15 Certificates and Keys

Overview of Certificates

Certificates establish keys for the encryption and decryption of data that Oracle Cloud applications exchange with other applications. Use the Certificates page in the Security Console functional area to work with certificates in either of two formats: PGP and X.509.

For each format, a certificate consists of a public key and a private key. The Certificates page displays one record for each certificate. Each record reports these values:

  • Type: For a PGP certificate, "Public Key" is the only type. For an X.509 certificate, the type is either "Self-Signed Certificate" or "Trusted Certificate" (one signed by a certificate authority).

  • Private Key: A check mark indicates that the certificate's private key is present. For either certificate format, the private key is present for your own certificates (those you generate in the Security Console). The private key is absent when a certificate belongs to an external source and you import it through the Security Console.

  • Status: For a PGP certificate, the only value is "Not Applicable." (A PGP certificate has no status.) For an X.509 certificate, the status is derived from the certificate.

Click the Actions menu to take an appropriate action for a certificate. Actions include:

  • Generate PGP or X.509 certificates.

  • Generate signing requests to transform X.509 certificates from self-signed to trusted.

  • Export or import PGP or X.509 certificates.

  • Delete certificates.

Types of Certificates

For a PGP or X.509 certificate, one operation creates both the public and private keys. From the Certificates page, select the Generate option. In a Generate page, select the certificate format, then enter values appropriate for the format.

For a PGP certificate, these values include:

  • An alias (name) and passphrase to identify the certificate uniquely.

  • The type of generated key: DSA or RSA.

  • Key length, in bits: 512, 1024, or 2048.

  • Encryption algorithm option for key generation: AES128 or AES256.

For an X.509 certificate, these values include:

  • An alias (name) and private key password to identify the certificate uniquely.

  • A common name, which is an element of the "distinguished name" for the certificate. The common name identifies the entity for which the certificate is being created, in its communications with other web entities. It must match the name of the entity presenting the certificate. The maximum length is 64 characters.

  • Optionally, other identifying values: Organization, Organization Unit, Locality, State/Province, and Country. These are also elements of the distinguished name for the certificate, although the Security Console doesn't perform any validation on these values.

  • An algorithm by which keys are generated: MD5 or SHA1.

  • A key length.

  • A validity period, in days. This period is preset to a value established on the General Administration page. You can enter a new value to override the preset value.

Sign an X.509 Certificate

You can generate a request for a certificate authority (CA) to sign a self-signed X.509 certificate, to make it a trusted certificate. (This process doesn't apply to PGP certificates.)

  1. Select Generate Certificate Signing Request. This option is available in either of two menus:

    • One menu opens in the Certificates page, from the row for a self-signed X.509 certificate.

    • The other menu is the Actions menu in the details page for that certificate.

  2. Provide the private key password for the certificate, then select a file location.

  3. Save the request file. Its default name is [alias]_CSR.csr.

You are expected to follow a process established by your organization to forward the file to a CA. You then import the trusted certificate that the CA returns in response.

Import and Export X.509 Certificates

For an X.509 certificate, you import or export a complete certificate in a single operation.

To export:

  1. From the Certificates page, select the menu available in the row for the certificate you want to export. Or open the details page for that certificate and select its Actions menu.

  2. In either menu, select Export, then Certificate.

  3. Select a location for the export file. By default, this file is called [alias].cer.

To import, use either of two procedures. Select the one appropriate for what you want to do:

  • The first procedure replaces a self-signed certificate with a trusted version (one signed by a CA) of the same certificate. (A prerequisite is that you have received a response to a signing request.)

    1. In the Certificates page, locate the row for the self-signed certificate, and open its menu. Or, open the details page for the certificate, and select its Actions menu. In either menu, select Import.

    2. Enter the private key password for the certificate.

    3. Browse for and select the file returned by a CA in response to a signing request, and click the Import button.

    In the Certificates page, the type value for the certificate changes from self-signed to trusted.

  • The second procedure imports a new X.509 certificate. You can import a .cer file, or you can import a keystore that contains one or more certificates.

    1. In the Certificates page, click the Import button. An Import page opens.

    2. Select X.509, then choose whether you're importing a certificate or a keystore.

    3. Enter identifying values, which depend on what you have chosen to import. In either case, enter an alias (which, if you're importing a .cer file, need not match its alias). For a keystore, you must also provide a keystore password and a private key password.

    4. Browse for and select the import file.

    5. Select Import and Close.
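The signing-request and import procedures above leave one check to the administrator: confirming that the file a CA returns really is the signed counterpart of the request exported as [alias]_CSR.csr, and not some other certificate for the same name. The bash script below is an added example, not Oracle's code; it assumes the OpenSSL command-line tool is installed, and every file name, subject and CA in it is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not Oracle's code): checks on a CA-returned certificate before it is
# imported over the self-signed one. Assumes the openssl CLI; all files are constructed.
set -euo pipefail

# SHA-256 of the DER-encoded public key carried by a CSR (kind=req) or a certificate (kind=x509).
pubkey_fingerprint() {
  local file=$1 kind=$2
  openssl "$kind" -in "$file" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the CA's response carries exactly the public key from the request.
csr_matches_cert() { [ "$(pubkey_fingerprint "$1" req)" = "$(pubkey_fingerprint "$2" x509)" ]; }

# Succeeds if the certificate is self-signed (issuer DN equals subject DN), i.e. not yet "trusted".
is_self_signed() {
  local s i
  s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject=//')
  i=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
  [ "$s" = "$i" ]
}

# Succeeds if the certificate is still valid DAYS days from now (validity-period check).
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; }

# Succeeds if the certificate chains to the given CA file.
chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Constructed fixtures in DIR: a key and CSR named like the Security Console export, a test CA
# that signs the CSR into alias.cer, and an unrelated self-signed other.cer with the same CN.
make_fixtures() {
  local d=$1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/alias.key" -out "$d/alias_CSR.csr" \
    -subj "/CN=erp.example.test/O=Example" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=Constructed Test CA" -days 30 2>/dev/null
  openssl x509 -req -in "$d/alias_CSR.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/alias.cer" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" -out "$d/other.cer" \
    -subj "/CN=erp.example.test" -days 30 2>/dev/null
}

if [ "${1-}" = demo ]; then
  d=$(mktemp -d); make_fixtures "$d"
  csr_matches_cert "$d/alias_CSR.csr" "$d/alias.cer" && echo "alias.cer matches the CSR"
  csr_matches_cert "$d/alias_CSR.csr" "$d/other.cer" || echo "other.cer does NOT match the CSR"
fi
```

Run it with the argument demo to see the constructed fixtures checked; in practice, point csr_matches_cert at the exported [alias]_CSR.csr and the CA's response file before starting the import.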

Import and Export PGP Certificates

For a PGP certificate, you export the public key and the private key in separate operations. You can import only public keys. (The assumption is that you import keys from external sources, which wouldn't provide their private keys to you.)

To export:

  1. From the Certificates page, select the menu available in the row for the certificate you want to export. Or open the details page for that certificate and select its Actions menu.

  2. In either menu, select Export, then Public Key or Private Key.

  3. If you selected Private Key, provide its passphrase. (The public key doesn't require one.)

  4. Select a location for the export file. By default, this file is called [alias]_pub.asc or [alias]_priv.asc.

To import a new PGP public key:

  1. On the Certificates page, select the Import button.

  2. In the Import page, select PGP and specify an alias (which need not match the alias of the file you're importing).

  3. Browse for the public-key file, then select Import and Close.

The Certificates page displays a record for the imported certificate, with the Private Key cell unchecked.

Use a distinct import procedure if you need to replace the public key for a certificate you have already imported, and don't want to change the name of the certificate:

  1. In the Certificates page, locate the row for the certificate whose public key you have imported, and open its menu. Or, open the details page for the certificate, and select its Actions menu. In either menu, select Import.

  2. Browse for the public-key file, then select Import.

Delete Certificates

You can delete both PGP and X.509 certificates:

  1. In the Certificates page, select the menu available in the row for the certificate you want to delete. Or, in the details page for that certificate, select the Actions menu.

  2. In either menu, select Delete.

  3. Respond to a warning message. If the certificate's private key is present, you must enter the passphrase (for a PGP certificate) or the private key password (for an X.509 certificate) as you respond to the warning. Either value was set when your organization generated the certificate.