Creating a Certificate Authority

• Console
• CLI
• API

• 1. On the Certificate Authorities list page, select Create Certificate Authority. If you need help finding the list page, see Listing Certificate Authorities.
  2. Select Compartment, and then select the compartment where you want to create the CA.
  3. Under Certificate Authority Type, select the type of CA from the following options:
     • Root Certificate Authority: the CA at the top of the hierarchy in a chain of CAs.
     • Subordinate Certificate Authority: any CA that's not the root CA in a hierarchy containing other CAs.
  4. Enter a unique display name for the CA. This name helps you identify the CA for administrative purposes but doesn't appear as part of the CA certificate. Avoid entering confidential information.
     Note
     
     No two CAs in the tenancy can share the same name, including CAs pending deletion.
  5. (Optional) Enter a description to help identify the CA. (This description helps you identify the CA, but doesn't appear as part of the CA certificate.) Avoid entering confidential information.
  6. (Optional) To apply tags, select Show Tagging Options. For more information about tags, see Resource Tags.
  7. Select Next.
  8. Provide subject information. Subject information includes at least a common name to identify the owner of the CA certificate. Depending on the certificate's intended use, the subject might identify a person, organization, or computer endpoint. The format of the subject information must conform to RFC 5280 standards. You can use wildcards to issue a certificate for multiple domain or subdomain names.
  9. (Optional) To provide more certificate authority subject information, select Show Additional Fields. For details about each of the values in a subject distinguished name, see RFC 5280.
  10. When you're ready, select Next.
  11. (Optional) Select Not Valid Before, and then specify the UTC time and date when you want to begin using the CA. If you don't specify a date, then the CA validity period begins immediately.
  12. Select Not Valid After, and then specify the date after which the CA can no longer be used to issue or validate subordinate CAs or certificates. (You must specify a date at least one day later than the starting date of the validity period. You can't specify a date beyond December 31, 2037. Values are rounded up to the nearest second.)
  13. If you're creating a subordinate CA, under Issuer Certificate Authority, specify a parent CA to issue this CA. If you're creating a root CA, continue to the next step.
  14. Under Vault, select the vault that contains the encryption key that you want to use for the CA certificate. Optionally, select Change Compartment to specify a different compartment. For information about creating and managing vaults, see Managing Vaults.
  15. Under Key, select the key in the vault that you want to use. The list includes only the asymmetric keys in the vault because Certificates only supports asymmetric keys. You can select from Rivest-Shamir-Adleman (RSA) keys that are 2,048 bits or 4,096 bits. You can also select elliptic curve cryptography digital signature algorithm (ECDSA) keys that have an elliptic curve ID of NIST_P384. Specifically, the list includes only these types of asymmetric keys that are protected by a hardware security module (HSM). Certificates doesn't support the use of software-protected keys. For information about creating and managing keys, see Managing Keys.
  16. Under Signing Algorithm, select one of the following options, depending on the key algorithm family:
      • SHA256_WITH_RSA: RSA key with a SHA-256 hash function
      • SHA384_WITH_RSA: RSA key with a SHA-384 hash function
      • SHA512_WITH_RSA: RSA key with a SHA-512 hash function
      • SHA256_WITH_ECDSA: ECDSA key with a SHA-256 hash function
      • SHA384_WITH_ECDSA: ECDSA key with a SHA-384 hash function
      • SHA512_WITH_ECDSA: ECDSA key with a SHA-512 hash function

        When you're ready, select Next.

  17. Configure the expiry rule. Under Maximum Validity Duration for Certificates (Days), specify the maximum number of days that a certificate issued by this CA can be valid. We strongly recommend a validity period of no more than 90 days.
  18. Under Maximum Validity Duration for Subordinate CA (Days), specify the maximum number of days that a CA issued by this CA can be valid to issue other CAs or certificates. When you're ready, select Next.
  19. On the Revocation Configuration page, if you don't want to configure a certificate revocation list (CRL), select the Skip Revocation checkbox. To configure certificate revocation, clear the checkbox, and then specify a dedicated Object Storage Bucket where you plan to store the CRL.
  20. (Optional) Select Change Compartment to find a bucket in a different compartment.
  21. Under Object Name Format, specify the object name. You can include curly braces in the object name to indicate where the service can insert the issuing CA version number. This addition helps prevent the overwriting of an existing CRL whenever you create another CA version. For more information about object names, see Object Names.
  22. (Optional) Under Custom Formatted URLs, provide the URL that you want to use with APIs to access the object. This URL is named in certificates as the CRL distribution point (CDP). You can include curly braces in the URL to indicate where the service can insert the issuing CA version number. This addition helps avoid overwriting an existing CDP whenever you create another CA version. You can specify an HTTPS URL only if no circular dependencies in the verification of the HTTPS chain exist.
  23. (Optional) To provide another CDP, select + Another URL, and then provide another URL where users can access the CRL.
  24. When you're ready, select Next.
  25. Confirm that the information is correct, and then select Create Certificate Authority.
      It can take a while to create certificate-related resources.

• The command you use depends on whether you want to create a root CA or a subordinate CA.

  Use the oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details command and required parameters to create a root CA:

  Command

  CopyTry It

  oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --compartment-id <compartment_OCID> --name <CA_display_name> --subject <certificate_subject_information> --kms-key-id <Vault_encryption_key_OCID>

  For example:

  oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --compartment-id ocid1.compartment.oc1..<unique_id> --name myNewCA --subject file://path/to/casubject.json --kms-key-id ocid1.key.oc1.<region>.<unique_id>

  To create a subordinate CA, use the oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca command and required parameters:

  Command

  CopyTry It

  oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <parent_CA_OCID> --name <CA_display_name> --subject <certificate_subject_information> --kms-key-id <Vault_encryption_key_OCID>

  For example:

  oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name mySubCA --subject file://path/to/casubject.json --kms-key-id ocid1.key.oc1.<region>.<unique_id>

  For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

• Run the CreateCertificateAuthority operation to create a CA.