20 Managing Console Certificates

You can use the Oracle Key Vault management console to manage console certificates.

20.1 About Managing Console Certificates

Oracle Key Vault enables you to install a certificate signed by a Certificate Authority (CA) for more secure connections.

You can upload a certificate that was signed by a third-party CA to Oracle Key Vault to prove its identity, encrypt the communication channel, and protect the data that is exchanged throughout the Oracle Key Vault system.

To install a console certificate, you must generate a certificate request, get it signed by a CA, and then upload the signed certificate back to Oracle Key Vault.

20.2 Step 1: Download the Certificate Request

When you request the console certificate, you can suppress warning messages.

These warning messages appear when the browser detects a mismatch between the attributes of the server certificate and the attributes of the login session to the Oracle Key Vault management console.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Certificates area, click Console Certificate.
  4. In the Console Certificate page, click Generate Certificate Request.
  5. If you need to change the host name of the Oracle Key Vault server, which appears next to Common Name, then click Change.
    The Network Details window appears, where you can change the Host Name setting. Click Save afterward.

    Note:

    If you do not want to change the hostname of the Oracle Key Vault server but still want to use a fully qualified domain name (FQDN), you can add the FQDN to the SAN field. You can also support two FQDNs for the Oracle Key Vault server: one by changing the hostname and the other by adding it to the SAN field.
  6. Check the box to the left of the text Suppress warnings for IP based URL access if you want to suppress browser warnings for server IP address changes.
  7. Enter the required fields, which are marked with an asterisk: Organization Name and Country / Region.
    You must enter values for these fields in order to proceed without errors. You may enter values in the rest of the optional fields as needed.
  8. Click Submit and Download to the top right.
    A directory window appears, where you can save the certificate.csr file. Select a directory and save the file to a secure location.

    Note:

    If multiple Certificate Signing Requests are generated concurrently, you can verify which one is the most recently generated by reloading the Generate Certificate Request page and checking that the information in the table matches the correct certificate.csr file. If the table is not populated when the page reloads, the certificate.csr file is corrupted. To resolve this, generate a new certificate.csr file by following the steps in Step 1: Download the Certificate Request.

20.3 Step 2: Have the Certificate Signed

After you download the Oracle Key Vault certificate.csr file, you can have it signed.

  • Use any out-of-band method to have the certificate.csr file signed by a CA of your choice.
Afterward, you can upload the signed certificate back to Oracle Key Vault using the management console.

20.4 Step 3: Upload the Signed Certificate to Oracle Key Vault

In addition to uploading the signed certificate, you can optionally choose to deactivate and re-activate the certificate.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, and then Settings from the left navigation bar.
  3. In the Certificates area, click Console Certificate.
  4. Click Upload Certificate at the top right to display the Upload Certificate page.
  5. Select Choose File to display a directory window on your local system.
  6. Navigate to the directory where you stored the signed certificate and select it.
    After you select the certificate, you will see the file name to the right of Choose File.
  7. Click Upload.
    If the certificate is installed with no errors, then you will see its details appear in a new Uploaded Certificate Details panel just below Console Certificate.
At this stage, if you need to, you can deactivate the certificate by clicking Deactivate on the top right of the Uploaded Certificate Details section. When you deactivate the certificate, the Deactivate button is replaced by an Apply Certificate button. You can click this button to re-activate the certificate.

Note:

After you deactivate the certificate, you can reactivate it only until a new certificate request is generated. After that, you must upload a new signed certificate (generated from the new certificate request) rather than reactivating the old one.
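The three steps above are performed in the management console, but each hands you a file whose contents you should check before moving on: that the downloaded certificate.csr is not corrupted and carries the Common Name and SAN you expect (Step 1), that the CA's reply actually answers that request rather than an older one (Step 2), and that the console serves the uploaded certificate afterwards (Step 3). The following openssl helper is an added example, not Oracle Key Vault's own tooling; the file names, the host:port argument, and the sample CSR it constructs are assumptions.

```shell
# Added helper (not part of Oracle Key Vault): openssl checks around the three
# console-certificate steps. File names and the host:port value are assumptions.
# Exit 0 only if the file parses as a CSR whose self-signature verifies; a
# corrupted certificate.csr (see the note in Step 1) fails here.
csr_is_valid() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
# Print "CN|SAN list" so the request can be matched against the values shown on
# the Generate Certificate Request page before it is sent to the CA.
csr_names() {
  cn=$(openssl req -in "$1" -noout -subject 2>/dev/null | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  san=$(openssl req -in "$1" -noout -text 2>/dev/null | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
  printf '%s|%s\n' "$cn" "$san"
}
# Exit 0 only if the CA-signed certificate ($1) carries the public key from the
# CSR ($2), i.e. it answers this request and not an older, superseded one.
cert_matches_csr() {
  csr_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
  crt_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}
# After Step 3, confirm the console at host:port ($2) really serves the uploaded
# certificate ($1) by comparing SHA-256 fingerprints (needs network access).
served_cert_matches() {
  local_fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  remote_fp=$(openssl s_client -connect "$2" -servername "${2%%:*}" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  [ -n "$remote_fp" ] && [ "$local_fp" = "$remote_fp" ]
}
# Constructed sample material standing in for the downloaded certificate.csr and
# the CA's reply (self-signed here), so the checks above can be run offline.
make_sample() {
  cat >"$1/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = okv.example.com
O = Example Org
C = US
[ext]
subjectAltName = DNS:okv.example.com,DNS:keyvault.example.com
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" -out "$1/certificate.csr" -config "$1/req.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$1/certificate.csr" -signkey "$1/key.pem" -days 30 -out "$1/signed.pem" >/dev/null 2>&1
}
```

Run `make_sample "$(mktemp -d)"` and then the check functions against the files it writes to see the expected pass and fail cases; against real material, pass the downloaded certificate.csr and the CA's certificate instead.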

20.5 Console Certificates in Special Use Case Scenarios

Depending on the situation, you must perform additional steps when you use console certificates.

  • Primary-standby environments: If you want to use a console certificate in a primary-standby configuration, then you must install it on the primary and standby servers first, and then pair them.

  • Restored data from a backup: If you install a console certificate, perform a backup, and then restore another Oracle Key Vault appliance from that backup, you must re-install the console certificate on the new server before you can use it. The restore process does not copy the console certificate.