CLI to list the details of certificate versions so you can view version contents.

Open a command prompt and run oci certificates certificate-bundle-version list to list the details for certificate versions so you can view the certificate and certificate chain for a certificate version:

oci certificates certificate-bundle-version list --certificate-id <certificate_OCID>

For example:

oci certificates certificate-bundle-version list --certificate-id ocid1.certificate.oc1.<region>.<unique_ID>
Viewing a Certificate Version's Contents (Including the Private Key)

Use the CLI to view a certificate version's certificate, certificate chain, and details.

To view the certificate and certificate chain for a certificate version, open a command prompt and run oci certificates certificate-bundle get:

oci certificates certificate-bundle get --certificate-id <certificate_OCID> --version-number <certificate_version_number>

For example:

oci certificates certificate-bundle get --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --version-number 1

To view the private key along with the rest of the certificate version's contents, open a command prompt and run oci certificates certificate-bundle get:

oci certificates certificate-bundle get --certificate-id <certificate_OCID> --bundle-type <bundle_type>

For example:

oci certificates certificate-bundle get --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --bundle-type CERTIFICATE_CONTENT_WITH_PRIVATE_KEY
Making a Certificate Version Current

Use the CLI to make a certificate version the current version, putting it into active use.

To make a certificate version the current version, open a command prompt and run oci certs-mgmt certificate update:

oci certs-mgmt certificate update --certificate-id <certificate_OCID> --current-version-number <version_number_to_make_current> --stage <rotation_state>

For example:

oci certs-mgmt certificate update --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --current-version-number 3 --stage CURRENT
Revoking a Certificate Version

Use the CLI to revoke a certificate version.

Open a command prompt and run oci certs-mgmt certificate-version revoke to revoke a certificate version:

oci certs-mgmt certificate-version revoke --certificate-id <certificate_OCID> --version-number <certificate_version_number>

For example:

oci certs-mgmt certificate-version revoke --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --version-number 2
Deleting a Certificate Version

Use the CLI to delete a certificate version.

To schedule the deletion of a certificate version, open a command prompt and run oci certs-mgmt certificate-version schedule-deletion:

oci certs-mgmt certificate-version schedule-deletion --certificate-id <certificate_OCID> --version-number <certificate_version_number>

For example:

oci certs-mgmt certificate-version schedule-deletion --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --version-number 2

To cancel the deletion of a certificate version, open a command prompt and run oci certs-mgmt certificate-version cancel-deletion:

oci certs-mgmt certificate-version cancel-deletion --certificate-id <certificate_OCID> --version-number <certificate_version_number>

For example:

oci certs-mgmt certificate-version cancel-deletion --certificate-id ocid1.certificate.oc1.<region>.<unique_ID> --version-number 2

Using the API