Obtain the Root CA Certificate from Oracle Identity Cloud Service

When you set up Service Providers and Identity Providers for Federated SSO, you need to download the metadata file and the signing and encryption certificates. These certificates are not self-signed; they are issued by a root certificate. For the federation to be set up and work correctly, you must therefore obtain the root certificate and install it at the federation partner. Follow the procedure below to obtain the root certificate.

To obtain the root CA certificate:
  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Default Settings.
  2. Turn on the switch under Access Signing Certificate to enable clients to access the tenant signing certificate without logging in to Oracle Identity Cloud Service.
  3. Click Save to save the default settings.
  4. Refer to the REST API documentation for details on installing cURL.
  5. Use this URL https://tenant-base-url/admin/v1/SigningCert/jwk as the endpoint.
  6. Execute the following cURL command to retrieve the tenant signing certificate as a JWK (JSON Web Key) document, from which you create the root certificate file:

    curl -k -i -H "Accept: application/scim+json,application/json" --request GET "https://tenant-base-url/admin/v1/SigningCert/jwk"

    After you execute the command, the JWK document for the tenant signing certificate is returned. (The original page shows this response in the illustration root_certificate.png, with the certificate value to copy highlighted.)

  7. Open Notepad and paste the highlighted value, without the surrounding JSON quotation marks, between the PEM header and footer lines:
    -----BEGIN CERTIFICATE-----
    [Paste the highlighted key here]
    -----END CERTIFICATE-----

    For example (abbreviated):

    -----BEGIN CERTIFICATE-----
    MIIDdDCCAlygAwIBAgIGAVw4Ns68MA0GCS......./VaWgoMQ6J9t9CLarai
    -----END CERTIFICATE-----

  8. Save this file as your root certificate file.
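As an added example (not Oracle's code), the following Python script performs steps 6 to 8 on a saved copy of the JWK response: it reads the x5c certificate chain, checks the x5t and x5t#S256 thumbprints when they are present, and writes the last chain entry as the PEM root certificate file. It assumes the endpoint returns a standard JWK Set whose first key carries x5c ordered leaf first, and it uses constructed placeholder byte strings (not real certificates) as sample input so it runs offline.

```python
"""Convert the saved IDCS SigningCert JWK response into a PEM root CA file.
Added example (not Oracle's code). Assumes a JWK Set (RFC 7517) whose
keys[0].x5c is a base64 DER chain ordered leaf first, so the last entry is
the root CA; x5t / x5t#S256, when present, are thumbprints of the first entry."""
import base64
import hashlib
import json
import sys
import textwrap

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def der_to_pem(der: bytes) -> str:
    """PEM = base64 body wrapped at 64 columns between BEGIN/END markers."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def extract_chain(jwks_text: str) -> list[bytes]:
    """Return the DER certificates from x5c after checking the thumbprints."""
    doc = json.loads(jwks_text)
    key = doc.get("keys", [doc])[0]  # tolerate a bare JWK as well as a JWK Set
    chain = [base64.b64decode(c) for c in key.get("x5c", [])]  # x5c is plain base64
    if not chain:
        raise ValueError("no x5c certificate chain in the JWK")
    for field, algo in (("x5t", hashlib.sha1), ("x5t#S256", hashlib.sha256)):
        if field in key and key[field] != _b64url(algo(chain[0]).digest()):
            raise ValueError(f"{field} does not match the first x5c certificate")
    return chain

def root_ca_pem(jwks_text: str) -> str:
    """The root CA is the last element of the leaf-first chain."""
    return der_to_pem(extract_chain(jwks_text)[-1])

# Constructed sample input (NOT real certificates): two short placeholder byte
# strings standing in for the signing certificate and its root CA.
SAMPLE_LEAF = b"\x30\x05\x02\x03leaf"
SAMPLE_ROOT = b"\x30\x05\x02\x03root"
SAMPLE_JWKS = json.dumps({"keys": [{
    "kty": "RSA", "use": "sig", "alg": "RS256", "kid": "SIGNING_KEY",
    "x5c": [base64.b64encode(c).decode() for c in (SAMPLE_LEAF, SAMPLE_ROOT)],
    "x5t": _b64url(hashlib.sha1(SAMPLE_LEAF).digest()),
    "x5t#S256": _b64url(hashlib.sha256(SAMPLE_LEAF).digest()),
}]})

if __name__ == "__main__":
    # Usage: python idcs_root_ca.py jwk_response.json > root_ca.pem
    sys.stdout.write(root_ca_pem(open(sys.argv[1]).read()))
```

Save the body of the cURL response (without the HTTP headers that -i adds) to a file and pass its path as the only argument; the PEM written to standard output is the file to install at the federation partner.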