Oracle Cloud Infrastructure Documentation

Creating a Certificate

Create a certificate to manage internally, including the certificate's private key.

You must have the appropriate level of security access to create a certificate. For more information, see Required IAM Policy.

You can create a certificate in multiple ways, including by using the Certificates service to issue a certificate and importing a certificate issued by a third-party certificate authority (CA). For the steps to import a certificate, see Importing a Certificate.

Multiple ways of managing a certificate also impact the creation process. When you issue a certificate, you can generate and manage the private key internally by using the same CA to handle everything. You can also generate a certificate signing request (CSR) and private key on the server where you plan to install the certificate, and then submit that CSR to a CA to issue a certificate, while managing the private key externally. This task describes how to issue a certificate that you plan to manage internally. For the steps to issue a certificate that you manage externally with a third-party CA, see Creating a Certificate to Manage Externally.

    1. Open the navigation menu and click Identity & Security.
    2. Under Certificates, click Certificates.
    3. Click Create Certificate.
    4. Under Compartment, choose the compartment where you want to create the certificate. The certificate can exist in the same compartment as the CA or a different one.
    5. Under Certificate Type, to issue a certificate from a Certificates service CA that then also manages the certificate, click Issued by internal CA.
    6. Enter a unique display name for the certificate. Avoid entering confidential information.
      Note

      No two certificates in the tenancy can share the same name, including certificates pending deletion.
    7. (Optional) Enter a description to help identify the certificate. Avoid entering confidential information.
    8. (Optional) To apply tags, click Show Tagging Options. For more information about tags, see Resource Tags.
    9. Click Next.
    10. Provide subject information. Subject information includes a common name to identify the owner of the certificate. Depending on the certificate's intended use, the subject might identify a person, organization, or computer endpoint. Subject information can also include DNS names or IP addresses as subject alternative names by which the certificate bearer is also known. You can use wildcards to issue a certificate for multiple domain or subdomain names.
    11. (Optional) To add more subject alternative names, click + Another Subject Alternative Name, choose the type of address, and then enter the name. When you're ready, click Next.
    12. Select a certificate profile type from the following profiles based on the certificate's intended use:
      • TLS Server or Client: Presented by a server or client for TLS/SSL connections.
      • TLS Server: Presented by a server for TLS/SSL connections.
      • TLS Client: Presented by a client during TLS/SSL connections.
      • TLS Code Sign: Presented by a program to validate its signature.
    13. To change the CA that issues the certificate, click Issuer Certificate Authority, and then choose a CA. If necessary, click Change Compartment, and then choose a different compartment if the CA is in a different compartment from the one you selected for the certificate.
    14. (Optional) Click Not Valid Before, and then enter a date before which the certificate can't be used to validate the identity of its bearer. If you don't specify a date, the certificate validity period begins immediately. Values are rounded up to the nearest second.
    15. Click Not Valid After, and then change the date after which the certificate is no longer valid proof of the identity of its bearer. You must specify a date at least one day later than the starting date of the validity period. The date must not exceed the expiration of the issuing CA. You also can't specify a date beyond December 31, 2037. Values are rounded up to the nearest second. Typically, certificates are used for the entirety of the period that they're valid unless something happens to require revocation.
    16. For Key Algorithm, choose the algorithm and key length combination that you need for the certificate key pair from the following options:
      • RSA2048: Rivest-Shamir-Adleman (RSA) 2048-bit key
      • RSA4096: RSA 4096-bit key
      • ECDSA_P256: Elliptic curve cryptography digital signature algorithm (ECDSA) key with a P256 curve ID
      • ECDSA_P384: ECDSA key with a P384 curve ID
    17. (Optional) Click Show Additional Fields, and then under Signature Algorithm, choose one of the following signing algorithms, depending on the key:
      • SHA256_WITH_RSA: Rivest-Shamir-Adleman (RSA) key with a SHA-256 hash function
      • SHA384_WITH_RSA: RSA key with a SHA-384 hash function
      • SHA512_WITH_RSA: RSA key with a SHA-512 hash function
      • SHA256_WITH_ECDSA: Elliptic curve cryptography digital signature algorithm (ECDSA) key with a SHA-256 hash function
      • SHA384_WITH_ECDSA: ECDSA key with a SHA-384 hash function
      • SHA512_WITH_ECDSA: ECDSA key with a SHA-512 hash function

        When you're ready, click Next.

    18. To configure automatic renewal of the certificate to avoid disruption in its use, specify a nonzero value for the following settings:
      • Renewal Interval (Days): How frequently the certificate is renewed
      • Advance Renewal Period (Days): The number of days before the certificate expiration that renewal happens
      For sufficient flexibility, renew the certificate before the end of its validity period and with enough advance renewal time in case of failures. A certificate that expires before the service can successfully renew it can result in service disruptions.
      When you're ready, click Next.
    19. Verify that the information is correct, and then click Create Certificate.
      It can take a while to create certificate-related resources.

  • Use the oci certs-mgmt certificate create-certificate-issued-by-internal-ca command and required parameters to create a certificate issued by the Certificates service:

    oci certs-mgmt certificate create-certificate-issued-by-internal-ca --certificate-profile-type <certificate_usage_profile> --compartment-id <compartment_OCID> --issuer-certificate-authority-id <issuing_CA_OCID> --name <certificate_name> --subject <subject_information>

    For example:

    oci certs-mgmt certificate create-certificate-issued-by-internal-ca --certificate-profile-type TLS_SERVER_OR_CLIENT --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name internalCert --subject file://path/to/certsubject.json

    For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

  • Run the CreateCertificate operation to create a certificate that you plan to manage internally.