Certificate Versions and Rotation States
Learn about certificate versions and rotation states in the context of certificate renewals.
Renewing a certificate replaces the contents of the certificate version that is currently in use with a new certificate version. Typically, certificate renewal happens as a certificate nears expiration, but it can also happen because certificate metadata needs to change, a certificate in the certificate chain is compromised, or you have a new CA. You can even renew a certificate to roll back the current version to a previous version.
When you renew or create a certificate, the service assigns the new certificate version one or more rotation states. Rotation states indicate the relationship of the new certificate version to the previous certificate version, if any, and tell you what you can do with the certificate version. Creating a new certificate version also automatically changes the rotation states of other certificate versions, if they exist. When necessary, rotation states help you roll back to an earlier certificate version.
Where only one certificate version exists, such as when you first create a certificate, the certificate version is automatically marked as both 'current' and the 'latest'. The 'latest' version of a certificate contains the certificate contents that were most recently uploaded to the service, so you can always tell which upload came last.
When you renew a certificate to upload new certificate contents, you can mark the certificate version as 'pending'. Marking a certificate version's rotation state as 'pending' lets you upload the certificate contents to the service without immediately putting the certificate version into active use. You can continue using the 'current' certificate version until you're ready to promote a pending certificate version to 'current' status.
Certificate versions can also be marked as 'previous' so that you can roll back easily, such as when you've made a mistake in updating the certificate contents and need to resume using older certificate contents. A certificate version marked as 'previous' was previously a certificate version marked as 'current.' To roll back to a previous version, you update the certificate to specify the certificate version number you want.
As long as a certificate version hasn't been deleted, you can update the certificate to use that past certificate version. When you update the certificate, the certificate version number you choose gets marked as 'current.' This has the same effect as promoting a certificate version to 'current.'
You can only delete certificate versions that have been marked as 'deprecated.' A deprecated certificate version is one that's not marked as 'current,' 'pending,' or 'previous.' This helps to prevent circumstances where you might delete a certificate version that you need later. A certificate version that's marked as anything other than 'deprecated' can be marked as 'current' to return it to active use.
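The lifecycle described above, as an added model that is not part of the service's own code or API: each version's rotation states are derived from the slots it occupies, renewing with `pending=True` leaves the 'current' version in use, promotion and rollback are the same operation, and only a version left with no other state ('deprecated') can be deleted. The model assumes a single 'previous' slot, so the version it displaces becomes 'deprecated'; the version numbers and certificate contents are constructed.

```python
class Certificate:
    def __init__(self, contents: bytes) -> None:
        self.versions: dict[int, bytes] = {}  # version number -> uploaded contents
        self.current = self.pending = self.previous = None
        self._next = 1
        self.renew(contents)  # the first version is automatically current and latest

    def renew(self, contents: bytes, pending: bool = False) -> int:
        """Upload new contents as a new version; activate it unless marked pending."""
        number, self._next = self._next, self._next + 1
        self.versions[number] = contents
        if pending:
            self.pending = number  # uploaded, but the old current version stays in use
        else:
            self.promote(number)
        return number

    def promote(self, number: int) -> None:
        """Make an undeleted version current; a rollback is the same operation."""
        if number not in self.versions:
            raise KeyError(f"version {number} does not exist or was deleted")
        if number == self.current:
            return
        if number == self.pending:
            self.pending = None
        # Assumption: one 'previous' slot. The version it displaces keeps no
        # state at all, which is what 'deprecated' means in stages() below.
        self.previous, self.current = self.current, number

    def stages(self, number: int) -> set[str]:
        """Rotation states are derived from the slots a version occupies."""
        if number not in self.versions:
            raise KeyError(f"version {number} does not exist or was deleted")
        states = set()
        if number == self.current:
            states.add("current")
        if number == max(self.versions):  # the most recently uploaded contents
            states.add("latest")
        if number == self.pending:
            states.add("pending")
        if number == self.previous:
            states.add("previous")
        return states or {"deprecated"}

    def delete(self, number: int) -> None:
        """Only deprecated versions may be deleted, so nothing still needed is lost."""
        if self.stages(number) != {"deprecated"}:
            raise ValueError(f"version {number} is still {sorted(self.stages(number))}")
        del self.versions[number]
```

Walking a certificate through create, pending renewal, promotion, a plain renewal and a rollback shows which version ends up 'deprecated' and therefore deletable.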
When you renew a certificate, you should also rotate the private key to generate the new certificate version.