15 Managing Certificates
In addition to Oracle Key Vault-generated certificates, you can manage third-party certificates.
- Rotating Certificates
  You can rotate both Oracle Key Vault-generated certificates and third-party certificates.
- Managing Console Certificates
  You can use the Oracle Key Vault management console to manage console certificates.
15.1 Rotating Certificates
You can rotate both Oracle Key Vault-generated certificates and third-party certificates.
- About Rotating Certificates
  The certificate rotation process captures all certificates in the Oracle Key Vault server. This operation does not rotate the console certificates.
- Advice for Managing Certificate Rotations
  Oracle Key Vault provides advice on the best ways to rotate certificates.
- Rotating All Certificates
  You can use the Oracle Key Vault management console to rotate certificates.
- Checking the Certificate Rotation Status
  You can use the Oracle Key Vault management console to check the status of a certificate rotation.
15.1.1 About Rotating Certificates
The certificate rotation process captures all certificates in the Oracle Key Vault server. This operation does not rotate the console certificates.
A certificate in Oracle Key Vault lasts 730 days. If you do not rotate the certificates (both server and endpoint certificates) before then, the endpoints that use them can no longer connect to the Oracle Key Vault server, and you must re-enroll each affected endpoint. To avoid this scenario, you can configure an alert that reminds you to rotate the certificates before the 730-day limit is reached. The rotation process rotates all certificates in one operation. To find out how much time remains before the Oracle Key Vault server certificate expires, check the OKV Server Certificate Expiration setting on the Configure Alerts page of the Oracle Key Vault management console. To find the expiry time of the endpoint certificates, navigate to the Endpoints page and check the Certificate Expires field.
In addition to standalone environments, you can rotate certificates in primary-standby and multi-master cluster environments. In a primary-standby configuration, Oracle Key Vault automatically synchronizes the certificates on both servers; in a multi-master cluster, it synchronizes them across all nodes. You do not have to perform any extra configuration.
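To make the 730-day limit and the expiration alert concrete, the following Go program is an added example (not Oracle's code and not part of this documentation): it builds a constructed certificate with the Oracle Key Vault lifetime and classifies it against an alert window, which is the decision the OKV Server Certificate Expiration alert makes for you. The placeholder host name, the 60-day window in the test values, and all function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// OKVCertLifetimeDays mirrors the 730-day lifetime of Oracle Key Vault server and endpoint certificates.
const OKVCertLifetimeDays = 730

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewTestCert builds a constructed self-signed certificate issued at the given time and valid for
// OKVCertLifetimeDays; it stands in for one exported from a server or endpoint (placeholder host name).
func NewTestCert(issued time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "okv.example.invalid"},
		NotBefore: issued, NotAfter: issued.AddDate(0, 0, OKVCertLifetimeDays)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
}

// DaysUntilExpiry returns the whole days left before NotAfter; negative once the certificate has expired.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// RotationStatus compares the remaining lifetime with an alert window of warnDays: "ok", "rotate"
// (inside the window), or "expired" (endpoints using it can no longer connect and must be re-enrolled).
func RotationStatus(cert *x509.Certificate, now time.Time, warnDays int) string {
	switch d := DaysUntilExpiry(cert, now); {
	case d < 0:
		return "expired"
	case d <= warnDays:
		return "rotate"
	default:
		return "ok"
	}
}
```

Run RotationStatus against the certificate exported from each server and endpoint with the same warnDays you set for the alert; a "rotate" result means the rotation should be scheduled now, while "expired" means re-enrollment is already required.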
15.1.2 Advice for Managing Certificate Rotations
Oracle Key Vault provides advice on the best ways to rotate certificates.
- Do not initiate a certificate rotation while a node addition is in progress.
- Do not try node operations (such as adding or disabling nodes) while a certificate rotation is in process.
- You cannot initiate certificate rotation unless all nodes in the cluster are active. You can check whether a node is active on the Cluster Monitoring page. (Click the Cluster tab, and then select Monitoring from the left navigation bar.)
- In a primary-standby configuration, do not perform certificate rotation if the primary database is in read-only restricted mode. Only initiate a certificate rotation when both servers in the configuration are active and synchronized with each other.
- If you are performing certificate rotation on a system that was upgraded from a previous release, ensure that you upgrade the endpoints as well. Endpoints whose software has not been upgraded will not receive updated credentials.
- You cannot perform a certificate rotation while a backup operation or a restore operation is in progress.
- Before performing a certificate rotation, back up the Oracle Key Vault system.
15.1.3 Rotating All Certificates
You can use the Oracle Key Vault management console to rotate certificates.
15.1.4 Checking the Certificate Rotation Status
You can use the Oracle Key Vault management console to check the status of a certificate rotation.
15.2 Managing Console Certificates
You can use the Oracle Key Vault management console to manage console certificates.
- About Managing Console Certificates
  Oracle Key Vault enables you to install a certificate signed by a Certificate Authority (CA) for more secure connections.
- Step 1: Download the Certificate Request
  When you request the console certificate, you can suppress warning messages.
- Step 2: Have the Certificate Signed
  After you download the Oracle Key Vault certificate.csr file, you can have it signed.
- Step 3: Upload the Signed Certificate to Oracle Key Vault
  In addition to uploading the signed certificate, you can optionally choose to deactivate and re-activate the certificate.
- Console Certificates in Special Use Case Scenarios
  Depending on the situation, you must perform additional steps when you use console certificates.
15.2.1 About Managing Console Certificates
Oracle Key Vault enables you to install a certificate signed by a Certificate Authority (CA) for more secure connections.
You can upload a certificate that was signed by a third-party CA to Oracle Key Vault to prove its identity, encrypt the communication channel, and protect the data that is exchanged throughout the Oracle Key Vault system.
To install a console certificate, you must generate a certificate request, get it signed by a CA, and then upload the signed certificate back to Oracle Key Vault.
15.2.2 Step 1: Download the Certificate Request
When you request the console certificate, you can suppress warning messages.
15.2.3 Step 2: Have the Certificate Signed
After you download the Oracle Key Vault certificate.csr file, you can have it signed.
You can use any out-of-band method to have the certificate request signed by a CA of your choice.
Afterward, upload the signed certificate back to Oracle Key Vault using the management console.
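As an added example (not Oracle's code and not part of this documentation), the following Go program plays both sides of this step with constructed material: an internal CA standing in for the CA of your choice checks and signs a CSR standing in for certificate.csr, and ReadyToUpload performs the checks an administrator should run on the returned certificate before uploading it in Step 3. The CA name, the placeholder console host name, the 365-day validity and all function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// Fixtures builds the constructed material: a CSR standing in for the downloaded certificate.csr
// and an internal CA that checks the CSR's self-signature and then issues the console certificate.
func Fixtures(host string) (csr *x509.CertificateRequest, cert, ca *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	consoleKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	csrTmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	csr = must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, csrTmpl, consoleKey))))
	if err := csr.CheckSignature(); err != nil { // the CA's first check: the requester holds the private key
		panic(err)
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 365),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	cert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey))))
	return csr, cert, ca
}

// ReadyToUpload is the administrator's check before Step 3: the signed certificate must carry the
// CSR's public key, chain to the CA, and be valid for the console host name.
func ReadyToUpload(cert *x509.Certificate, csr *x509.CertificateRequest, ca *x509.Certificate) error {
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(csr.PublicKey) {
		return errors.New("signed certificate does not match the CSR key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: csr.DNSNames[0]})
	return err
}
```

A certificate that fails ReadyToUpload (wrong key, unknown issuer, or a host name that does not match the console) will not serve the console correctly, so resolve the failure with the CA before uploading.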
15.2.4 Step 3: Upload the Signed Certificate to Oracle Key Vault
In addition to uploading the signed certificate, you can optionally choose to deactivate and re-activate the certificate.
15.2.5 Console Certificates in Special Use Case Scenarios
Depending on the situation, you must perform additional steps when you use console certificates.
- Primary-standby environments: If you want to use a console certificate in a primary-standby configuration, then you must install it on the primary and standby servers first, and then pair them.
- RESTful services: When you install a console certificate, you must download the RESTful software utility again before you can use the new certificate.
- Restored data from a backup: If you install a console certificate, perform a backup, and then restore another Oracle Key Vault appliance from that backup, you must re-install the console certificate on the new server before you can use it. The restore process does not copy the console certificate.