Creating a Certificate Authority
Use the Certificates service to create a root certificate authority (CA) or a subordinate certificate authority.
You must already have a root certificate authority to create a subordinate certificate authority.
You must have the appropriate level of security access to create a certificate authority. For more information, see Required IAM Policy.
Creating a certificate authority requires you to have access to an existing hardware-protected, asymmetric encryption key from the Oracle Cloud Infrastructure (OCI) Vault service. For more information, see Overview of Vault.
When you create a certificate authority with a certificate revocation list (CRL), you can specify an OCI Object Storage bucket where you want to store the CRL. The bucket must already exist at the time you create the certificate authority. The bucket must also be a dedicated bucket that you don't use for any other purpose or to store the CRL of any other certificate authority.
On the Certificate Authorities list page, select Create certificate authority. If you need help finding the list page or the certificate authority, see Listing Certificate Authorities. The Create certificate authority panel opens.
Creating a certificate authority consists of the following pages:
- Basic Information
- Subject Information
- Authority Configuration
- Rules
- Revocation Configuration
- Summary
Run each of the following workflows in order. You can return to a previous page by selecting Previous.
Basic Information
Enter the following information:
- Name: Enter the name of the certificate. No certificate authorities in the tenancy can share the same name, including certificate authorities pending deletion.
- Description: (Optional) Enter a description for the certificate authority.
- Compartment: Select the compartment where the certificate authority resides from the list.
- Certificate authority type: Select one of the following options:
- Root certificate authority: Creates a certificate authority (CA) that issues digital certificates and manages their revocation. A CA hierarchy typically contains several certificate authorities with defined parent-child relationships between them; the certificate authority at the top of the hierarchy is the root certificate authority.
- Subordinate certificate authority: Creates a subordinate certificate authority that's an intermediate entity within a hierarchy of other such entities that issue digital certificates.
- Subordinate Certificate Authority: External CA issued, Managed Internally: Creates a subordinate certificate authority that's issued by the external root certificate authority, but managed internally (keys stored) in OCI hardware security module (HSM). Create a certificate signing request here and complete issuance through your external certificate authority.
Tagging
If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
Select Next.
Subject Information
The Subject Information page includes at least a common name to identify the owner of the certificate authority certificate. Depending on the certificate's intended use, the subject might identify a person, organization, or computer endpoint. The format of the subject information must conform to RFC 5280 standards. You can use wildcards to issue a certificate for multiple domain or subdomain names.
Enter the following information:
- Common name: Enter a common name.
Additional Fields
Enter the requested information, such as the name, address, and organizational information of the subject. For details about each of the values in a subject distinguished name, see RFC 5280.
Select Next.
Authority Configuration
Enter the following information:
- Issuer certificate authority compartment: (Subordinate certificate authority only) Select the compartment containing the parent certificate authority you want to issue the subordinate certificate authority you're creating.
- Issuer certificate authority: (Subordinate certificate authority only) Select the issuer certificate authority you want. The certificate authorities listed are those contained in the issuer certificate authority compartment you selected. If you have chosen the Subordinate Certificate Authority: External CA issued, Managed Internally CA type, ensure you choose your external root as your parent root CA.
- Not valid before: Enter the date (mm/dd/yyyy) or use the calendar tool to specify the date before which the certificate authority can't be used to validate the identity of its bearer. If you don't specify a date, the certificate authority validity period begins immediately.
- Time: Enter the time (hh:mm) in UTC for the day that you specified that the certificate authority isn't valid before.
- Not valid after: Enter the date (mm/dd/yyyy) or use the calendar tool to specify the date after which the certificate authority is no longer valid proof of the identity of its bearer. You must specify a date at least one day later than the starting date of the validity period. The date must not exceed the expiration of the issuing certificate authority.
You can't specify a date beyond December 31, 2037. Typically, certificate authorities are used for the entirety of the period that they're valid unless something happens to require revocation. The default value is three months after the certificate authority is created.
- Time: Enter the time (hh:mm) in UTC for the day that you specified that the certificate authority isn't valid after.
- Vault in compartment: Select the compartment containing the vault that contains the encryption key that you want to use for the certificate authority certificate.
- Vault in: Select the vault that contains the encryption key you want to use for the certificate authority certificate. The vaults listed are those contained in the vault compartment you selected.
- Key in compartment: Select the compartment containing the encryption key in the vault that you want to use for the certificate authority certificate.
- Key in: Select the key you want to use. The list includes only the asymmetric keys in the vault because Certificates only supports asymmetric keys. You can select from Rivest-Shamir-Adleman (RSA) keys that are 2,048 bits or 4,096 bits.
You can also select Elliptic Curve Digital Signature Algorithm (ECDSA) keys that have an elliptic curve ID of NIST_P384. The list includes only these types of asymmetric keys that are protected by a hardware security module (HSM). Certificates doesn't support the use of software-protected keys. For information about creating and managing keys, see Managing Keys.
- Signature algorithm: Select one of the following options, depending on the key algorithm family:
- SHA256_WITH_RSA: RSA key with a SHA-256 hash function.
- SHA384_WITH_RSA: RSA key with a SHA-384 hash function.
- SHA512_WITH_RSA: RSA key with a SHA-512 hash function.
- SHA256_WITH_ECDSA: ECDSA key with a SHA-256 hash function.
- SHA384_WITH_ECDSA: ECDSA key with a SHA-384 hash function.
- SHA512_WITH_ECDSA: ECDSA key with a SHA-512 hash function.
Select Next.
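The Not valid before and Not valid after fields above carry three constraints that are easy to get wrong by hand: the window must be at least one day long, it may not end after December 31, 2037, and a subordinate CA may not outlive its issuer. The following script is an added example, not code from OCI or the Certificates service; it parses the Console's mm/dd/yyyy and hh:mm UTC fields and reports every rule a proposed window breaks. The sample dates are constructed.

```python
"""Pre-check a CA validity window against the rules stated for the
Not valid before / Not valid after fields (added example, not OCI code)."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Latest Not valid after the service accepts, per the page.
SERVICE_MAX_NOT_AFTER = datetime(2037, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


def parse_console_datetime(date_mmddyyyy: str, time_hhmm: str = "00:00") -> datetime:
    """Combine the Console's mm/dd/yyyy date field and hh:mm UTC time field
    into a timezone-aware UTC datetime (the Console times are UTC)."""
    naive = datetime.strptime(f"{date_mmddyyyy} {time_hhmm}", "%m/%d/%Y %H:%M")
    return naive.replace(tzinfo=timezone.utc)


def validity_problems(not_before: Optional[datetime], not_after: datetime,
                      issuer_not_after: Optional[datetime] = None,
                      now: Optional[datetime] = None) -> List[str]:
    """Return every rule the proposed window violates; an empty list means the
    window is acceptable. not_before=None models leaving the field blank, in
    which case validity begins immediately (i.e. at `now`)."""
    now = now or datetime.now(timezone.utc)
    start = not_before or now
    problems: List[str] = []
    if not_after - start < timedelta(days=1):
        problems.append("Not valid after must be at least one day after the validity start")
    if not_after > SERVICE_MAX_NOT_AFTER:
        problems.append("Not valid after cannot be later than December 31, 2037")
    if issuer_not_after is not None and not_after > issuer_not_after:
        problems.append("a subordinate CA cannot outlive its issuer; shorten Not valid after")
    return problems


if __name__ == "__main__":
    # Constructed example: a root valid until 2035 and a proposed sub-CA
    # whose operator asked for a window ending in 2036.
    root_not_after = parse_console_datetime("01/15/2035")
    sub_not_before = parse_console_datetime("02/01/2025", "09:30")
    sub_not_after = parse_console_datetime("01/01/2036")
    for problem in validity_problems(sub_not_before, sub_not_after, root_not_after):
        print("rejected:", problem)
```

Run it before filling in the Console or before passing `--validity` style options on the CLI; an empty list from `validity_problems` means the window passes all three checks.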
Rules
The Rules page is where you configure rules to apply constraints to this certificate authority and the resources you issue from it.
Expiry Rule
You can specify the maximum amount of time that a certificate or subordinate certificate authority issued by this certificate authority is valid. Changes apply only to new certificates and new subordinate certificate authorities that you issue after making the changes.
Enable Expiry rule to configure the following settings:
- Maximum validity duration for certificates (days): Specify the maximum amount of time that any certificate issued by this certificate authority can be valid.
- Maximum validity duration for subordinate CA (days): Specify the maximum number of days that a CA issued by this CA can be valid to issue other CAs or certificates. The recommended value is 1095 days (3 years).
Issuance Rule
You can specify issuance rules to enforce certain conditions regarding the resources that this certificate authority issues. A path length constraint restricts how many subordinate certificate authorities a certificate authority can have. A name constraint on certificate subject names specifies allowable namespaces for the hierarchical name forms in certificates that any certificate authority in this certificate chain issues. Issuance rules can't be updated later.
Enable Issuance rule to configure the following settings:
- Path length constraint: Select the maximum length (0–10) for subordinate CAs.
- Excluded subtrees: Specify the type and value to block certain namespaces. Select Add excluded subtree to create another entry.
- Permitted subtrees: Specify the type and value to allow certain namespaces. Select Add permitted subtree to create another entry.
Select Next.
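Because issuance rules can't be updated later, it is worth modelling how the path length constraint and the permitted and excluded subtrees will be evaluated before creating the CA. The script below is an added example, not code from OCI or the Certificates service: it applies the RFC 5280 path-validation semantics for these two rules (DNS-name subtrees only; IP, email and URI forms are not modelled) to a constructed two-level hierarchy. The CA names and hostnames are made up.

```python
"""Evaluate path length and DNS name constraints the way RFC 5280 path
validation applies them down a CA chain (added example, not OCI code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CaRules:
    """Issuance rules of one CA in the chain; None or empty means 'not set'."""
    name: str
    path_len: Optional[int] = None            # Path length constraint (0-10 in the Console)
    permitted_dns: List[str] = field(default_factory=list)
    excluded_dns: List[str] = field(default_factory=list)


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a DNS subtree 'host.example.com' is satisfied by that
    exact name and by any name built by adding labels on the left. A leading
    dot in the subtree is tolerated; 'fooexample.com' does NOT match 'example.com'."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().strip(".")
    return name == subtree or name.endswith("." + subtree)


def dns_name_allowed(name: str, chain: List[CaRules]) -> bool:
    """Combine constraints down the chain as a validator does: permitted
    subtrees intersect (the name must satisfy every CA that set any), and
    excluded subtrees accumulate (one match anywhere rejects the name)."""
    for ca in chain:
        if ca.permitted_dns and not any(dns_in_subtree(name, s) for s in ca.permitted_dns):
            return False
        if any(dns_in_subtree(name, s) for s in ca.excluded_dns):
            return False
    return True


def path_length_ok(chain: List[CaRules]) -> bool:
    """chain runs root -> ... -> issuing CA. RFC 5280 6.1.4: a CA's
    pathLenConstraint bounds how many CA certificates may follow it in the
    path; the end-entity certificate is not counted."""
    for depth, ca in enumerate(chain):
        following_cas = len(chain) - depth - 1
        if ca.path_len is not None and following_cas > ca.path_len:
            return False
    return True


def can_add_subordinate(chain: List[CaRules]) -> bool:
    """Would one more subordinate CA under the last CA in the chain still
    satisfy every ancestor's path length constraint?"""
    return path_length_ok(chain + [CaRules("candidate")])


# Constructed hierarchy: the root permits only example.com names, carves out
# internal.example.com, and allows exactly one CA level beneath it.
ROOT = CaRules("root", path_len=1,
               permitted_dns=["example.com"], excluded_dns=["internal.example.com"])
ISSUING = CaRules("issuing", path_len=0)
CHAIN = [ROOT, ISSUING]

if __name__ == "__main__":
    for host in ("api.example.com", "db.internal.example.com", "example.org", "fooexample.com"):
        print(f"{host:26} allowed={dns_name_allowed(host, CHAIN)}")
    print("chain path lengths ok:", path_length_ok(CHAIN))
    print("room for another sub-CA:", can_add_subordinate(CHAIN))
```

The point of `can_add_subordinate` is that the root's constraint of 1 is already consumed by the issuing CA, so a third level can't be added later without re-creating the root; checking this up front avoids locking the hierarchy into a shape it can't grow out of.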
Revocation Configuration
The Revocation Configuration page is where you can configure a location for publishing a certificate revocation list (CRL). A CRL specifies the versions of a certificate authority or certificate considered no longer trustworthy and invalid before the end of their validity period. You can either store a CRL in an Object Storage bucket or specify a custom formatted URL as the CRL distribution point. Revocation settings can be updated at any time.
Enable Revocation to configure the following settings:
- Object storage bucket compartment: Select the compartment containing the Object Storage bucket where you can store a CRL.
- Object storage bucket: Select the Object Storage bucket you want. The buckets that appear are those contained in the compartment you selected.
- Object name format: Specify the object name. You can include curly braces in the object name to indicate where the service can insert the issuing certificate authority version number. This addition helps prevent the overwriting of an existing CRL whenever you create another certificate authority version. For more information about object names, see Object Names.
Custom Formatted URLs
Enter the URL that you want to use with APIs to access the object. This URL is named in certificates as the CRL distribution point (CDP). You can include curly braces in the URL to indicate where the service can insert the issuing certificate authority version number. This addition helps avoid overwriting an existing CDP whenever you create another certificate authority version. You can specify an HTTPS URL only if no circular dependencies in the verification of the HTTPS chain exist.
To provide another CDP, select + Another URL, and then provide another URL where users can access the CRL.
Select Next.
Summary
Review the contents of the Summary page. Select Edit to add or change information in the associated page. When the settings are fully verified, select Create certificate authority.
The certificate authority you created appears in the Certificate Authorities list page.
The command you use depends on whether you want to create a root certificate authority or a subordinate certificate authority.
Use the oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details command and required parameters to create a root certificate authority:
oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --compartment-id <compartment_OCID> --name <CA_display_name> --subject <certificate_subject_information> --kms-key-id <Vault_encryption_key_OCID> [OPTIONS]
For example:
oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --compartment-id ocid1.compartment.oc1..<unique_ID> --name myNewCA --subject file://path/to/casubject.json --kms-key-id ocid1.key.oc1.<region>.<unique_ID>
To create a subordinate certificate authority, use the oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca command and required parameters:
oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <parent_CA_OCID> --name <CA_display_name> --subject <certificate_subject_information> --kms-key-id <Vault_encryption_key_OCID> [OPTIONS]
For example:
oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_ID> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_ID> --name mySubCA --subject file://path/to/casubject.json --kms-key-id ocid1.key.oc1.<region>.<unique_ID>
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
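Both CLI commands take the subject as a JSON file (`--subject file://path/to/casubject.json`), and the Subject Information section earlier requires that subject to conform to RFC 5280. The script below is an added example, not code from OCI or the CLI: it validates a subject against the RFC 5280 Appendix A upper bounds (which are real) and renders the JSON. The camelCase attribute names in `KNOWN_KEYS` are an assumption about the CLI's subject model and should be checked against the CLI Command Reference; the sample subject values are constructed.

```python
"""Validate and render the subject JSON for --subject file://casubject.json
(added example, not OCI's own code)."""
import json
from pathlib import Path
from typing import Dict, List

# ASSUMPTION: attribute names accepted in the CLI subject file. Verify against
# the CLI Command Reference before relying on them.
KNOWN_KEYS = {
    "commonName", "country", "domainComponent", "distinguishedNameQualifier",
    "generationQualifier", "givenName", "initials", "locality", "organization",
    "organizationalUnit", "pseudonym", "serialNumber", "stateOrProvince",
    "street", "surname", "title", "userId",
}

# RFC 5280 Appendix A upper bounds on attribute lengths (real values).
UPPER_BOUNDS = {
    "commonName": 64, "organization": 64, "organizationalUnit": 64,
    "locality": 128, "stateOrProvince": 128, "title": 64, "serialNumber": 64,
}


def validate_subject(subject: Dict[str, str]) -> List[str]:
    """Return every problem found; an empty list means the subject is acceptable."""
    problems: List[str] = []
    for key, value in subject.items():
        if not isinstance(value, str):
            problems.append(f"{key} must be a string")
    if problems:
        return problems
    for key in subject:
        if key not in KNOWN_KEYS:
            problems.append(f"{key} is not a recognised subject attribute (check the CLI reference)")
    cn = subject.get("commonName", "")
    if not cn.strip():
        problems.append("commonName is required")
    # The page allows wildcards; accept only a single leading '*.' label.
    if "*" in cn and not (cn.startswith("*.") and "*" not in cn[2:]):
        problems.append("wildcard must be a single leading '*.' label")
    country = subject.get("country")
    if country is not None and not (len(country) == 2 and country.isascii()
                                    and country.isalpha() and country.isupper()):
        problems.append("country must be a 2-letter ISO 3166 code (RFC 5280 PrintableString, length 2)")
    for key, limit in UPPER_BOUNDS.items():
        value = subject.get(key)
        if value is not None and len(value) > limit:
            problems.append(f"{key} exceeds the RFC 5280 upper bound of {limit} characters")
    return problems


def render_subject_json(subject: Dict[str, str]) -> str:
    """Validate, then return the JSON text to save as casubject.json."""
    problems = validate_subject(subject)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(subject, indent=2) + "\n"


# Constructed sample subject for an internal root CA (not a real organisation).
SAMPLE_SUBJECT = {
    "commonName": "Example Corp Internal Root CA",
    "organization": "Example Corp",
    "organizationalUnit": "Platform Security",
    "locality": "Austin",
    "stateOrProvince": "Texas",
    "country": "US",
}

if __name__ == "__main__":
    path = Path("casubject.json")
    path.write_text(render_subject_json(SAMPLE_SUBJECT))
    print(f"wrote {path}; pass it as --subject file://{path.resolve()}")
```

Running the script writes `casubject.json` in the current directory and prints the `--subject` argument to paste into either create command; a `ValueError` lists every field that would be rejected, so the fix can be made before the CA (and its immutable issuance rules) is created.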
Run the CreateCertificateAuthority operation to create a certificate authority.