Overview of Certificates
Oracle Cloud Infrastructure Certificates provides organizations with certificate issuance, storage, and management capabilities, including revocation and automatic renewal. If you have a third-party certificate authority (CA) that you already use, you can import certificates issued by that CA for use in an Oracle Cloud Infrastructure tenancy. Integration with Oracle Cloud Infrastructure Load Balancer lets you seamlessly associate a TLS certificate issued or managed by Certificates with resources that need certificates.
The Certificates service lets you create and manage the following resources:
- Certificate authorities (CAs)
- Certificates
- CA bundles
You can use the Certificates service to exercise the following lifecycle management features for CAs, certificates, and CA bundles, helping you to control these resources and access to them:
- Create CAs (including root or subordinate CAs), certificates, or CA bundles
- Import certificates issued externally by a third-party CA
- Update CA, certificate, or CA bundle metadata
- Renew CAs or certificates, or update CA bundles, with new certificate contents
- Delete CAs, certificates, or CA bundles when you no longer need them
- Configure rules regarding how long the CAs and certificates issued by a CA are valid
- Configure rules to automatically renew certificates
- Specify which version of a CA, certificate, or CA bundle is current
- Revoke a CA or certificate version if it has been compromised and you no longer want to use it
- Tag CAs, certificates, or CA bundles with custom metadata
Regarding the use of certificate-related resources, you can do the following:
- View bundles for CAs, certificates, and CA bundles
- Associate certificates with one or more supported Oracle Cloud Infrastructure resources, such as Load Balancer
Integration with Oracle Cloud Infrastructure Identity and Access Management (IAM) lets you control which users and which services can access which CAs, certificates, and CA bundles, and what they can do with those resources. Integration with Oracle Cloud Infrastructure Audit gives you a way to monitor how certificate resources are used: Audit records the administrative actions (such as create, update, renew, revoke, and delete) performed on CAs, certificates, and CA bundles, whichever interface they come from.
Integration with Cloud Guard lets you detect areas of security weakness related to the configuration of Certificates resources and potentially risky activity. Cloud Guard integration also provides you with recommended steps for the remediation of any issues detected. For more information, see Integrating Cloud Guard with Other Services: Certificates Service.
Understand key concepts and components of the Certificates service.
- CERTIFICATES
- A certificate is a digital document that binds a public key to its subject, confirming that the subject holds the matching private key. In this service a certificate is an end-entity (or leaf) certificate: a certificate that cannot be used to sign other certificates. For instance, TLS/SSL server and client certificates, email certificates, code signing certificates, and qualified certificates are all end-entity certificates.
- CERTIFICATE AUTHORITIES
- A certificate authority (CA) issues certificates and subordinate CAs. CAs exist to certify the ownership of the public key in a given certificate. The CA's own certificate carries the public key that relying parties use to verify the CA's signature on the certificates it issues. CAs exist in a hierarchy: the CA at the top is the root CA, and every CA below the root in the hierarchy is a subordinate CA.
- A CA hierarchy establishes a chain of trust (or certification path) in which each entity signs the entity below it in the chain. The root CA is self-signed, so nothing in the chain vouches for it; for a certificate to be trusted, the root CA must already be a trusted root CA (that is, present in the trust store) of the endpoint performing the validation.
- CA BUNDLES
- A CA bundle includes root and intermediate CA certificates (the contents of the bundle), the properties of the bundle and of its current version, and user-provided contextual metadata. A CA bundle can include a single CA or multiple CAs, including CAs not managed by the Certificates service. The Certificates service supports certificate content in PEM format.
- CERTIFICATE CHAINS
- A certificate chain is the list of certificates from the end-entity certificate to the root certificate. The service does not support mixed certificate chains in which certificates use different key algorithm families, such as using RSA keys in some certificates and ECDSA keys in others. We recommend using different CA chains for different key algorithm families.
- CERTIFICATE REVOCATION LISTS
- A certificate revocation list (CRL) is issued and signed by a CA and lists the subordinate CA certificates and end-entity certificates that the issuing CA has revoked before their expiration dates. Revocation invalidates a certificate so that a relying party that checks the CRL no longer trusts it; a relying party that does not consult the CRL cannot tell a revoked certificate from a valid one.
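To make the concepts above concrete, the following added example (not Oracle's code and not an OCI API) builds a root CA, a subordinate CA and an end-entity certificate in memory with the third-party Python cryptography package, then validates chains the way a relying party would: it rejects a CA certificate presented as a leaf, a chain whose root the validator does not trust, a certificate whose signature does not verify under its claimed issuer's key, a chain that mixes RSA and ECDSA keys (the case the service does not support), and a leaf listed on a CRL signed by its issuer. The CA names and hostnames are made up.

```python
# Added example, not Oracle's code: needs the third-party 'cryptography' package; all names are made up.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)

class ChainError(ValueError):
    """Raised when a certificate chain fails validation."""

def make_cert(cn, key, issuer_cert, issuer_key, is_ca, path_len=None):
    """Issue a one-year certificate for `key`; issuer_cert=None means self-signed (a root CA).
    CA:TRUE lets the holder sign further certificates; CA:FALSE marks an end entity."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(issuer_cert.subject if issuer_cert else name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=path_len), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())

def make_crl(issuer_cert, issuer_key, revoked_serials):
    """Sign a CRL in which `issuer_cert` revokes the given serial numbers."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(issuer_key, hashes.SHA256())

def key_family(cert):
    return "RSA" if isinstance(cert.public_key(), rsa.RSAPublicKey) else "ECDSA"

def is_ca(cert):
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca

def verify_signature(cert, issuer):
    """Check that the issuer's public key produced `cert`'s signature."""
    pub, hash_alg = issuer.public_key(), cert.signature_hash_algorithm
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), hash_alg)
        else:
            pub.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(hash_alg))
    except InvalidSignature:
        raise ChainError(f"bad signature on {cert.subject.rfc4514_string()}") from None

def validate_chain(chain, trust_anchors, crls=()):
    """Validate chain = [leaf, intermediate, ...] against the validator's own trust anchors,
    applying the rules from the concept list above. Returns the trusted root on success."""
    if not chain or is_ca(chain[0]):
        raise ChainError("chain must start with an end-entity certificate")
    families = sorted({key_family(c) for c in chain})
    if len(families) > 1:  # the service rejects chains that mix RSA and ECDSA
        raise ChainError(f"mixed key algorithm families in chain: {families}")
    anchors = {a.subject: a for a in trust_anchors}
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer = chain[i + 1]
        elif cert.issuer in anchors:
            issuer = anchors[cert.issuer]  # top of the supplied chain meets a trusted root
        else:
            raise ChainError(f"no trusted root for {cert.issuer.rfc4514_string()}")
        if issuer.subject != cert.issuer or not is_ca(issuer):
            raise ChainError(f"{issuer.subject.rfc4514_string()} cannot have issued this certificate")
        verify_signature(cert, issuer)  # the CA's certificate authenticates the CA's signature
        for crl in crls:  # only a CRL signed by this certificate's own issuer is authoritative
            if crl.issuer == issuer.subject and crl.is_signature_valid(issuer.public_key()):
                if crl.get_revoked_certificate_by_serial_number(cert.serial_number):
                    raise ChainError(f"{cert.subject.rfc4514_string()} is revoked")
    return issuer

def demo():
    """Build the hierarchy, run the validator over several chains, and return each outcome."""
    root_key, sub_key, leaf_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = make_cert("Example Root CA", root_key, None, root_key, True, path_len=1)
    sub = make_cert("Example Issuing CA", sub_key, root, root_key, True, path_len=0)
    leaf = make_cert("app.example.com", leaf_key, sub, sub_key, False)
    forged = make_cert("app.example.com", leaf_key, sub, rogue_key, False)  # right issuer name, wrong key
    rsa_leaf = make_cert("rsa.example.com", rsa.generate_private_key(65537, 2048), sub, sub_key, False)
    crl = make_crl(sub, sub_key, [leaf.serial_number])
    def outcome(chain, anchors, crls=()):
        try:
            validate_chain(chain, anchors, crls)
            return "ok"
        except ChainError as err:
            return str(err)
    return {
        "good chain": outcome([leaf, sub], [root]),
        "untrusted root": outcome([leaf, sub], []),  # validator has no anchor for this root
        "ca as leaf": outcome([sub], [root]),
        "forged signature": outcome([forged, sub], [root]),
        "mixed families": outcome([rsa_leaf, sub], [root]),
        "revoked leaf": outcome([leaf, sub], [root], (crl,)),
    }
```

Running `demo()` returns "ok" only for the properly issued chain and a reason string for each of the other cases. The validator deliberately honours a CRL only when it is signed by the certificate's own issuer; a CRL from any other key is ignored rather than treated as authoritative. It does not enforce path-length constraints, validity periods, or name constraints, which a production validator must also check.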
Regions and Availability Domains
The Certificates service is available in all Oracle Cloud Infrastructure commercial regions. See About Regions and Availability Domains for the list of available regions, along with associated locations, region identifiers, region keys, and availability domains.
Most types of Oracle Cloud Infrastructure resources have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID). For information about the OCID format and other ways to identify your resources, see Resource Identifiers.
Ways to Access Oracle Cloud Infrastructure
You can access Oracle Cloud Infrastructure using the Console (a browser-based interface) or the REST API. Instructions for the Console and API are included in topics throughout this guide. For a list of available SDKs, see SDKs and the CLI.
To access the Console, you must use a supported browser. To go to the Console sign-in page, open the navigation menu at the top of this page and click Infrastructure Console. You are prompted to enter your cloud tenant, your user name, and your password.
For general information about using the API, see REST APIs.
Authentication and Authorization
Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).
An administrator in your organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, etc. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.
If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.
Limits on Certificates Resources
See Service Limits for a list of applicable limits and instructions for requesting a limit increase. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas.