Issuing a Subordinate Certificate Authority

Issue a subordinate certificate authority (CA).

You must already have a root CA in Oracle Cloud Infrastructure Certificates to create a subordinate CA. You can issue a subordinate CA from any other CA as long as you don't exceed the total allowable number of CAs in the tenancy.

Creating a CA requires you to have access to an existing hardware-protected, asymmetric encryption key from the Oracle Cloud Infrastructure Vault service. For more information, see Overview of Vault.

When you create a CA with a certificate revocation list (CRL), you can specify an OCI Object Storage bucket where you want to store the CRL. The bucket must already exist at the time you create the CA.

1. On the Certificate Authorities list page, select the name of the CA from which you want to issue a subordinate CA. If you need help finding the list page, see Listing Certificate Authorities.
  
  To find a CA in a different compartment, under List scope, select a different compartment.
2. Under Resources, select Subordinate Certificate Authorities.
3. Select Issue Subordinate Certificate Authority.
4. Under Compartment, select the compartment where you want to create the CA.
5. Enter a unique display name for the CA. This name helps you identify the CA for administrative purposes but doesn't appear as part of the CA certificate. Avoid entering confidential information.
  
  Note
  
  No two CAs in the tenancy can share the same name, including CAs pending deletion.
6. (Optional) Enter a description to help identify the CA. This description helps you identify the CA, but doesn't appear as part of the CA certificate. Avoid entering confidential information.
7. (Optional) To apply tags, select Show Tagging Options. For more information about tags, see Resource Tags.
8. When you're ready, select Next.
9. Provide subject information. Subject information includes at least a common name to identify the owner of the CA certificate. Depending on the certificate's intended use, the subject might identify a person, organization, or computer endpoint. You can use wildcards to issue a certificate for multiple domain or subdomain names.
10. (Optional) To provide more certificate authority subject information, select Show Additional Fields. For details about each of the values in a subject distinguished name, see RFC 5280. When you're ready, select Next.
11. (Optional) Select Not Valid Before, and then specify the UTC time and date when you want to begin using the CA. If you don't specify a date, then the CA validity period begins immediately.
12. Select Not Valid After, and then specify the date after which the CA can no longer used to issue or validate subordinate CAs or certificates. (You must specify a date at least one day later than the starting date of the validity period. You can't specify a date beyond December 31, 2037. Values are rounded up to the nearest second.)
13. Under Vault, select the vault that contains the encryption key that you want to use for the CA certificate. If needed, select Change Compartment to specify a different compartment.
14. Under Key, select the key in the vault that you want to use. The list includes only asymmetric keys in the vault because Certificates only supports asymmetric keys. Furthermore, the list only includes keys from the same key algorithm family of the key that the parent CA uses. You can select from Rivest-Shamir-Adleman (RSA) keys that are 2,048 bits or 4,096 bits. You can also select from elliptic curve cryptography digital signature algorithm (ECDSA) keys that have an elliptic curve ID of NIST_P384. Specifically, the list includes only these types of asymmetric keys that are protected by a hardware security module (HSM). Certificates doesn't support the use of software-protected keys. For information about creating and managing keys, see Managing Keys.
15. Select Signing Algorithm, and then select from one of the following options, depending on the key algorithm family:
  
  SHA256_WITH_RSA: Rivest-Shamir-Adleman (RSA) key with a SHA-256 hash function
  
  SHA384_WITH_RSA: RSA key with a SHA-384 hash function
  
  SHA512_WITH_RSA: RSA key with a SHA-512 hash function
  
  SHA256_WITH_ECDSA: Elliptic curve cryptography digital signature algorithm (ECDSA) key with a SHA-256 hash function
  
  SHA384_WITH_ECDSA: ECDSA key with a SHA-384 hash function
  
  SHA512_WITH_ECDSA: ECDSA key with a SHA-512 hash function
  When you're ready, select Next.
16. Configure the expiry rule. Under Maximum Validity Duration for Certificates (Days), specify the maximum number of days that a certificate issued by this CA can be valid. We strongly recommend a validity period of no more than 90 days.
17. Under Maximum Validity Duration for Subordinate CA (Days), specify the maximum number of days that a CA issued by this CA can be valid to issue other CAs or certificates. When you're ready, select Next.
18. On the Revocation Configuration page, if you don't want to configure a certificate revocation list (CRL), select the Skip Revocation checkbox. To configure certificate revocation, clear the checkbox, and then specify an Object Storage Bucket where you plan to store the CRL. If needed, select Change Compartment to find a bucket in a different compartment.
19. Under Object Name Format, specify the object name. You can include curly braces in the object name to indicate where the service can insert the issuing CA version number. This helps prevent the overwriting of an existing CRL whenever you create another CA version. For more information about object names, see Object Names.
20. (Optional) Select Custom Formatted URLs, and then provide the URL that you want to use with APIs to access the object. This URL is named in certificates as the CRL distribution point (CDP). You can include curly braces in the URL to indicate where the service can insert the issuing CA version number. By doing this, you can avoid overwriting an existing CDP whenever you create another CA version. (You can specify an HTTPS URL only if no circular dependencies in the verification of the HTTPS chain exist.)
21. (Optional) To provide another CDP, select + Another URL, and then provide another URL where users can access the CRL.
22. When you're ready, select Next.
23. Confirm that the information is correct, and then select Create Certificate Authority.
  It can take a while to create certificate-related resources.

Use the oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca command and required parameters to issue a subordinate CA:

oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <parent_CA_OCID> --name <CA_display_name> --subject <certificate_subject_information> --kms-key-id <Vault_encryption_key_OCID>

For example:

oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name mySubCA --subject file://path/to/casubject.json --kms-key-id ocid1.key.oc1.<region>.<unique_id>

For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

Run the CreateCertificateAuthority operation to issue a subordinate CA.

Oracle Cloud Infrastructure Documentation

Issuing a Subordinate Certificate Authority