Creating a Certificate Authority
Use the Certificates service to create a root certificate authority (CA) or a subordinate CA.
You must already have a root CA to create a subordinate CA.
You must have the appropriate level of security access to create a CA. For more information, see Required IAM Policy.
Creating a CA requires access to an existing hardware-protected (HSM-backed) asymmetric key in the Oracle Cloud Infrastructure (OCI) Vault service; the CA uses this key to sign the certificates and CRLs it issues. For more information, see Overview of Vault.
When you create a CA with a certificate revocation list (CRL), you can specify an OCI Object Storage bucket where you want to store the CRL. The bucket must already exist at the time you create the CA. The bucket must also be a dedicated bucket that you don't use for any other purpose or to store the CRL of any other CA.
- Open the navigation menu and click Identity & Security.
- Under Certificates, click Certificate Authorities.
- Click Create Certificate Authority.
- Click Compartment, and then choose the compartment where you want to create the CA.
- Under Certificate Authority Type, choose the type of CA from the following options:
  - Root Certificate Authority: the CA at the top of the hierarchy in a chain of CAs.
  - Subordinate Certificate Authority: any CA that's not the root CA in a hierarchy containing other CAs.
- Enter a unique display name for the CA. This name helps you identify the CA for administrative purposes but doesn't appear as part of the CA certificate. Avoid entering confidential information.
  Note: No two CAs in the tenancy can share the same name, including CAs pending deletion.
- (Optional) Enter a description to help identify the CA. (This description helps you identify the CA, but doesn't appear as part of the CA certificate.) Avoid entering confidential information.
- (Optional) To apply tags, click Show Tagging Options. For more information about tags, see Resource Tags.
- Click Next.
- Provide subject information. The subject must include at least a common name that identifies the owner of the CA certificate. Depending on the certificate's intended use, the subject might identify a person, an organization, or a computer endpoint. The subject must be formatted as an RFC 5280 distinguished name. You can use wildcards to issue a certificate for multiple domain or subdomain names.
- (Optional) To provide more certificate authority subject information, click Show Additional Fields. For details about each of the values in a subject distinguished name, see RFC 5280.
- When you're ready, click Next.
- (Optional) Click Not Valid Before, and then specify the UTC time and date when you want to begin using the CA. If you don't specify a date, then the CA validity period begins immediately.
- Click Not Valid After, and then specify the date after which the CA can no longer be used to issue or validate subordinate CAs or certificates. (You must specify a date at least one day later than the starting date of the validity period. You can't specify a date beyond December 31, 2037. Values are rounded up to the nearest second.)
- If you're creating a subordinate CA, under Issuer Certificate Authority, specify a parent CA to issue this CA. If you're creating a root CA, continue to the next step.
- Under Vault, choose the vault that contains the encryption key that you want to use for the CA certificate. Optionally, click Change Compartment to specify a different compartment. For information about creating and managing vaults, see Managing Vaults.
- Under Key, choose the key in the vault that you want to use. The list includes only the asymmetric keys in the vault, because Certificates supports only asymmetric keys: Rivest-Shamir-Adleman (RSA) keys of 2,048 or 4,096 bits, and elliptic curve digital signature algorithm (ECDSA) keys with the curve ID NIST_P384. Furthermore, the list includes only keys of these types that are protected by a hardware security module (HSM); Certificates doesn't support software-protected keys. For information about creating and managing keys, see Managing Keys.
- Under Signing Algorithm, choose an option from the same algorithm family as the key (an RSA key requires a *_WITH_RSA option, an ECDSA key a *_WITH_ECDSA option). Pair the hash with the key strength; for a NIST_P384 key, SHA384_WITH_ECDSA is the natural choice. The options are:
- SHA256_WITH_RSA: RSA key with a SHA-256 hash function
- SHA384_WITH_RSA: RSA key with a SHA-384 hash function
- SHA512_WITH_RSA: RSA key with a SHA-512 hash function
- SHA256_WITH_ECDSA: ECDSA key with a SHA-256 hash function
- SHA384_WITH_ECDSA: ECDSA key with a SHA-384 hash function
- SHA512_WITH_ECDSA: ECDSA key with a SHA-512 hash function
When you're ready, click Next.
- Configure the expiry rule. Under Maximum Validity Duration for Certificates (Days), specify the maximum number of days that a certificate issued by this CA can be valid. Keep this short so that a compromised or mis-issued certificate ages out quickly; we strongly recommend a validity period of no more than 90 days.
- Under Maximum Validity Duration for Subordinate CA (Days), specify the maximum number of days that a CA issued by this CA can be valid to issue other CAs or certificates. When you're ready, click Next.
- On the Revocation Configuration page, if you don't want to configure a certificate revocation list (CRL), select the Skip Revocation check box. To configure certificate revocation, clear the check box, and then specify a dedicated Object Storage Bucket where you plan to store the CRL.
- (Optional) Click Change Compartment to find a bucket in a different compartment.
- Under Object Name Format, specify the object name. You can include curly braces in the object name to indicate where the service can insert the issuing CA version number. This addition helps prevent the overwriting of an existing CRL whenever you create another CA version. For more information about object names, see Object Names.
- (Optional) Under Custom Formatted URLs, provide the URL that you want to use with APIs to access the object. This URL is named in certificates as the CRL distribution point (CDP). You can include curly braces in the URL to indicate where the service can insert the issuing CA version number. This addition helps avoid overwriting an existing CDP whenever you create another CA version. You can specify an HTTPS URL only if no circular dependency exists in the verification of the HTTPS chain: a client must not need this CRL in order to validate the TLS certificate of the server that serves the CRL.
- (Optional) To provide another CDP, click + Another URL, and then provide another URL where users can access the CRL.
- When you're ready, click Next.
- Confirm that the information is correct, and then click Create Certificate Authority.
It can take a while to create certificate-related resources.
The command you use depends on whether you want to create a root CA or a subordinate CA.
Use the oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details command and required parameters to create a root CA:
oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --compartment-id <compartment_OCID> --name <CA_display_name> --subject <certificate_subject_information> --kms-key-id <Vault_encryption_key_OCID>
For example:
oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --compartment-id ocid1.compartment.oc1..<unique_id> --name myNewCA --subject file://path/to/casubject.json --kms-key-id ocid1.key.oc1.<region>.<unique_id>
To create a subordinate CA, use the oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca command and required parameters:
oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <parent_CA_OCID> --name <CA_display_name> --subject <certificate_subject_information> --kms-key-id <Vault_encryption_key_OCID>
For example:
oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name mySubCA --subject file://path/to/casubject.json --kms-key-id ocid1.key.oc1.<region>.<unique_id>
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
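The following pre-flight script is an added example for scripting the CLI commands above; it is not Oracle's code and not part of this page. It writes the --subject JSON file the commands take, checks the validity window, expiry rule, key choice and CRL object name against the constraints stated in the console steps, and assembles the create command. It assumes that the subject JSON uses the camelCase field names of the Certificates CertificateSubject model (commonName, organization, organizationalUnit, country, stateOrProvinceName, locality); the OCIDs are placeholders in the page's own style.

```python
"""Pre-flight checks for creating an OCI Certificates CA (added example, not Oracle's code)."""
import json
import shlex
from datetime import datetime, timedelta, timezone

# Limits stated on this page.
LAST_ALLOWED_NOT_AFTER = datetime(2037, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
RECOMMENDED_MAX_CERT_DAYS = 90
# Key types Certificates accepts (must also be HSM-protected; that cannot be checked offline).
SUPPORTED_KEYS = {("RSA", 2048), ("RSA", 4096), ("ECDSA", "NIST_P384")}


def build_subject(common_name, organization=None, organizational_unit=None,
                  country=None, state=None, locality=None):
    """Return the --subject JSON object; only the common name is mandatory.
    Field names are assumed to follow the CertificateSubject model."""
    subject = {"commonName": common_name}
    optional = {"organization": organization, "organizationalUnit": organizational_unit,
                "country": country, "stateOrProvinceName": state, "locality": locality}
    subject.update({k: v for k, v in optional.items() if v})
    return subject


def parse_utc(stamp):
    """Parse an ISO-8601 timestamp such as 2025-01-01T00:00:00Z into aware UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_validity(not_before, not_after):
    """Apply the Not Valid Before / Not Valid After rules; return a list of problems."""
    start, end = parse_utc(not_before), parse_utc(not_after)
    problems = []
    if end < start + timedelta(days=1):
        problems.append("Not Valid After must be at least one day after Not Valid Before")
    if end > LAST_ALLOWED_NOT_AFTER:
        problems.append("Not Valid After cannot be beyond December 31, 2037")
    return problems


def check_key_and_signing(key_algorithm, key_size_or_curve, signing_algorithm):
    """The signing algorithm family must match the key family, and the key must be a supported type."""
    problems = []
    if (key_algorithm, key_size_or_curve) not in SUPPORTED_KEYS:
        problems.append(f"unsupported key {key_algorithm}/{key_size_or_curve}; "
                        "use RSA 2048/4096 or ECDSA NIST_P384")
    if not signing_algorithm.endswith("_WITH_" + key_algorithm):
        problems.append(f"{signing_algorithm} does not match a {key_algorithm} key")
    return problems


def check_expiry_rule(max_cert_days, max_sub_ca_days, ca_lifetime_days):
    """Sanity-check the expiry rule; returns (errors, warnings)."""
    errors, warnings = [], []
    for label, days in (("certificates", max_cert_days), ("subordinate CAs", max_sub_ca_days)):
        if days < 1:
            errors.append(f"maximum validity for {label} must be at least 1 day")
        elif days > ca_lifetime_days:
            warnings.append(f"maximum validity for {label} ({days}d) exceeds the CA lifetime ({ca_lifetime_days}d)")
    if max_cert_days > RECOMMENDED_MAX_CERT_DAYS:
        warnings.append(f"certificate validity above the recommended {RECOMMENDED_MAX_CERT_DAYS} days")
    return errors, warnings


def check_crl_object_name(object_name):
    """An object name with {} gets the CA version number inserted, so a new CA version
    does not overwrite the previous version's CRL."""
    return "{}" in object_name


def create_ca_command(compartment_id, name, subject_path, kms_key_id, issuer_ca_id=None):
    """Assemble the CLI command from this page (subordinate form when an issuer CA is given)."""
    parts = ["oci", "certs-mgmt", "certificate-authority"]
    if issuer_ca_id:
        parts += ["create-subordinate-ca-issued-by-internal-ca",
                  "--compartment-id", compartment_id,
                  "--issuer-certificate-authority-id", issuer_ca_id]
    else:
        parts += ["create-root-ca-by-generating-config-details", "--compartment-id", compartment_id]
    parts += ["--name", name, "--subject", f"file://{subject_path}", "--kms-key-id", kms_key_id]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    # Constructed sample input; OCIDs are placeholders in the page's own style.
    subject = build_subject("Example Root CA", organization="Example Corp", country="US")
    with open("casubject.json", "w") as fh:
        json.dump(subject, fh, indent=2)
    for problem in (check_validity("2025-01-01T00:00:00Z", "2035-01-01T00:00:00Z")
                    + check_key_and_signing("ECDSA", "NIST_P384", "SHA384_WITH_ECDSA")):
        print("ERROR:", problem)
    errors, warnings = check_expiry_rule(90, 365, 3652)
    for msg in errors + warnings:
        print("NOTE:", msg)
    if not check_crl_object_name("crl-{}.crl"):
        print("NOTE: CRL object name has no {} placeholder")
    print(create_ca_command("ocid1.compartment.oc1..<unique_id>", "myNewCA",
                            "casubject.json", "ocid1.key.oc1.<region>.<unique_id>"))
```

Run it before the real oci call; a non-empty error list means the console or CLI would reject the same input, while the warnings flag choices that are permitted but weaken the hierarchy (certificates that outlive the CA, or lifetimes beyond the recommended 90 days).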
Run the CreateCertificateAuthority operation to create a CA.