19 Managing Service Certificates

This chapter describes the certificates that Oracle Key Vault generates and explains how to manage self-signed and third-party (intermediate) CA certificates.

19.1 Overview of Oracle Key Vault Certificates

Oracle Key Vault uses certificates for various purposes including endpoint authentication, server authentication, and securing the communication channels using the TLS protocol.

The TLS protocol protects communication between the Oracle Key Vault server or node, and the endpoints. The TLS protocol also protects the back channel communication between the Oracle Key Vault nodes in the cluster deployment or Oracle Key Vault servers in the primary-standby deployment. The TLS certificates used by endpoints and the Oracle Key Vault servers or cluster-nodes are issued by the Oracle Key Vault itself using its CA certificate. The Oracle Key Vault’s CA certificate may be a self-signed Root CA or an intermediate CA.

Oracle Key Vault generates all of these TLS certificates itself, with the exception of the intermediate CA certificate, which is signed by an external CA.

CA Certificate

The CA certificate is a self-signed Root CA or an intermediate CA certificate that the Oracle Key Vault uses to issue endpoint certificates, as well as server or node certificates. The self-signed Root CA certificate is generated at the time of Oracle Key Vault installation. Customers can choose to replace it with an intermediate CA certificate that is signed by the organization's own internal CA or a third-party CA post-installation or post-upgrade. The CA certificate is the same for all nodes in a multi-master cluster deployment and for both the primary and standby servers of a primary-standby deployment. The CA certificate is different from the console certificates.

If you do not rotate the CA certificate before it expires, none of the endpoints can communicate with the Oracle Key Vault server or with any node of the Oracle Key Vault cluster, and all endpoints experience downtime. In a cluster deployment, the Oracle Key Vault nodes can no longer communicate with each other; in a primary-standby deployment, communication between the primary and standby servers breaks down.

Note:

The CA Certificate must be rotated before it expires to prevent outage to endpoints. Start the CA certificate rotation several weeks in advance of CA certificate expiry to prevent outage to the Oracle Key Vault deployment and endpoints.

Rotating CA certificates also rotates the server or node certificates and endpoint certificates.

Server and Node Certificate

The server or node certificate is the TLS certificate of an Oracle Key Vault server or cluster node. In a standalone or primary-standby deployment, Oracle Key Vault uses the server certificate to communicate with its endpoints. In a multi-master cluster deployment, each cluster node has its own node certificate, which it uses to communicate with the other nodes and with the endpoints.

These certificates are referred to as server certificates for standalone and primary-standby systems and as node certificates in multi-master cluster configurations. The Oracle Key Vault CA certificate is used to issue these certificates.

Rotate the server or node certificates before they expire, as described in section Managing Server Certificates and Node Certificates Rotation. The CA and endpoint certificates are not rotated when server or node certificates are rotated.

Note:

Rotating the node certificate in a multi-master cluster deployment is a per-node operation.

If the server certificate in a standalone deployment is not rotated before it expires, none of the endpoints can communicate with the Oracle Key Vault server and all endpoints experience downtime. If the server certificate in a primary-standby deployment is not rotated before it expires, none of the endpoints can communicate with the primary server and all endpoints experience downtime.

If you do not rotate a node certificate in a cluster deployment before it expires, endpoints fall back to the other nodes for endpoint operations such as fetching a key. However, inter-node communication with that node is impacted, and cluster-wide operations such as creating a new endpoint or creating a new wallet are impacted as well.

Note:

If all of the node certificates in the cluster deployment have expired, endpoints cannot communicate with any node in the multi-master cluster.

Endpoint Certificate

Each endpoint is issued a unique endpoint TLS certificate that authenticates the endpoint to Oracle Key Vault. The Oracle Key Vault Certificate Authority (CA) certificate is used to issue the endpoint certificates. Rotate an endpoint's certificate before it expires, as described in section Rotating Endpoint Certificates. The CA, server, and node certificates are not rotated when endpoint certificates are rotated.

If an endpoint's certificate is not rotated before it expires, the endpoint experiences downtime and must be re-enrolled.

19.2 Certificates Validity Period

You can set the validity periods for Oracle Key Vault certificates to meet your security, compliance, and operational requirements.

19.2.1 About Certificates Validity Period

Compliance and best security practices have different requirements for certificate validity depending upon the purpose and use of the certificate.

For simplicity, up until Oracle Key Vault release 21.3, all three certificates (the Oracle Key Vault CA certificate, including the self-signed Root CA certificate, the server or node certificate, and the endpoint certificate) were rotated together. However, the server or node, endpoint, and CA certificates can have different validity periods, because the validity requirements for endpoint and server or node certificates generally differ from those of the CA certificate. You can configure the validity periods of the self-signed Root CA, the server or node certificates, and the endpoint certificates independently, with different values. You can rotate the server or node certificates independently of the CA certificate rotation. Starting in Oracle Key Vault release 21.5, you can also rotate the endpoint certificates independently of the CA and server or node certificates.

The default and the range of the validity periods of the TLS certificates in Oracle Key Vault are described below.

Table 19-1 Certificates Validity Period

Certificate              Default Validity (out of the box)   Minimum Validity        Maximum Validity
Self-Signed Root CA      1095 days or 3 years                365 days or 1 year      3650 days or 10 years
Intermediate CA          Defined by signing CA               Defined by signing CA   Defined by signing CA
Server/Node Certificate  365 days or 1 year                  365 days or 1 year      1095 days or 3 years
Endpoint Certificate     365 days or 1 year                  365 days or 1 year      1095 days or 3 years

The certificate validity period automatically determines the certificate expiry. Rotate the certificates before they expire.

You can set different validity periods for each type of certificate to meet your requirements.

Setting the validity period of certificates does not affect the validity period of existing certificates. The configured validity periods take effect when a new certificate is generated either during the certificate rotation or when you set up a new endpoint or cluster node.

The CA signing authority sets the validity period of the intermediate CA certificate.

Note:

For simplicity, until Oracle Key Vault release 21.4, all three types of certificates - self-signed Root CA certificate, server or node certificate, and the endpoint certificate had the same certificate validity period. The server or node certificates could not be rotated independently of the CA certificate rotation, nor could they be configured with different certificate validity periods. Until Oracle Key Vault release 21.5, the endpoint certificates could not be rotated independently of the CA certificate rotation.

19.2.2 Setting Validity Period of Self-Signed Root CA Certificate

You can configure the validity period for the self-signed Root certificate authority (CA) certificate from the Oracle Key Vault management console.

The CA certificate validity period governs the end date of the CA certificate. The end date of the CA certificate acts as an upper bound on the validity period of the server or node, and the endpoint certificates, when they are issued.
Setting the validity period of the self-signed Root CA certificate does not put a new certificate into use. You must rotate the CA certificate to generate and enable a new self-signed Root CA certificate with the configured validity period, as described in Rotating CA Certificate.

To set the validity period for the self-signed Root CA:
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    In a primary-standby environment, log in to the primary Oracle Key Vault server. In a multi-master cluster environment, log in to the node selected for CA certificate rotation in the cluster.
  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, click Service Certificates.
  4. In the Service Certificates page, select Manage CA Certificate.
  5. In the CA Certificate Details page, select the Self-Signed Root CA option. The Self-Signed Root CA option is selected by default.
  6. Set the validity value in the Self-Signed Root CA Certificate Validity (in days) field. The default is 1095 days (3 years). You can set a maximum validity period of 3650 days (10 years) and a minimum validity period of 365 days (1 year).
  7. Click Save.

19.2.3 Configuring Certificate Validity Period for Server and Node Certificates

You can configure the validity period for server or node certificates in the Oracle Key Vault management console.

The configured validity period takes effect the next time you rotate the server or node certificates. It is also applied when server or node certificates are generated as part of a CA certificate rotation, and to the node certificate of a new node that you add to the cluster. Irrespective of the configured server or node certificate validity, Oracle Key Vault ensures that the expiry date of a generated certificate is earlier than that of the CA certificate.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    In a multi-master cluster environment, you can log in to any node in the cluster.
  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, select Service Certificates.
  4. Depending on your environment, perform the following:
    • In a standalone or primary-standby environment: In the Current Server Certificate area, select Manage Server Certificate.
    • In a multi-master cluster environment: In the Current Node Certificate area, select Manage Node Certificate.
  5. In the Server Certificate Validity (in days) or Node Certificate Validity (in days) field, enter a value between 365 days (the minimum and the default) and 1095 days for this setting.
  6. Click Save.

19.2.4 About Configuring Certificate Validity Period for Endpoint Certificates

You can set the validity period for the endpoint certificates in the Global Endpoint Configuration parameters.

The default value is 365 days (1 year). You can set a maximum validity period of 1095 days (3 years) and a minimum validity period of 365 days (1 year).

The certificate validity period takes effect the next time that an existing endpoint is rotated or re-enrolled, or when a new endpoint is added. Irrespective of the value that the endpoint certificate validity is set to, when the endpoint is eventually rotated, Oracle Key Vault ensures that the endpoint certificate expiry date is less than that of the CA certificate.

19.3 Monitoring Certificates Expiry

Proactively set alerts and monitor the expiry dates of the Oracle Key Vault certificates and rotate them before they expire.

19.3.1 Monitoring Certificates Expiry Using Certificate Expiration Alerts

Set expiration alerts as reminders to rotate the certificates before their expiration date.

Expiration of a certificate, especially the CA certificate, breaks communication between the endpoints and Oracle Key Vault and impacts the operations of one or more endpoints, up to stopping endpoint operations completely. In addition, upgrades and communication between the Oracle Key Vault multi-master cluster nodes may fail. Ensure that you rotate certificates well before their expiration date.

To avoid this scenario, Oracle recommends that you configure alerts as a reminder to rotate the certificates before they expire. There are separate alerts for endpoint certificate expiration, server or node certificate expiration, and CA certificate expiration.

If you use an intermediate CA certificate, monitor the expiry of every certificate in its trust chain independently. The intermediate CA certificate must be rotated before any certificate in its trust chain expires; this prevents an outage to endpoints. Start the CA certificate rotation several weeks in advance of CA certificate expiry to prevent an outage to the Oracle Key Vault deployment and endpoints.

Note:

  • If you are using an intermediate CA certificate, you must monitor the certificate expiry in the CA trust chain independently. The expiration of any certificate in the CA trust chain causes an outage to Oracle Key Vault.
  • You must promptly address the certificate expiration alerts by rotating the certificates indicated by the alert. Depending on your deployment, the rotation of the Oracle Key Vault CA certificate in particular may take a very long time (on the order of several days). Begin the CA certificate rotation process well before CA certificate expiry to avoid outages.

19.3.2 Finding the Expiration Date of Endpoint Certificates

You can find the expiration date of endpoint certificates in the Oracle Key Vault management console.

To find the expiration date of the endpoint certificates, navigate to the Endpoints page and check the Endpoint Certification Expiration field.
  1. Log in to the Oracle Key Vault management console.
    In a multi-master cluster environment, you can log in to any node in the cluster.
  2. Select the Endpoints tab.
  3. In the Endpoints table, check Endpoint Certification Expiration.

19.3.3 CA Certificate Expiration Date on Status Page

You can check the CA Certificate Expiration Date, which is the expiration date of the Oracle Key Vault CA certificate, from the Status page.

The CA Certificate Expiration Date field on the System Status page shows the expiration date of the CA certificate. The CA Certificate Expiring In field shows how many days are left before the CA certificate expires.

To navigate to the System Status page, select the System tab.

  1. Log in to the Oracle Key Vault management console as a System Administrator.

    In a multi-master cluster environment, you can log in to any node in the cluster.

  2. Select the System tab and then Status from the left navigation side bar.
  3. Check the CA Certificate Expiration Date field.
  4. Check the CA Certificate Expiring in field.

Illustration: 218_ca_certificate_details_status_page.png (CA certificate expiration fields on the System Status page)

Oracle Key Vault raises an alert for the CA certificate expiration when the CA Certificate Expiration Date falls within the alert threshold period. You can also monitor the CA Certificate Expiration Date over SNMP.

19.3.4 Server and Node Certificate Expiration on Status Page

You can check the Server Certificate Expiration Date (in a standalone or primary-standby environment) or the Node Certificate Expiration Date (in a multi-master cluster environment) from the Status page.

The Server Certificate Expiration Date field on the System Status page shows the expiration date of the server certificate. The Server Certificate Expiring In field shows how many days are left before the server certificate expires.

In a multi-master cluster environment, these fields are called Node Certificate Expiration Date and Node Certificate Expiring In. The Node Certificate Expiration Date field reflects the expiration date of the node certificate, while Node Certificate Expiring In shows how many days are left for the node certificate to expire.

Note:

In a multi-master cluster environment, log into the node whose node certificate expiration date you wish to check. Different nodes can have different node certificate expiration dates.

To navigate to the Status page, select the System tab.

  1. Log in to the Oracle Key Vault management console as a System Administrator.
  2. Select the System tab and then Status from the left navigation side bar.
  3. Check the Server Certificate Expiration Date field. In a multi-master cluster environment, this field is Node Certificate Expiration Date.
  4. Check the Server Certificate Expiring in field. In a multi-master cluster environment, this field is Node Certificate Expiring In.


Oracle Key Vault raises an alert for server or node certificate expiration when the server or node certificate expiration date falls within the configured alert threshold period. You can also monitor the Server Certificate Expiration Date over SNMP.

19.3.5 Finding the Expiration Date of the CA Certificate

You can find how much time the Oracle Key Vault CA certificate has before it expires by navigating to the Service Certificates page.

  1. Log in to the Oracle Key Vault management console as the System Administrator.
    In a multi-master cluster environment, you can log in to any node in the cluster.
  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, select Service Certificates.
  4. In the Current CA Certificate area, check the End Date setting to know when the CA certificate is expiring.
    The Expiring In setting shows the number of days left for the CA certificate to expire.

    Note:

    You can also check the CA certificate expiration date on the Oracle Key Vault System Status page.


19.3.6 Finding the Expiration Date of Server Certificates and Node Certificates

You can find the expiration date of server certificates and node certificates in the Oracle Key Vault management console.

Perform the following steps to review the end date and time to expiry of the server certificate, or of all the node certificates in the cluster:
  1. Log in to Oracle Key Vault management console as a user who has the System Administrator role.
    In a multi-master cluster environment, you can log in to any node in the cluster.
  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, select Service Certificates.
  4. In a standalone or primary-standby environment:
    • Under Current Server Certificate, check the End Date setting to determine when the server certificate is expiring. The Expiring In setting also shows the number of days left for the server certificate expiry.
  5. In a multi-master cluster environment:
    • In the Current Node Certificate area, select Manage Node Certificate. Under Current Node Certificate, check the End Date setting. The Expiring In setting also shows the number of days left for the node certificate expiry.
    • You can view the end dates and time to expire of all the node certificates in the cluster in the Cluster Node Certificate Details area.

If a server or node certificate is expiring soon, Oracle recommends that you rotate it as soon as possible.

Note:

You can also check the Server Certificates and Node Certificates expiration date on the Oracle Key Vault System Status page.

19.4 Managing CA Certificate Rotation

You can use the Oracle Key Vault management console to rotate the CA certificate before it expires. The new CA certificate can be a self-signed Root CA certificate or an intermediate CA certificate.

19.4.1 Steps for Managing CA Certificate Rotation

A user with the System Administrator role can perform CA certificate rotation when the CA certificate is about to expire. The user sets up a new self-signed Root CA certificate or an intermediate CA certificate and puts the new certificate into use. The server or node certificates and the endpoint certificates are also rotated as part of this process.

The CA certificate rotation process involves the following steps:
  1. Set the validity of the self-signed Root CA certificate or set up an intermediate CA certificate.
  2. Choose the endpoint certificate rotation controls.
  3. Start CA certificate rotation.
    • In the case of a self-signed CA certificate rotation, Oracle Key Vault generates and puts into use a new self-signed CA certificate.
    • In the case of an intermediate CA certificate rotation, the intermediate CA certificate uploaded in an earlier step is put into use.
  4. Monitor the progress of automatic endpoint updates, as each endpoint is issued with new certificates by the new CA certificate.
  5. After all endpoints have been successfully rotated, Oracle Key Vault issues the server or node certificates with the new CA certificate to complete the CA certificate rotation.
  6. Perform post-CA certificate rotation tasks.



    Note:

    Starting with Oracle Key Vault release 21.5, CA certificate rotation is a single-step process: Start CA Certificate Rotation. In Oracle Key Vault release 21.4 and earlier, CA certificate rotation was a two-step process: Start CA Certificate Rotation, followed by Activate CA Certificate.

The CA certificate rotation process is the same for standalone, primary-standby, and multi-master cluster environments. In a multi-master cluster, Oracle recommends that you select one node to drive the CA certificate rotation. Oracle Key Vault automatically synchronizes the certificates to both servers in a primary-standby configuration and to all nodes in a multi-master cluster; you do not have to perform any extra configuration.

19.4.2 Checking for Self-Signed Root CA or Intermediate CA Certificate

Oracle Key Vault uses either a self-signed root CA certificate or an intermediate CA certificate.

To check whether the current Oracle Key Vault CA certificate is a self-signed root CA or an intermediate CA, compare the Common Name and Certificate Issuer fields on the Service Certificates page. If they match (for example, both are CA, or both start with OKV_CA_), the current CA certificate is a self-signed root CA. Otherwise, it is an intermediate CA, and the Certificate Issuer field shows the common name of the trusted third-party CA that issued it.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    In a multi-master cluster environment, you can log in to any node in the cluster.
  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, select Service Certificates.
  4. In the Current CA Certificate area, check and compare the Common Name and Certificate Issuer fields. Help text is available for the Common Name field that indicates whether the CA certificate is a self-signed CA or an intermediate CA.

19.4.3 Setting the Key Length of the CA Certificate

You can select a key length of 2048 bits or 4096 bits for the certificate authority (CA) certificate.

The CA certificate key length also applies to the server certificates, node certificates, and endpoint certificates.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

    In a primary-standby environment, log in to the primary Oracle Key Vault server. In a multi-master cluster environment, you can log in to any node in the cluster.

  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, click Service Certificates.
  4. In the Service Certificates page, select Manage CA Certificate.
  5. In the CA Certificate Details page, select the Self-Signed Root CA option or Intermediate CA option.
  6. Choose the key length from the drop down menu. The default key length value is 2048.
  7. Click Save.

19.4.4 Setting the Validity of Self-Signed Root CA Certificate

You can set the number of days for the validity of a self-signed Root certificate authority (CA) certificate.

The CA certificate validity period acts as an upper limit on the validity period of the server certificates, node certificates and endpoint certificates.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    In a primary-standby environment, log in to the primary Oracle Key Vault server. In a multi-master cluster environment, you can log in to any node in the cluster.
  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, click Service Certificates.
  4. In the Service Certificates page, select Manage CA Certificate.
  5. In the CA Certificate Details page, select the Self-Signed Root CA option (this should be selected by default).
  6. Set the validity value in the Self-Signed Root CA Certificate Validity (in days) field.
    The default is 1095 days (3 years). You can set a maximum of 3650 days (10 years).
  7. Click Save.

    Go to section Rotating CA Certificate to generate and enable the self-signed root CA certificate.

19.4.5 Setting Up the Intermediate CA Certificate

Use the Oracle Key Vault management console to generate the certificate signing request for the intermediate CA certificate, and upload the intermediate CA certificate signed by a trusted third party.

Uploading the intermediate CA certificate does not enable it (that is, it does not put the certificate into use). Perform the following steps to generate the certificate signing request and to upload the signed intermediate CA certificate together with its chain of trust; then rotate the CA certificate, as described in Rotating CA Certificate, to enable it:

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    In a primary-standby environment, log in to the primary Oracle Key Vault server. In a multi-master cluster environment, log in to the node selected for CA certificate rotation in the cluster.
  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, click Service Certificates.
  4. In the Service Certificates page, select Manage CA Certificate.
  5. Under CA Certificate Details, select the Intermediate CA option.
  6. Enter information about your organization in the following fields:
    • Organization Name
    • Country/Region
    • Organization Unit
    • City
    • State/Province
  7. Select Generate Certificate Request.
  8. In the dialog box that lets you know that the generation will take a few minutes, click OK.
  9. After Oracle Key Vault generates the certificate request, in the CA Certificate Details area, select Download Certificate Request to download the certificate request file.

    The certificate signing request file is named as follows:

    OKV_Intermediate_CA_Certificate.csr

    The Intermediate CA Certificate Signing Request Details area shows the details of certificate signing request.

    At this stage, the current CA certificate is still enabled in Oracle Key Vault. The Current Certificate area displays the details of the currently active CA. If you want to cancel the setup of the intermediate CA certificate, then click Abort.

    Illustration: 214_ca_download_certificate_request.png (Download Certificate Request in the CA Certificate Details area)
  10. Have a trusted third party issue the intermediate CA certificate using the downloaded certificate signing request.
  11. Upload the intermediate CA certificate. In the CA Certificate Details area, select Choose File for Intermediate CA Certificate to find and select the intermediate CA certificate file, and then click Upload. In a multi-master cluster environment, you must upload the intermediate CA certificate on the same node where the certificate signing request was downloaded.
  12. Upload the chain of trust for the intermediate CA certificate. In the CA Certificate Details area, select Choose File for Certificate Chain of Trust to find and select the chain of trust file, and then click Upload.
    Illustration: 214_upload_ca_intermediate_and_trust_chain_certificate.png (uploading the intermediate CA certificate and the certificate chain of trust)

    The chain of trust file is a PEM bundle that consists of the CA certificate that the external signing authority used to sign the intermediate certificate signing request (OKV_Intermediate_CA_Certificate.csr), followed by all of the certificates in that CA's trust chain, ordered from the issuing CA up to the root CA.

    For example, suppose that OKV_Intermediate_CA_Certificate.csr has been signed by the external signing authority, and that the generated certificate is called OKV_Intermediate_CA_Certificate.crt. Also suppose that the external signing authority used its CA certificate, CACertA, to generate OKV_Intermediate_CA_Certificate.crt from OKV_Intermediate_CA_Certificate.csr. CACertA was, in turn, issued by CACertB, and CACertB was issued by CACertC. The certificate trust chain file that you upload must consist of CACertA, CACertB, and CACertC, in that order, in PEM bundle format. It must NOT contain OKV_Intermediate_CA_Certificate.crt. For example, assuming that CACertA, CACertB, and CACertC are all certificates in PEM format, where each certificate file is of the form:

    -----BEGIN CERTIFICATE-----
    <cert contents>
    -----END CERTIFICATE-----

    The certificate chain of trust would look like this:

    -----BEGIN CERTIFICATE-----
    <CACertA contents>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <CACertB contents>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <CACertC contents>
    -----END CERTIFICATE-----

    In a multi-master cluster environment, you must upload the certificate chain of trust on the same node where you uploaded the intermediate CA certificate.

    As part of the upload, Oracle Key Vault performs the following validations:
    1. The uploaded intermediate CA is verified using the uploaded certificate chain of trust.
    2. The certificate chain of trust has a depth of less than or equal to 8.

    After the uploads are successful, the Rotate CA Certificate button is displayed.

    Go to section Rotating CA Certificate to enable the uploaded intermediate CA certificate.

    Note:

    • If you set up an intermediate CA certificate, Oracle recommends that its signature algorithm is a SHA-2 algorithm, such as SHA-256.
    • If you set up an intermediate CA certificate, ensure that it can be used as a CA for both TLS clients and servers. Verify this from the certificate's properties: Basic Constraints must be CA:TRUE, Key Usage (if present) must include keyCertSign, and, if an Extended Key Usage extension is present, it must include both TLS Web Server Authentication (serverAuth) and TLS Web Client Authentication (clientAuth).
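The chain-of-trust layout and the pre-upload checks described in this section, together with the expiry monitoring of section 19.3 and the self-signed versus intermediate check of section 19.4.2, as an added OpenSSL example. This is not code from the Oracle Key Vault documentation or product: it simulates the external signing authority with throwaway keys (root CACertC issues CACertB, which issues CACertA, which signs a stand-in for OKV_Intermediate_CA_Certificate.csr), and the directory layout, file names and okv_* function names are assumptions. In a real rotation you would run the check functions against the certificate file returned by your PKI team and the bundle you assembled, before uploading either in the console.

```shell
# Added example, not from the Oracle Key Vault documentation or product. It
# simulates the external PKI described above with throwaway keys (root CACertC
# issues CACertB, which issues CACertA, which signs the OKV intermediate CSR),
# builds the chain-of-trust bundle in the order OKV expects, and runs the
# pre-upload checks and an expiry check with OpenSSL. File names are assumptions.

# Minimal OpenSSL config providing the extension profiles used below.
okv_write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_okv_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Generate a key and CSR for $name, then have $issuer sign it with $profile for $days.
okv_issue() {
  dir=$1; name=$2; issuer=$3; profile=$4; days=$5
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -config "$dir/ext.cnf" -keyout "$dir/$name.key" -out "$dir/$name.csr" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days "$days" -in "$dir/$name.csr" \
    -CA "$dir/$issuer.crt" -CAkey "$dir/$issuer.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions "$profile" -out "$dir/$name.crt" \
    >/dev/null 2>&1
}

# Simulated external PKI: CACertC (self-signed root) -> CACertB -> CACertA,
# then CACertA signs the stand-in OKV_Intermediate_CA_Certificate.csr.
okv_make_demo_pki() {
  dir=$1
  mkdir -p "$dir" && okv_write_config "$dir/ext.cnf" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=CACertC" \
    -config "$dir/ext.cnf" -extensions v3_ca \
    -keyout "$dir/CACertC.key" -out "$dir/CACertC.crt" >/dev/null 2>&1 || return 1
  okv_issue "$dir" CACertB CACertC v3_ca 2000 &&
    okv_issue "$dir" CACertA CACertB v3_ca 1500 &&
    okv_issue "$dir" OKV_Intermediate_CA_Certificate CACertA v3_okv_ca 1095
}

# Chain-of-trust bundle: issuing CA first, then each issuer up to the root.
# The signed intermediate certificate itself is deliberately not included.
okv_build_chain() {
  out=$1; shift
  : > "$out" || return 1
  for c in "$@"; do cat "$c" >> "$out" || return 1; done
}

# Prints "self-signed" if subject and issuer match (section 19.4.2), else "intermediate".
okv_ca_kind() {
  s=$(openssl x509 -in "$1" -noout -subject | tr -d ' ') || return 1
  i=$(openssl x509 -in "$1" -noout -issuer | tr -d ' ') || return 1
  [ "${s#subject=}" = "${i#issuer=}" ] && echo self-signed || echo intermediate
}

# Pre-upload checks: depth <= 8, the chain verifies the intermediate, the intermediate
# is not itself in the chain, SHA-2 signature, usable as a CA for TLS clients and servers.
okv_check_intermediate() {
  crt=$1; chain=$2
  depth=$(grep -c 'BEGIN CERTIFICATE' "$chain" || true)
  [ "$depth" -ge 1 ] && [ "$depth" -le 8 ] || { echo "chain depth $depth out of range"; return 1; }
  openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1 || { echo "$crt does not verify against $chain"; return 1; }
  want=$(openssl x509 -in "$crt" -noout -subject | tr -d ' ')
  if openssl crl2pkcs7 -nocrl -certfile "$chain" | openssl pkcs7 -print_certs -noout \
       | tr -d ' ' | grep -Fxq "$want"; then
    echo "chain must not contain the intermediate certificate itself"; return 1
  fi
  text=$(openssl x509 -in "$crt" -noout -text) || return 1
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || { echo "basicConstraints is not CA:TRUE"; return 1; }
  printf '%s\n' "$text" | grep -Eq 'Signature Algorithm: .*sha(256|384|512)' || { echo "signature is not SHA-2"; return 1; }
  if printf '%s\n' "$text" | grep -q 'Extended Key Usage'; then
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || { echo "EKU lacks serverAuth"; return 1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || { echo "EKU lacks clientAuth"; return 1; }
  fi
  echo "OK: $crt verifies against $chain (depth $depth)"
}

# Expiry alert helper (section 19.3): succeeds if the certificate remains valid
# for at least $2 more days; fails, i.e. raise an alert, if it expires within that window.
okv_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Demo run in a temporary directory.
okv_chain_demo() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  dir=$(mktemp -d) || return 1
  okv_make_demo_pki "$dir" || return 1
  okv_build_chain "$dir/chain_of_trust.pem" "$dir/CACertA.crt" "$dir/CACertB.crt" "$dir/CACertC.crt" || return 1
  echo "CACertC is $(okv_ca_kind "$dir/CACertC.crt"); OKV CA is $(okv_ca_kind "$dir/OKV_Intermediate_CA_Certificate.crt")"
  okv_check_intermediate "$dir/OKV_Intermediate_CA_Certificate.crt" "$dir/chain_of_trust.pem" || return 1
  okv_valid_for_days "$dir/OKV_Intermediate_CA_Certificate.crt" 30 && echo "no expiry alert at a 30-day threshold"
}
okv_chain_demo
```

The script is POSIX sh and needs only OpenSSL. The two negative cases worth trying by hand are a bundle that omits the root (openssl verify then fails with an incomplete chain) and a bundle that wrongly includes the signed intermediate itself (the chain still verifies, so the script checks for that separately, matching the subject line against the bundle contents). okv_valid_for_days uses openssl x509 -checkend, which is what a scheduled job can run against an exported copy of the CA certificate to alert ahead of the console's own threshold.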

19.4.6 Rotating CA Certificate

Use the Oracle Key Vault management console to rotate CA certificate and enable either a self-signed root CA certificate or an intermediate CA certificate.

Back up Oracle Key Vault before you start the certificate rotation process.
CA certificate rotation issues new certificates for the Oracle Key Vault servers, nodes, and endpoints.

Perform these steps to complete the CA certificate rotation process throughout the Oracle Key Vault environment.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.

    In a primary-standby environment, log in to the primary Oracle Key Vault server.

    In a multi-master cluster environment, log in to the node selected for CA certificate rotation in the cluster. If you want to enable an intermediate CA certificate, then ensure that you initiate the CA certificate rotation from the same node where the intermediate certificate was uploaded.

  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, click Service Certificates.
  4. In the Service Certificates page, select Manage CA Certificate.
  5. If you want to enable a self-signed root CA certificate, then in CA Certificate Details Area, select the Self-Signed Root CA option.
    If necessary, set the Self-Signed Root CA Certificate Validity value as described in Setting the Validity of Self-Signed Root CA Certificate.
  6. If you want to enable an intermediate CA certificate, then ensure that the intermediate CA certificate and the certificate chain of trust have been uploaded successfully. The Rotate CA Certificate button is then visible.

    If you do not see the Rotate CA Certificate button, then set up the intermediate CA certificate as described in section Setting Up the Intermediate CA Certificate.

  7. Click Rotate CA Certificate.
  8. In the Manage CA Certificate page, you can set the endpoint certificate rotation controls: the batch size and, in multi-master cluster deployments, the rotation sequence.

    In a multi-master cluster environment, if necessary, choose the sequence in which the endpoint certificates should be rotated, as described in section Setting the Endpoint Certificate Rotation Sequence.


  9. In the Manage CA Certificate page, in the Current CA Certificate area, select Start CA Certificate Rotation.
  10. In the confirmation dialog box, click OK.

    If you enable a self-signed root CA certificate, a new self-signed root CA certificate is created. In a multi-master cluster environment, Oracle Key Vault distributes and installs the newly created self-signed root CA certificate or uploaded intermediate CA certificate to all nodes of the cluster. In a primary-standby environment Oracle Key Vault distributes and installs these certificates to the standby. In case of a standalone environment, Oracle Key Vault simply installs the certificate that you enable.

    At this stage, the endpoints continue to use the certificates issued using the previous CA certificate. The Old CA Certificate area displays the details of the currently active CA. The New CA Certificate area displays the certificate you have rotated to, along with its common name. Additionally, once a CA certificate rotation has begun, a banner is displayed indicating that a CA certificate rotation is in progress and the number of days left until the old CA expires. The banner is periodically updated with the number of days left until the old CA expires, and continues to be displayed until the CA certificate rotation is complete.

    If you want to cancel the rotation process, click Abort CA Certificate Rotation.

    The Abort CA Certificate Rotation operation is available only for the first few minutes. After this, when the Abort CA Certificate Rotation button is no longer visible, Oracle Key Vault automatically begins the process of enabling the new Oracle Key Vault CA certificate.

    Note:

    In Oracle Key Vault 21.4 and earlier, CA certificate rotation involved two steps: Start CA Certificate Rotation, followed by Activate CA Certificate. Starting with Oracle Key Vault 21.5, it is now a single-step process initiated by Start CA Certificate Rotation. Please exercise caution and initiate CA certificate rotation only when fully ready to do so.

    In a multi-master cluster environment, note the following:

    • After the certificate rotation process starts, the details of the newly generated certificate are displayed on the node on which you started the CA rotation. If you refresh the Manage CA Certificate page on each of the other nodes, that page displays a message that the new certificate has been propagated to that node.
    • To access this page, select the System tab, select Settings in the left navigation bar, select Service Certificates, and then select Manage CA Certificate in the Certificates area.
    • The certificate is now distributed to all the nodes. The propagation process takes a few minutes to complete.
    • You can abort the certificate rotation before the point where:
      • All nodes in the cluster have received the new CA certificates.
      • Each node has notified the other nodes that it has received the certificate.

    Periodically refresh the Manage CA Certificate page, in case there are any changes to the rotation status. For example, refresh the page to determine if the Abort CA Certificate Rotation button is no longer displayed.

    Oracle Key Vault automatically initiates the activation when all nodes receive the new CA certificate and displays the message,

    Automatic certificate update of the endpoints is in progress.

    After you click on Start CA Certificate Rotation, you have only a few minutes to cancel the CA certificate rotation process. When the Abort CA Certificate Rotation button is no longer visible, the certificate rotation cannot be aborted and will proceed. It is therefore recommended that you click on Start CA Certificate Rotation only when required.

    The new CA certificate takes a few minutes to propagate to all the nodes and the Manage CA Certificate page on other nodes may show no change in status. Refresh the Manage CA Certificate page on the other nodes till the following message is displayed:

    Automatic certificate update of the endpoints is in progress.

    The new CA certificate is now activated and the Oracle Key Vault servers or nodes begin issuing new endpoint certificates signed by the new CA certificate. The endpoints can now connect to the Oracle Key Vault server or nodes using the endpoint certificate issued by either the new or the old Oracle Key Vault CA. In the background, Oracle Key Vault starts issuing certificates for its endpoints, a few endpoints at a time.

    When a new certificate is generated on Oracle Key Vault for an endpoint, it is not delivered to the endpoint right away. The endpoint receives the new certificate the next time it reaches out to Oracle Key Vault, and in particular, to the server or node that generated the certificate. After the endpoint has received the new certificate, the endpoint must connect to Oracle Key Vault a second time to let the server know that it has successfully received (and is using) the new certificate. When Oracle Key Vault receives this acknowledgment from the endpoint, Oracle Key Vault updates the Common Name of Certificate Issuer field for that endpoint on the Endpoints page to the common name of the new Oracle Key Vault CA certificate.

    Note:

    Periodically check the status of replication across the cluster by viewing either the Cluster Monitoring page or the Cluster Management page. To access either of these pages, click the Cluster tab, and then select either Management or Monitoring in the left navigation bar.
  11. To check if the credentials for an endpoint are updated, click the Check Endpoint Progress button.

    Click the Check Endpoint Progress button to display the Endpoints page.

    For more information, see Checking Certificate Rotation Status for Endpoints.

  12. Complete the CA certificate rotation.

    After Oracle Key Vault issues certificates to all the endpoints using the new CA certificate, the Oracle Key Vault server rotates the server certificates for standalone and primary-standby environments and the node certificates for the cluster environment.

    The CA certificate rotation process is complete when the Manage CA Certificate page no longer lists both certificates but only the new CA certificate. In a multi-master cluster environment, to check if rotation is complete, go to each node and check the Manage CA Certificate page for that node. The CA certificate rotation process is complete when the Start CA Certificate Rotation button is available on the Manage CA Certificate page, along with the Current CA Certificate and Current Server Certificate.

    The CA certificate rotation process is complete when clicking the Manage CA certificate button on the Service Certificates page takes you to the CA Certificate Details page and you can make a choice between the Self-Signed Root CA and Intermediate CA. In a multi-master cluster environment CA certificate rotation process is complete when certificate rotation is complete on every node of the cluster.

    You can initiate another certificate rotation only after all the servers or nodes have completed their certificate rotation process. After you complete the rotation, configure an alert for when the new certificate should be rotated next.

    Note:

    • The CA Certificate rotation process can take several days to complete. Oracle recommends that you start the process ahead of the CA certificate expiration to avoid Oracle Key Vault and endpoint downtime.
    • The CA certificate rotation should be completed before expiration of the old CA to avoid disruption to endpoints. However, if you are unable to complete the CA certificate rotation before expiration of the old CA certificate, Oracle Key Vault forces the CA certificate rotation process to completion by rotating the server or node certificates, to avoid downtime for the Oracle Key Vault deployment. If this happens, some endpoints will need to be re-enrolled, as explained below:
      • All endpoints in the deployment that were successfully rotated will continue to operate with no downtime. However, any endpoints that had not yet been rotated, or were still in the process of being updated when the old CA expired, will experience an outage and will need to be re-enrolled.
      • You can determine which endpoints need to be re-enrolled by logging in to the Oracle Key Vault Management console as a user with the System Administrator role, then navigating to Endpoints, and checking the Common Name of Certificate Issuer field. Any endpoints whose certificate issuer is not the new CA, or in the Updating to Current Certificate Issuer status, will need to be re-enrolled.

19.4.7 Setting the Endpoint Certificate Rotation Batch Size

The endpoint certificate rotation batch size value is the number of endpoints that can be in the ROTATED state on a given Oracle Key Vault server or node during the CA certificate rotation process.

During the CA certificate rotation process, an endpoint is considered to be in the ROTATED state when the Oracle Key Vault server or node has issued the endpoint certificate using the new CA certificate, but the endpoint has not yet received or acknowledged the new endpoint certificate.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    In a primary-standby environment, log in to the primary Oracle Key Vault server.

    In a multi-master cluster environment, log in to the node selected for initiating the CA certificate rotation in the cluster.

  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, click Service Certificates.
  4. In the Service Certificates page, select Manage CA Certificate.
  5. In the CA Certificate Details page, select the Self-Signed Root CA option or the Intermediate CA option (one of these is selected by default). Click Rotate CA Certificate. For the Intermediate CA option, the Rotate CA Certificate button is displayed only after the intermediate CA certificate and its trust chain have been uploaded.
  6. Scroll to the Endpoint Certificate Rotation Controls area.
  7. Enter a value in the Endpoint Certificate Rotation Batch Size field.
    Enter a value from 5 through 50. The default is 15.
  8. Click Save.

19.4.8 Setting the Endpoint Certificate Rotation Sequence

In a multi-master cluster environment, when you rotate the certificate authority (CA) certificate, you broadly set the order in which endpoints are rotated by ordering the cluster subgroups.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    In a primary-standby environment, log in to the primary Oracle Key Vault server.

    In a multi-master cluster environment, log in to the node selected for initiating the CA certificate rotation in the cluster.

  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, click Service Certificates.
  4. In the Service Certificates page, select Manage CA Certificate.
  5. In the CA Certificate Details page, select the Self-Signed Root CA option or the Intermediate CA option (one of these is selected by default). Then click Rotate CA Certificate. For the Intermediate CA option, the Rotate CA Certificate button is displayed only after the intermediate CA certificate and its trust chain have been uploaded.
  6. Scroll to the Endpoint Certificate Rotation Sequence area.
  7. Click Select Cluster Subgroup.
  8. In the Select Cluster Subgroup Order dialog box, move the cluster subgroups that contain the endpoints to rotate to the right, and then use the arrow keys to set their order.
    For example, if this is your priority list:
    1. ClusterSubgroupA (EP1, EP4)
    2. ClusterSubgroupB (EP2, EP3, EP5)
    3. ClusterSubgroupC (EP6, EP7)

    Endpoints EP1 and EP4, which belong to ClusterSubgroupA, will be rotated first. After EP1 and EP4 receive and acknowledge their updated endpoint certificates, the rotation process will move to the next set of endpoints, ClusterSubgroupB (EP2, EP3, EP5).

    You can check if an endpoint has received and acknowledged its new certificate by navigating to the Endpoints page. The endpoint's Certificate Issuer field will change from Updating to Current Certificate Issuer to DN_of_new_OKV_CA.

    Note:

    If you specify the cluster subgroup priority order, then the number of endpoints that are processed at a time may be less than the Endpoint Certificate Rotation Batch Size parameter. For instance, if a given cluster subgroup has far fewer endpoints associated with it than the Endpoint Certificate Rotation Batch Size parameter, then only endpoints from the chosen cluster subgroup are processed. The Oracle Key Vault server or node does not begin processing endpoints from cluster subgroups with a lower priority until certificate rotation is complete for all of the endpoints in the current cluster subgroup.

  9. Click Apply.

Cluster subgroups are usually used to group endpoints in a region or data center. Since the re-issue of endpoint certificates during CA certificate rotation can be a time-consuming process, it is convenient to process endpoints per cluster subgroup for operational simplicity.
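The following Python model, added here as a constructed illustration rather than Oracle Key Vault code, shows how the batch size (section 19.4.7) and the cluster subgroup order (section 19.4.8) together determine which endpoints can be in the ROTATED state at once, including the ClusterSubgroupA/B/C example above and the case where a small subgroup leaves the batch size unused. It assumes that each endpoint is rotated by the node it was created on (the `node` field) and that every endpoint belongs to a subgroup that appears in the chosen sequence; both are modelling assumptions, not documented behaviour.

```python
"""Model of how the endpoint certificate rotation batch size and the cluster
subgroup order sequence endpoint certificate rotation.

Constructed illustration, not Oracle Key Vault code. Modelled from the text:
  * at most `batch_size` endpoints per node may be in the ROTATED state
    (issued a certificate from the new CA, not yet received and acknowledged);
  * endpoints are taken only from the highest-priority subgroup that still has
    unfinished endpoints; lower-priority subgroups wait, so a round may be
    smaller than the batch size.
Assumptions: an endpoint is rotated by the node recorded in its `node` field,
and every endpoint's subgroup appears in the chosen rotation sequence.
"""
from collections import Counter
from dataclasses import dataclass

BATCH_SIZE_MIN, BATCH_SIZE_MAX, BATCH_SIZE_DEFAULT = 5, 50, 15


@dataclass(frozen=True)
class Endpoint:
    name: str
    subgroup: str
    node: str  # assumption: the node that issues this endpoint's certificate


class RotationScheduler:
    def __init__(self, endpoints, subgroup_order, batch_size=BATCH_SIZE_DEFAULT):
        if not BATCH_SIZE_MIN <= batch_size <= BATCH_SIZE_MAX:
            raise ValueError(f"batch size must be {BATCH_SIZE_MIN}..{BATCH_SIZE_MAX}")
        unlisted = sorted({ep.subgroup for ep in endpoints} - set(subgroup_order))
        if unlisted:
            raise ValueError(f"subgroups not in the rotation sequence: {unlisted}")
        self.batch_size = batch_size
        self.order = list(subgroup_order)
        self.pending = {ep.name: ep for ep in endpoints}  # not yet issued
        self.rotated = {}                                  # ROTATED: awaiting ack
        self.done = []                                     # acknowledged, in order

    def current_subgroup(self):
        """Highest-priority subgroup that still has unfinished endpoints, or None."""
        unfinished = {ep.subgroup for ep in self.pending.values()}
        unfinished |= {ep.subgroup for ep in self.rotated.values()}
        for subgroup in self.order:
            if subgroup in unfinished:
                return subgroup
        return None

    def issue(self):
        """Move endpoints into ROTATED up to the per-node limit; return their names."""
        subgroup = self.current_subgroup()
        if subgroup is None:
            return []
        in_flight = Counter(ep.node for ep in self.rotated.values())
        issued = []
        for name, ep in list(self.pending.items()):
            if ep.subgroup != subgroup or in_flight[ep.node] >= self.batch_size:
                continue
            in_flight[ep.node] += 1
            self.rotated[name] = self.pending.pop(name)
            issued.append(name)
        return issued

    def acknowledge(self, name):
        """The endpoint fetched its new certificate and reported back: slot freed."""
        self.done.append(self.rotated.pop(name).name)


def rotation_rounds(endpoints, subgroup_order, batch_size=BATCH_SIZE_DEFAULT):
    """Simplified planning view: every ROTATED endpoint acknowledges before the
    next round is issued. Returns the list of per-round endpoint name batches."""
    scheduler = RotationScheduler(endpoints, subgroup_order, batch_size)
    rounds = []
    while names := scheduler.issue():
        rounds.append(names)
        for name in names:
            scheduler.acknowledge(name)
    return rounds


# Constructed data matching the priority list example in the text above;
# all endpoints are placed on one node so the subgroup order alone is visible.
PAGE_EXAMPLE = [
    Endpoint("EP1", "ClusterSubgroupA", "node1"),
    Endpoint("EP2", "ClusterSubgroupB", "node1"),
    Endpoint("EP3", "ClusterSubgroupB", "node1"),
    Endpoint("EP4", "ClusterSubgroupA", "node1"),
    Endpoint("EP5", "ClusterSubgroupB", "node1"),
    Endpoint("EP6", "ClusterSubgroupC", "node1"),
    Endpoint("EP7", "ClusterSubgroupC", "node1"),
]
PAGE_ORDER = ["ClusterSubgroupA", "ClusterSubgroupB", "ClusterSubgroupC"]

if __name__ == "__main__":
    for i, batch in enumerate(rotation_rounds(PAGE_EXAMPLE, PAGE_ORDER), 1):
        print(f"round {i}: {batch}")
```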

19.4.9 Checking Overall Certificate Rotation Status

Use the Oracle Key Vault management console to check the overall status of a certificate rotation.

After all the endpoints have been updated to use the new certificate, the Oracle Key Vault server begins the process of fully rotating its own server certificates in the background.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the System tab, then Settings in the left navigation side bar.
  3. In the Certificates area, select Service Certificate.
    By default, Service Certificate is selected.
  4. Check the Manage CA Certificate page.
  5. Check the certificate rotation status.

    After you click Manage CA Certificate, if you are directed to the CA Certificate Details page, where you can choose between the Self-Signed Root CA and Intermediate CA options, the certificate rotation is complete. Otherwise, it is still in progress.

    The End Date field in the Service Certificates page should reflect the expiration time of the new CA certificate.

    In a multi-master cluster environment CA certificate rotation process is complete when certificate rotation is complete on every node of the cluster.

    When a CA certificate rotation is in progress, the Oracle Key Vault management console displays a banner to that effect on the Home page and on the Manage Service Certificates page. In a multi-master cluster environment, the presence of the banner on a given node indicates that CA certificate rotation is still in progress on that node.

    You can initiate another certificate rotation only after all the nodes have completed their certificate rotation process.

19.4.10 Checking Certificate Rotation Status for Endpoints

Use the Oracle Key Vault management console to check the status of a certificate rotation for endpoints.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
  2. Select the Endpoints tab.
  3. Select Endpoints.

    In the Endpoints page, the Common Name of Certificate Issuer field lets you track how many endpoints have been issued certificates using the new CA certificate.

    The Common Name of Certificate Issuer field shows whether the endpoint certificate was issued by the old CA or the new CA, or whether the endpoint is in the process of updating its endpoint certificate.

    For an endpoint whose endpoint certificate:
    • Has been issued using the new CA certificate, the Common Name of Certificate Issuer field shows the common name of the new CA.
    • Is in the process of being issued using the new CA certificate, the Common Name of Certificate Issuer field shows Updating to Current Certificate Issuer.
    • Has not been issued using the new CA certificate, the Common Name of Certificate Issuer field shows the common name of the old CA.

    Note:

    If there are errors with the certificate rotation of an endpoint, then Oracle recommends that you re-enroll the endpoint.

19.4.11 Post-CA Certificate Rotation Tasks

After you complete the CA certificate rotation, perform the post-rotation tasks.

  • If you had previously downloaded the Oracle Key Vault RESTful services software utility (okvrestclipackage.zip), then download it again to continue to use the RESTful services utility.

    Ensure that you have fully rotated the certificate, across all the nodes in a multi-master cluster environment and in the servers of a primary-standby environment, before you download okvrestclipackage.zip.

    To do this, select the Endpoint Enrollment and Software Download link on the Oracle Key Vault management console login page. Select the Download RESTful Service Utility tab, and then click Download to download the okvrestclipackage.zip file to a secure location.

  • Update the backup destinations.

    After the CA certificate rotation, each server or node will have been issued a new certificate. The public key of the Oracle Key Vault node or server will also have changed. You need to copy the public key that appears in the Public Key field on the Backup Destination Details page and then paste it in the appropriate configuration file, such as authorized_keys, on the backup destination server.

    To do so, navigate to the System tab, then Settings in the left navigation side bar. In the System Configuration area, select Backup and Restore. Click Manage Backup Destination to view all backup destinations, and then click Create. The Public Key field shows the new public key.

  • Back up all Oracle Key Vault nodes and servers.

    It is important to perform this backup operation after the certificate rotation is complete. Later, if you have to restore a backup, the backup to restore must have been initiated after the CA certificate rotation. Restoring a backup taken before the CA certificate rotation can make the Oracle Key Vault server available, but the endpoints will not be able to connect to the restored server: the CA certificate of the restored system may have expired, and the endpoints would be using endpoint certificates issued by the new CA, which is not present in a backup taken before the CA certificate rotation.

19.4.12 Factors Affecting CA Certificate Rotation Process

Consider these factors that affect the certificate authority (CA) certificate rotation process in cluster environments.

The duration of CA certificate rotation is determined by how quickly the CA, node, and endpoint certificates are rotated. The endpoint certificate rotation takes the most time.

During the CA certificate rotation process, Oracle Key Vault rotates certificates for endpoints in batches on each node of the cluster, with an upper limit on the number of endpoints that are allowed to be in the ROTATED state at any one time. The number of endpoints that can be in a ROTATED state at any given time on an Oracle Key Vault node is defined by the endpoint certificate rotation batch size. The endpoint must receive its new certificate from the issuing node and acknowledge the receipt of the certificate back to the issuing node. An endpoint must have created at least one object for it to receive the certificate.

Note:

Generally, the node that issues an endpoint's certificate is one of those in the endpoint's affiliated cluster subgroup.

The following factors affect the endpoint certificate rotation process:

  • In order to receive the new certificates, the endpoint must reach out to the issuing node on which its certificates have been generated. Since the endpoint can communicate with any node in the endpoint node scan list, the endpoint may run many operations before it reaches the creator node and receives its certificate. The endpoint also has to acknowledge the receipt of the new certificates by reaching out to a node in the cluster.
  • The endpoint certificate rotation time increases with the number of nodes in the cluster. The endpoints prioritize the nodes in their local subgroup, so consider setting a different subgroup for each node during the CA certificate rotation.
  • The endpoint certificate rotation batch size applies to each node of the cluster. So, if the endpoints are created on each node evenly, each node will rotate the number of endpoints equal to the batch size simultaneously. However, if all the endpoints are created on a single node, then the certificate rotation burden for all the endpoints will fall on that one node instead of being distributed across other nodes.
  • For faster endpoint certificate rotation and general load balancing in the cluster, consider distributing the endpoint creation among all nodes of the cluster.
  • If the endpoints were created before an upgrade from Oracle Key Vault release 12.2, then the endpoints may all be associated with one single node. This can make the rotation process slower than if the endpoints had been created on different cluster nodes.
  • An endpoint can only successfully receive an update if it has at least one object uploaded to the Oracle Key Vault server. You can check if the endpoint has objects by executing the okvutil list command.
  • For any endpoint that is stalling the endpoint certificate rotation, consider re-enrolling the endpoint or running the okvutil list command. You can also suspend or delete the endpoint.

19.4.13 Guidelines for Managing CA Certificate Rotations

Consider these Oracle Key Vault guidelines for managing the certificate authority (CA) certificate.

Guidelines for Endpoint Software Versions

  • For self-signed root CA certificate rotation, ensure that the endpoint software on all endpoints is at version 18.2.0.0.0 or later.
  • For intermediate CA certificate rotation, ensure that the endpoint software on all endpoints is at version 21.4.0.0.0 or later.
  • Upgrade the endpoint software to the same version as Oracle Key Vault before initiating a CA certificate rotation to ensure that the latest fixes to certificate rotation are also available on the endpoint software.

Recommendations for CA Certificate Rotation

  • In a multi-master cluster environment, Oracle recommends that you initiate the rotation from one node only. Use this node to complete the CA certificate rotation process. If that node becomes unavailable during certificate rotation, pick another node and use it to complete the rest of the CA certificate rotation process. Do not otherwise switch nodes while performing certificate rotation.
  • Before performing a CA certificate rotation, back up the Oracle Key Vault system.
  • If a given endpoint does not receive its re-issued endpoint certificate due to network or other issues, Oracle recommends that you re-enroll the endpoint. If it is unused and no longer needed, you can also choose to suspend or delete it.
  • If an endpoint uses the persistent master encryption key cache, it is recommended that the PKCS11 Persistent Cache Refresh Window parameter be set to a large value before initiating a CA certificate rotation process. You can find the current certificate rotation status by going to the Endpoints page and looking at the Common Name of Certificate Issuer field.

Checks Before Initiating CA Certificate Rotation

  • Before beginning certificate rotation, ensure that the recovery pass phrase is the same across all multi-master cluster nodes.
  • You cannot perform a CA certificate rotation when a backup operation or a restore operation is in progress.
  • Depending on the deployment, the CA certificate rotation process can take several days to complete; begin the CA certificate rotation well in advance of the CA certificate expiry.
  • Before beginning the CA certificate rotation, identify all unused endpoints and either delete or suspend them. Suspended endpoints will be skipped during a CA certificate rotation and will not be issued with a new certificate issued by the new CA. If you do not delete or suspend such endpoints, the CA certificate rotation will stall and you will need to re-enroll those endpoints to allow the rotation to complete.
  • You can identify unused endpoints from the Oracle Key Vault management console by navigating to Endpoints, then clicking on the Endpoints tab in the left navigation bar. This brings up the Endpoints page, listing all endpoints in the deployment. Check the Last Active Time column to determine when a given endpoint last reached out to Oracle Key Vault. You can delete or suspend all endpoints whose Last Active Time column shows that they have been inactive.
  • Ensure node addition is not in progress. Do not initiate a CA certificate rotation while a node addition is in progress.
  • Ensure that no node operation is in progress. Do not attempt node operations (such as adding or disabling nodes) while a CA certificate rotation is in progress.
  • In a multi-master cluster environment, ensure that all the nodes are active. Do not initiate CA certificate rotation until all nodes in the cluster are active. You can check whether a node is active on the Cluster Monitoring page: click the Cluster tab, and then select Monitoring from the left navigation bar.
  • In a primary-standby environment, ensure the primary server is active. Do not perform CA certificate rotation if the primary server is in read-only restricted mode. Only initiate a CA certificate rotation when both servers in the configuration are active and synchronized with each other.
  • Ensure endpoint certificate rotation is not in progress. Do not initiate a CA certificate rotation while an endpoint certificate rotation is being performed.

Expired CA Certificate

  • Do not upgrade Oracle Key Vault if the CA certificate has already expired. The upgrade will fail.
  • In Oracle Key Vault release 21.5 and later, you cannot start a CA certificate rotation if the CA has already expired. You must generate a new CA certificate manually and re-enroll all endpoints instead. See section 17.6, Managing the Oracle Key Vault CA Certificate after it has expired, for details on how to do so. In Oracle Key Vault 21.4 and earlier, contact Oracle Support.

Certificate Rotation for Non-Oracle Database

  • For an endpoint that does not automatically reach out to the Oracle Key Vault server (for example, an ACFS endpoint), use the okvutil list command to fetch the endpoint certificate.
  • You may need to run okvutil list more than once to ensure that the command reaches the cluster node that regenerated the endpoint's certificate. Also, ensure that the endpoint has access to at least one security object.

19.5 Managing Server Certificates and Node Certificates Rotation

Use the Oracle Key Vault management console to rotate server or node certificates.

19.5.1 About Server Certificates and Node Certificates Rotation

Oracle Key Vault uses server certificates to communicate with its endpoints. Oracle Key Vault cluster nodes use node certificates to communicate with each other and with the endpoints.

These certificates are referred to as server certificates for standalone and primary-standby configurations and as node certificates in multi-master cluster configurations. The Oracle Key Vault certificate authority (CA) certificate issues these certificates.

You can rotate just these certificates, independently of the CA certificate rotation process. Doing so has no impact on the certificate expiry dates of the Oracle Key Vault CA or on any endpoints.

It is useful to rotate just the server and node certificates in situations where the Oracle Key Vault CA is still valid for much longer, but the server or node certificate will expire soon. This can happen because the CA validity is usually longer than the server or node certificate validity.

The server or node certificate rotation process is described below:
  • Set the validity of the server or node certificate
  • Rotate server or node certificate

19.5.2 Configuring Certificate Validity Period for Server and Node Certificates

You can configure the validity period for server or node certificates in the Oracle Key Vault management console.

The certificate validity period takes effect the next time you rotate the server or node certificates. It is also applied to the server or node certificates generated as part of a CA certificate rotation, and to the node certificate of a new node when you add it to the cluster. Irrespective of the value that the server or node certificate validity is set to, when the certificates are eventually generated, Oracle Key Vault ensures that their expiry date is earlier than that of the CA certificate.

  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    In a multi-master cluster environment, you can log in to any node in the cluster.
  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, select Service Certificates.
  4. Depending on your environment, perform the following:
    • In a standalone or primary-standby environment: In the Current Server Certificate area, select Manage Server Certificate.
    • In a multi-master cluster environment: In the Current Node Certificate area, select Manage Node Certificate.
  5. In the Server Certificate Validity (in days) or Node Certificate Validity (in days) field, enter a value between 365 days (the minimum and the default) and 1095 days for this setting.
  6. Click Save.

19.5.3 Rotating Server Certificates and Node Certificates

You can rotate server certificates and node certificates in the Oracle Key Vault management console.

Before you perform the rotation, ensure that you read the guidelines for rotating server certificates and node certificates.
  1. Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
    In a multi-master cluster environment, you can log in to any node in the cluster.
  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, select Service Certificates.
  4. Depending on your environment, perform the following:
    • In a standalone or primary-standby environment: In the Current Server Certificate area, select Manage Server Certificate.
    • In a multi-master cluster environment: In the Current Node Certificate area, select Manage Node Certificate.
  5. If required, in the Server Certificate Validity (in days) field (for standalone or primary-standby environments) or Node Certificate Validity (in days) field (for multi-master cluster environments), enter a value between 365 days (the minimum and the default) and 1095 days for this setting.
    Wait several minutes to make sure that this setting takes effect, particularly in a multi-master cluster environment. When the change is visible across all cluster nodes (navigate to the same page on each node to verify), you are ready to initiate a server or node certificate rotation.
  6. Depending on your environment, do the following:
    • In a standalone or primary-standby environment: Select Generate Server Certificate.
    • In a multi-master cluster environment: Select Generate Node Certificate.
  7. In the confirmation window, click OK.
    This process can take several minutes to complete. It may also result in a momentary disruption of endpoint servicing.
If the process successfully completes, then the Current Server Certificate (for standalone or primary-standby environments) and the Current Node Certificate (for multi-master cluster environments) sections display new values for the End Date and Expiring in settings. In a multi-master cluster environment, you can view the expiry dates of all the node certificates in the cluster in the Cluster Node Certificate Details area.
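After a rotation, a practitioner will usually want to confirm the three properties section 19.5 describes from outside the console: the new server or node certificate chains to the Oracle Key Vault CA, it expires before the CA certificate does, and its validity lies within the configurable 365 to 1095 day window. The shell script below is an added example and not Oracle Key Vault code; it assumes the CA certificate and the new server or node certificate are available as PEM files (how they are exported is not covered on this page, so the script constructs its own sample certificates instead), and it requires openssl and GNU date. All file names and subject names are constructed for the example.

```shell
#!/bin/sh
# Added example (not Oracle Key Vault code). Checks a rotated server/node
# certificate against the CA certificate:
#   1. it chains to the CA,
#   2. its notAfter is earlier than the CA's notAfter,
#   3. its validity is within 365..1095 days.
# Requires openssl and GNU date (for parsing notBefore/notAfter).

# Print notAfter / notBefore of a PEM certificate as Unix epoch seconds.
cert_not_after_epoch() {
    date -u -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s
}
cert_not_before_epoch() {
    date -u -d "$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)" +%s
}

# check_node_cert CA.pem NODE.pem
# Returns 0 when all three checks pass, 1 otherwise, printing the reason.
# An expired CA fails check 1, matching the guideline not to rotate server
# certificates once the CA certificate has expired.
check_node_cert() {
    ca=$1; node=$2
    if ! openssl verify -CAfile "$ca" "$node" >/dev/null 2>&1; then
        echo "FAIL: $node does not chain to a currently valid $ca"; return 1
    fi
    ca_end=$(cert_not_after_epoch "$ca")
    node_end=$(cert_not_after_epoch "$node")
    node_start=$(cert_not_before_epoch "$node")
    if [ "$node_end" -ge "$ca_end" ]; then
        echo "FAIL: $node expires at or after the CA certificate"; return 1
    fi
    days=$(( (node_end - node_start) / 86400 ))
    if [ "$days" -lt 365 ] || [ "$days" -gt 1095 ]; then
        echo "FAIL: $node validity is $days days, outside 365..1095"; return 1
    fi
    echo "OK: $node chains to CA, valid $days days, expires before the CA"
    return 0
}

# Constructed sample material: a self-signed CA valid 1095 days and two node
# certificates issued by it, one compliant (400 days) and one that would
# outlive the CA (2000 days). Real deployments export these from the system.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example OKV CA" \
    -days 1095 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=okv-node1.example" \
    -keyout "$WORK/node.key" -out "$WORK/node.csr" 2>/dev/null
openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 400 -out "$WORK/node_ok.pem" 2>/dev/null
openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2000 -out "$WORK/node_bad.pem" 2>/dev/null

check_node_cert "$WORK/ca.pem" "$WORK/node_ok.pem"
check_node_cert "$WORK/ca.pem" "$WORK/node_bad.pem" || true   # expected to fail
```

The second sample certificate is deliberately issued for longer than the CA's remaining lifetime; Oracle Key Vault itself prevents that outcome, so a FAIL on the expiry check against a real certificate indicates the wrong CA file was supplied, not a product fault.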

19.5.4 Guidelines for Rotating Server Certificates and Node Certificates

Review these guidelines before you perform a rotation of server certificates or node certificates.

  • Do not perform a certificate authority (CA) certificate rotation while a server or node certificate rotation is in progress.
  • Do not perform a server or node certificate rotation while a CA certificate rotation is in progress.
  • Do not perform a server or node certificate rotation while an endpoint certificate rotation is in progress.
  • Do not perform a node certificate rotation on one node while another is in progress on a different node.
  • Do not alter the CA certificate validity period while a CA certificate rotation is in progress.
  • Do not attempt to rotate the server certificates if the CA certificate is already expired.
  • Do not alter the Server Certificate Validity (in days) field (for standalone or primary-standby environments) or Node Certificate Validity (in days) field while either a CA certificate rotation or a server or node certificate rotation is in progress.

19.6 Managing the Oracle Key Vault CA Certificate After Expiry

You cannot start a CA certificate rotation when the Oracle Key Vault CA certificate has already expired.

Once the CA certificate has expired, endpoints cannot communicate with Oracle Key Vault, which results in an outage; in a multi-master cluster environment, the Oracle Key Vault nodes also cannot communicate with each other. In such a scenario, you must regenerate a new CA certificate manually using the steps outlined below.

In a multi-master cluster environment, this new CA certificate must be distributed from the generating node to all other nodes. After the CA certificate has been distributed across the cluster, you must rotate the node certificates on each cluster node in turn.

Finally, you must re-enroll all endpoints; they remain out of service until they have been re-enrolled. Oracle recommends that you configure alerts for CA certificate expiration and complete the CA certificate rotation before the CA certificate expires (see Managing CA Certificate Rotation), in preference to the steps below. This ensures that the CA certificate rotation is completed with minimal disruption to endpoints and, in a multi-master cluster environment, to the Oracle Key Vault cluster nodes.
Back up Oracle Key Vault before commencing with these steps.

To manually issue a new CA certificate after the current CA certificate has expired, perform the following steps.

  1. Log into the Oracle Key Vault management console as a user with the System Administrator role.
    • In a primary-standby environment: Log into the Oracle Key Vault primary server.
    • In a multi-master cluster environment: Select a node to generate a new CA certificate and log into that node. If you want to enable an intermediate CA certificate, then log into the node where the intermediate CA certificate was previously uploaded.
  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, click Service Certificates.
  4. In the Service Certificates page, select Manage CA Certificate.
    The current CA certificate details, including its start and end date, are displayed, as well as a message to the effect that the CA certificate has expired.
  5. Click on Check Expired CA Certificate Rotation Status.
  6. In the confirmation dialog box, click OK. In the backend, this performs a series of checks on the Oracle Key Vault system.
  7. In a multi-master cluster environment, you must perform steps 1 - 6 on each node of the cluster.
  8. On successful validation, the Generate New CA Certificate button becomes active. In a multi-master cluster environment, an additional button, Upload CA Certificate Bundle, is shown.

    Note:

    These buttons are shown on each node of a multi-master cluster only if the checks are completed successfully on that node. If the checks are unsuccessful on any cluster node or if the Generate New CA Certificate and Upload CA Certificate Bundle buttons do not show on every node of the cluster, then do not proceed to the next step. Contact Oracle Support.
  9. On the Oracle Key Vault system selected for generation of the new CA certificate in step 1, click on Generate New CA Certificate.

    In a primary-standby environment, this is the Oracle Key Vault primary server.

    In a multi-master cluster environment, this is the cluster node that was chosen in step 1 to generate the new CA. If you want to enable an intermediate CA certificate, then this is the node that the intermediate CA was uploaded on before the current CA expired.

  10. Click OK in the confirmation box. In the backend, this generates a new CA certificate.
    In a multi-master cluster environment, this also creates a certificate bundle that is made available to download. The bundle must be stored in a safe place because it must be distributed to all cluster nodes.
  11. Refresh the page on the Oracle Key Vault management console on which the new CA certificate was generated. The Complete CA Certificate Rotation button is now active. Additionally, other details of the new CA certificate, such as the certificate common name and certificate fingerprint are displayed.

    (Illustration: 21.5_complete_ca_certificate_rotation.png)

    In a multi-master cluster environment, proceed to step 12. In standalone and primary-standby environments, proceed to step 15.

  12. In a multi-master cluster environment, log into a node of the cluster other than the one on which the CA certificate was generated. Click on Upload CA Certificate Bundle and upload the bundle that was downloaded in step 10. When this successfully completes, details of the new CA are displayed, including the common name of the CA and its certificate fingerprint. Compare these details with those displayed on the generating node (see step 11).
  13. If any of the details of the new CA certificate uploaded in step 12 do not match with the details displayed on the generating node in step 11, then click on Abort and repeat step 12 again. Proceed to step 14 only after the CA certificate details on this node match with that of the generating node.
  14. Perform step 12 (and if necessary, step 13) on every node of the cluster other than the generating node. Proceed to step 15 only after the CA certificate bundle has been uploaded to all nodes of the cluster, and the certificate details have been verified to be an exact match across all nodes.
  15. Click on Complete CA Certificate Rotation. In the confirmation dialog box, click OK. This process may take several minutes to complete.

    In the backend, this generates new server or node certificates, issued by the new CA that was generated in step 9. In a primary-standby environment, this operation must be performed on the Oracle Key Vault primary server. In a multi-master cluster environment, this operation must be performed on every node of the cluster, one after the other.

  16. In case of an error, click Abort. In a multi-master cluster environment, you can upload the certificate bundle and try performing the process again.
  17. You can also select Complete CA Certificate Rotation again.

    Note:

    In a multi-master cluster environment, proceed to the next steps only after successful certificate validation on all nodes.
  18. In a multi-master cluster environment, check the Cluster Monitoring pages to verify that communication is restored between all cluster nodes. Also consider testing replication between nodes by creating a wallet on each node of the cluster and verifying that it transitions from the PENDING to ACTIVE state.
  19. Re-enroll all the Oracle Key Vault endpoints.
  20. Complete the recommended post-recovery tasks: download the Oracle Key Vault RESTful services utility again and, if required, update the Oracle Key Vault remote backup destination configuration file with the new public key.
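Steps 12 to 14 above hinge on the common name and fingerprint of the new CA matching exactly on every node before the rotation is completed. The script below is an added example, not Oracle Key Vault code, that performs that comparison from the command line on CA certificates exported from each node as PEM files, so that the cross-node check does not rely on reading fingerprints off a screen. It requires openssl; the node names and certificate files are constructed for the example, and the third sample node deliberately holds a different certificate to show what a mismatch looks like.

```shell
#!/bin/sh
# Added example (not Oracle Key Vault code). Compares the CA certificate on
# each cluster node against the one on the generating node by subject and
# SHA-256 fingerprint, the two details the console shows in steps 11-13.

# ca_details CERT.pem -> prints "<sha256 fingerprint> <subject>" on one line.
ca_details() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    echo "$fp $subj"
}

# compare_ca_across_nodes GENERATING.pem NODE2.pem [NODE3.pem ...]
# Returns 0 only when every node file matches the generating node's CA
# exactly; prints each mismatch. A mismatching node is the one on which
# step 13 says to Abort and upload the bundle again.
compare_ca_across_nodes() {
    ref=$1; shift
    ref_details=$(ca_details "$ref")
    echo "generating node: $ref_details"
    rc=0
    for f in "$@"; do
        d=$(ca_details "$f")
        if [ "$d" = "$ref_details" ]; then
            echo "MATCH    $f"
        else
            echo "MISMATCH $f: $d"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: node2 received the bundle correctly (identical CA),
# while node3 still holds a different, stale CA certificate.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example OKV CA (new)" \
    -days 1095 -keyout "$WORK/new.key" -out "$WORK/node1_ca.pem" 2>/dev/null
cp "$WORK/node1_ca.pem" "$WORK/node2_ca.pem"
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example OKV CA (old)" \
    -days 1095 -keyout "$WORK/old.key" -out "$WORK/node3_ca.pem" 2>/dev/null

compare_ca_across_nodes "$WORK/node1_ca.pem" "$WORK/node2_ca.pem" "$WORK/node3_ca.pem" || true
```

Comparing the full SHA-256 fingerprint rather than only the common name matters: two CA certificates generated on different nodes can carry the same common name yet be different keys, and only the fingerprint distinguishes them.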

19.7 Configuring Oracle Key Vault with an Alternate Hostname

You can configure Oracle Key Vault with an alternate hostname, that is, a fully-qualified domain name (FQDN) or a secondary IP address.

19.7.1 About Configuring Oracle Key Vault with an Alternate Hostname

An Oracle Key Vault system is configured with an IP address when it is first installed (modifiable until it is converted to a multi-master cluster node).

Its endpoints communicate with it via this IP address, which they read from their configuration files (okvclient.ora or okvrestcli.ini). The Oracle Key Vault IP address therefore serves as the primary identity of the server/node for communication with its endpoints. In the case of systems deployed on Oracle Cloud Infrastructure (OCI) compute instances, which may have two IPs (a public IP and a private IP), endpoint communication is via the private IP by default.

You can configure Oracle Key Vault to allow its endpoints to communicate with it via a FQDN or an alternate IP address (hereinafter referred to as alternate hostname). The configuration is a two-step process - first, provide the alternate hostname as input and regenerate Oracle Key Vault server/node certificates; next, choose the hostname that you wish endpoints to use when communicating with the server/node.

Note:

  • This feature is available only in standalone and multi-master cluster deployments. It is not available in primary-standby deployments (deprecated in Oracle Key Vault release 21.5).
  • The networking changes to set up an alternate IP address or fully-qualified domain name are out of scope of this document. The steps below refer only to changes that must be made on the Oracle Key Vault server/node to allow endpoint communication via the new alternate hostname.

19.7.2 Configuring Oracle Key Vault Alternate Hostname on the Management Console

You can configure alternate hostnames on the Oracle Key Vault management console. The alternate hostname must be a valid IP address or a fully-qualified domain name (FQDN).

Up to two alternate hostnames can be configured for a given Oracle Key Vault server/multi-master cluster node. You can choose one of these alternate hostnames (or the Oracle Key Vault server/node IP address) as the hostname for endpoints to use when communicating with the system.
Configuring the alternate hostname requires rotating the Oracle Key Vault server/node certificates. Ensure that you follow the guidelines for server/node certificate rotation when doing so.
  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role. In a multi-master cluster environment, you must log into the management console of the node whose alternate hostname you are configuring.
  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, select Service Certificates.
  4. In a standalone environment, select Manage Server Certificate. In a multi-master cluster environment, select Manage Node Certificate. Alternate hostnames cannot be configured in primary-standby deployments.
  5. Depending on the environment, do the following:
    1. In a standalone environment, on the Server Certificates Details page, scroll down to the Current Server Alternate Hostname area. Enter a valid IP address or fully-qualified domain name (FQDN) in the Alternate Hostname1 field. If desired, enter a different IP address or FQDN in the Alternate Hostname2 field. Select Generate Server Certificate.
    2. In a multi-master cluster environment, on the Node Certificates Details page, scroll down to the Current Node Alternate Hostname area. Enter a valid IP address or fully-qualified domain name (FQDN) in the Alternate Hostname1 field. If desired, enter a different IP address or FQDN in the Alternate Hostname2 field. Select Generate Node Certificate.
  6. In the confirmation window, select OK.
    This process can take several minutes to complete.
  7. After the server/node certificates have been successfully generated, the alternate hostname(s) can be viewed in the Current Server Certificate (in standalone environments) or Current Node Certificate (in multi-master clusters) section. In a multi-master cluster environment, the alternate hostname(s) used by each multi-master cluster node can be viewed in the Cluster Node Certificates Details section of the Node Certificates Details page.

19.7.3 Choosing the Alternate Hostname to Use in Endpoint Configuration

After successfully configuring Oracle Key Vault with one or more alternate hostnames, you can choose one of these alternate hostnames as the identity that endpoints will use when connecting to the Oracle Key Vault server/multi-master cluster node.

  1. Log into the Oracle Key Vault management console as a user who has the System Administrator role. In a multi-master cluster environment, you must log into the management console of the node whose alternate hostname you are configuring.
  2. Select the System tab, then Settings from the left navigation side bar.
  3. In the Certificates area, select Service Certificates.
  4. In a standalone environment, select Manage Server Certificate. In a multi-master cluster environment, select Manage Node Certificate. Alternate hostnames cannot be configured in primary-standby deployments.
  5. Depending on the environment, do the following:
    1. In a standalone environment, scroll down to the Current Server Alternate Hostname section.
    2. In a multi-master cluster environment, scroll down to the Current Node Alternate Hostname section.
  6. In the Hostname to use in Endpoint Configuration drop-down menu, choose the desired hostname for endpoints to use, and select Save.
  7. In the confirmation window, select OK. In a multi-master cluster environment, wait for a few minutes for this change to propagate to all nodes of the cluster.
    New endpoints that are registered with Oracle Key Vault now use this desired hostname to communicate with the Oracle Key Vault server/node. Existing Oracle Key Vault endpoints will be notified of the alternate hostname when they next reach out to Oracle Key Vault, and subsequently use the alternate hostname for communication.

19.7.4 Guidelines for Configuring Alternate Hostnames

Review these guidelines before configuring an alternate hostname for endpoints to communicate with Oracle Key Vault.

  • Configure the alternate hostname during initial setup of the Oracle Key Vault deployment, before registering endpoints.
  • In a multi-master cluster environment, each node must be given its own (unique) alternate hostname. Configure the alternate hostname one node at a time, after all nodes have been added to the multi-master cluster.
  • Alternate hostnames cannot be configured or used by endpoints in primary-standby deployments.
  • Configuring an alternate hostname requires rotating the Oracle Key Vault server/node certificates. Follow the guidelines for rotating server/node certificates during the configuration.
  • Up to two alternate hostnames can be configured for a given Oracle Key Vault server/node. However, only one of these values may be chosen as the hostname for endpoints to use when reaching out to the server/node.
  • Before updating the Hostname to use in Endpoint Configuration, verify network connectivity using the desired alternate hostname.
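Sections 19.7.2 and 19.7.4 tie the alternate hostname to a server or node certificate regeneration, and the last guideline asks you to verify the alternate hostname before switching endpoints to it. The script below is an added example and not Oracle Key Vault code; it checks, offline, that a regenerated certificate actually carries a given alternate hostname. It assumes that the alternate hostname is recorded in the certificate's subject alternative name (an assumption; the page states only that the certificate must be regenerated), it handles IPv4 addresses and DNS names only, and it requires openssl 1.1.1 or later for the -ext and -addext options. The sample certificate, addresses and names are constructed for the example.

```shell
#!/bin/sh
# Added example (not Oracle Key Vault code). Checks whether a server/node
# certificate lists a hostname or IPv4 address in its subjectAltName,
# assuming that is where Oracle Key Vault records alternate hostnames.

# cert_has_hostname CERT.pem NAME
# NAME is matched against "DNS:" entries, or against "IP Address:" entries
# when it consists only of digits and dots (IPv4). Returns 0 if present.
cert_has_hostname() {
    cert=$1; name=$2
    # Drop the "X509v3 Subject Alternative Name:" header line, then put
    # each comma-separated entry on its own line without leading blanks.
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
           | tail -n +2 | tr ',' '\n' | sed 's/^[[:space:]]*//')
    case $name in
        *[!0-9.]*) label="DNS:$name" ;;
        *)         label="IP Address:$name" ;;
    esac
    echo "$sans" | grep -qx "$label"
}

# Constructed sample: a self-signed node certificate whose SAN carries the
# node IP plus the two alternate hostnames entered in the console.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=okv-node1" \
    -addext "subjectAltName=IP:192.0.2.10,DNS:okv1.example.com,IP:198.51.100.7" \
    -keyout "$WORK/node.key" -out "$WORK/node.pem" 2>/dev/null

for n in okv1.example.com 198.51.100.7 okv2.example.com; do
    if cert_has_hostname "$WORK/node.pem" "$n"; then
        echo "present: $n"
    else
        echo "absent:  $n"
    fi
done
```

For the live connectivity check the guideline asks for, the same idea applies end to end: connect to the alternate hostname and confirm that the certificate the server presents is the regenerated one and includes that name; a name that is reachable on the network but absent from the certificate would still leave endpoints unable to validate the server once they switch to it.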