Creating a Certificate to Manage Externally

Create a certificate to manage externally if you prefer to manage the certificate's private key yourself, instead of using a Certificates service certificate authority (CA) to manage the key.

You can create a certificate in multiple ways, including using the Certificates service to issue a certificate and importing a certificate issued by a third-party certificate authority (CA). For the steps to import a certificate, see Importing a Certificate.

Multiple ways of managing a certificate also impact the creation process. When you issue a certificate, you can generate and manage the private key internally by using the same CA to handle everything. You can also generate a certificate signing request (CSR) and private key on the server where you plan to install the certificate, and then submit that CSR to a CA to issue a certificate, while managing the private key externally. This task describes how to issue a certificate with a private key that you manage externally. For steps to issue a certificate that you manage internally with a Certificates service CA, see Creating a Certificate.

1. On the Certificates list page, select Create Certificate. If you need help finding the list page, see Listing Certificates.
2. Under Compartment, select the compartment where you want to create the certificate. The certificate can exist in the same compartment as the CA or a different one.
3. Under Certificate Type, to issue a certificate from a Certificates service CA that's later managed by an external, third-party CA, select Issued by internal CA, managed externally.
4. Enter a unique display name for the certificate. Avoid entering confidential information.
  
  Note
  
  No two certificates in the tenancy can share the same name, including certificates pending deletion.
5. (Optional) Enter a description to help identify the certificate. Avoid entering confidential information.
6. (Optional) To apply tags, select Show Tagging Options. For more information about tags, see Resource Tags.
7. Select Next.
8. For certificates that a third-party CA manages, you don't need to provide subject information. Instead, select Next again.
9. To change the CA that issues the certificate, under Issuer Certificate Authority, select a CA. If needed, select Change Compartment, and then select a different compartment if the CA is in a different compartment from the one you selected for the certificate.
10. (Optional) Select Not Valid Before, and then enter a date before which the certificate can't be used to validate the identity of its bearer. If you don't specify a date, the certificate validity period begins immediately. Values are rounded up to the nearest second.
11. Select Not Valid After, and then change the date after which the certificate is no longer valid proof of the identity of its bearer. You must specify a date at least one day later than the starting date of the validity period. The date must not exceed the expiration of the issuing CA. You also can't specify a date beyond December 31, 2037. Values are rounded up to the nearest second. Typically, certificates are used for the entirety of the period that they're valid unless something happens to require revocation.
12. Under Certificate Signing Request, provide certificate contents by doing one of the following:
  
  Select Upload File, and then select Select One to upload the certificate as a file in PEM format.
  
  Select Paste Content, and then select the text box to paste the certificate contents directly.
  When you're ready, select Next.
13. You can't configure automatic renewal for certificates that the Certificates service doesn't manage. Select Next to continue.
14. Verify that the information is correct, and then select Create Certificate.

Use the oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca command and required parameters to create a certificate with a private key that you plan to manage externally:

oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <issuing_CA_OCID> --name <certificate_name> --csr-pem <certificate_signing_request_file>

For example:

oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name externalCert --csr-pem file://path/to/externalcert.pem

For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

Run the CreateCertificate operation to create a certificate that you plan to manage externally.

Oracle Cloud Infrastructure Documentation

Creating a Certificate to Manage Externally