Editing Certificate Authority Rules

You can edit a CA's expiry rule to change the maximum amount of time that a certificate or subordinate CA issued by the CA is valid.

Changes apply only to certificates and subordinate CAs that the CA issues after the change; certificates already issued keep their existing validity. Before you can edit the expiry rule again, any previous change to it must have completed and the CA must be in the Active state.

    1. Open the navigation menu and click Identity & Security.
    2. Under Certificates, click Certificate Authorities.
    3. From the list of CAs in the compartment, click the name of the CA with the expiry rule that you want to update.

      To find a CA in a different compartment, under List scope, choose a different compartment.

    4. Under Resources, click Rules, and then click Edit Expiry Rule.
    5. Enter a new value for either or both of the following settings:
      • Maximum Validity Duration for Certificates (Days): The maximum number of days that a certificate issued by this CA can be valid. We strongly recommend a validity period of no more than 90 days.
      • Maximum Validity Duration for Subordinate CA (Days): The maximum number of days that a CA issued by this CA can be valid to issue other CAs or certificates.
    6. Click Submit.
  • The command you use to update a CA's expiry rule depends on whether it is a root CA or a subordinate CA.

    To edit the expiry rule for a root CA, run the oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details command with the required parameters:

    oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id <CA_OCID> --certificate-authority-rules <CA_expiry_rules>

    For example:

    oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --certificate-authority-rules file://path/to/expiryrules.json

    To edit the expiry rule for a subordinate CA, open a command prompt and run the oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca command with the required parameters:

    oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id <CA_OCID> --certificate-authority-rules <CA_expiry_rules>

    For example:

    oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --certificate-authority-rules file://path/to/expiryrules.json

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
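    The commands above take the new rule as a JSON file (file://path/to/expiryrules.json), and the page notes that the CA must be Active before another edit is accepted. The following shell script is an added example, not part of the OCI documentation or the OCI CLI: it builds that rules file from two day counts, refuses values that are not positive whole numbers or that would let a leaf certificate outlive the subordinate CAs this CA issues, warns when the leaf validity exceeds the 90 days recommended above, checks the CA's lifecycle state before updating, and then runs the root-CA command from the page. It assumes the rule object is a CERTIFICATE_AUTHORITY_ISSUANCE_EXPIRY_RULE whose durations are ISO 8601 strings such as P90D, that `oci certs-mgmt certificate-authority get` prints the CA as JSON with a "lifecycle-state" key, and that the OCID is a placeholder; confirm the rule field names against the CLI Command Reference for your release. The sample get responses at the bottom are constructed so the state check can be exercised without a tenancy.

```shell
#!/bin/sh
# Added example (not from the OCI documentation or CLI): build the JSON passed via
# --certificate-authority-rules and gate the update on the CA being ACTIVE.
#
# ASSUMPTIONS (verify against the CLI Command Reference):
#  - rule shape: ruleType CERTIFICATE_AUTHORITY_ISSUANCE_EXPIRY_RULE with
#    leafCertificateMaxValidityDuration / certificateAuthorityMaxValidityDuration
#    given as ISO 8601 durations ("P90D")
#  - `oci certs-mgmt certificate-authority get` prints JSON containing "lifecycle-state"
#  - CA_OCID below is a placeholder, not a real CA

CA_OCID="ocid1.certificateauthority.oc1.<region>.<unique_id>"   # placeholder
RECOMMENDED_LEAF_MAX_DAYS=90   # the page's recommendation for leaf certificates

# is_positive_int VALUE -> 0 if VALUE is a whole number greater than zero
is_positive_int() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) [ "$1" -gt 0 ] ;;
  esac
}

# make_expiry_rules LEAF_DAYS CA_DAYS -> prints the rules JSON, or returns 1
# Rejects non-numeric or zero values, and a leaf validity longer than the
# subordinate-CA validity (a leaf certificate should not outlive its issuer).
make_expiry_rules() {
  leaf_days=$1
  ca_days=$2
  is_positive_int "$leaf_days" && is_positive_int "$ca_days" || return 1
  [ "$leaf_days" -le "$ca_days" ] || return 1
  printf '[{"ruleType":"CERTIFICATE_AUTHORITY_ISSUANCE_EXPIRY_RULE","leafCertificateMaxValidityDuration":"P%sD","certificateAuthorityMaxValidityDuration":"P%sD"}]' \
    "$leaf_days" "$ca_days"
}

# leaf_within_recommendation LEAF_DAYS -> 0 if the value is at most 90 days
leaf_within_recommendation() {
  is_positive_int "$1" && [ "$1" -le "$RECOMMENDED_LEAF_MAX_DAYS" ]
}

# ca_is_active <get-response JSON on stdin> -> 0 only if lifecycle-state is ACTIVE
ca_is_active() {
  grep -Eq '"lifecycle-state"[[:space:]]*:[[:space:]]*"ACTIVE"'
}

# update_root_ca_expiry LEAF_DAYS CA_DAYS: validate, write the rules file and run
# the root-CA command from the page. The oci call only happens if the CLI is installed.
update_root_ca_expiry() {
  rules=$(make_expiry_rules "$1" "$2") || { echo "invalid day values: $1 $2" >&2; return 1; }
  leaf_within_recommendation "$1" \
    || echo "warning: leaf validity $1 exceeds the recommended ${RECOMMENDED_LEAF_MAX_DAYS} days" >&2
  command -v oci >/dev/null 2>&1 \
    || { echo "oci CLI not found; rules that would be submitted: $rules" >&2; return 2; }
  oci certs-mgmt certificate-authority get --certificate-authority-id "$CA_OCID" | ca_is_active \
    || { echo "CA is not ACTIVE; wait for the previous change to complete" >&2; return 3; }
  rules_file=$(mktemp) || return 4
  printf '%s\n' "$rules" > "$rules_file"
  oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details \
    --certificate-authority-id "$CA_OCID" \
    --certificate-authority-rules "file://$rules_file"
}

# Constructed sample `get` responses (not captured from a real tenancy), used to
# exercise ca_is_active offline. UPDATING stands in for any non-Active state.
SAMPLE_ACTIVE_CA='{"data": {"id": "ocid1.certificateauthority.oc1.<region>.<unique_id>", "lifecycle-state": "ACTIVE"}}'
SAMPLE_BUSY_CA='{"data": {"id": "ocid1.certificateauthority.oc1.<region>.<unique_id>", "lifecycle-state": "UPDATING"}}'

# Usage: sh expiry_rules.sh run 90 365
case "${1:-}" in
  run) update_root_ca_expiry "$2" "$3" ;;
esac
```

    The leaf-validity check is a hard error only where it concerns ordering (a leaf certificate that could outlive the subordinate CAs its issuer creates); the 90-day figure from the page is a recommendation, so the script warns rather than refuses, which lets a CI job decide whether to treat the warning as a failure.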

  • Run the UpdateCertificateAuthority operation to edit the expiry rule for a CA.