Creating a Certificate to Manage Externally
Create a certificate to manage externally if you prefer to manage the certificate's private key yourself, instead of using a Certificates service certificate authority (CA) to manage the key.
You can create a certificate in multiple ways, including using the Certificates service to issue a certificate and importing a certificate issued by a third-party certificate authority (CA). For the steps to import a certificate, see Importing a Certificate.
How you plan to manage the certificate also affects how you create it. When you issue a certificate, you can have the same Certificates service CA generate the private key and hold it for you (internal management). Alternatively, you can generate the private key and a certificate signing request (CSR) on the server where you plan to install the certificate, and submit only the CSR to the CA; the private key never leaves that server (external management). This task describes how to issue a certificate with a private key that you manage externally. For steps to issue a certificate that you manage internally with a Certificates service CA, see Creating a Certificate.
On the Certificates list page, select Create certificate. If you need help finding the list page, see Listing Certificates. The Create certificate panel opens.
Creating a certificate consists of the following pages:
- Basic Information
- Subject Information
- Certificate Configuration
- Rules
- Summary
Run each of the following workflows in order. You can return to a previous page by selecting Previous.
Basic Information
Enter the following information:
- Name: Enter the name of the certificate. No certificates in the tenancy can share the same name, including certificates pending deletion.
- Description: (Optional) Enter a description for the certificate.
- Compartment: Select the compartment where the certificate resides from the list.
- Certificate type: Select Issued by internal CA, managed externally. This option creates a certificate issued by a Certificates service private certificate authority that you intend to manage outside the service.
Tagging
If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
Select Next.
Subject Information
For certificates that you manage externally, the subject is taken from the certificate signing request that you supply on the Certificate Configuration page, so you don't enter subject information here.
Select Next.
Certificate Configuration
Enter the following information:
- Issuer certificate authority compartment: Select the compartment containing the certificate authority you want to use.
- Issuer certificate authority: Select the certificate authority you want. The certificate authorities listed are those contained in the issuer certificate authority compartment you selected.
- Not valid before: Enter the date (mm/dd/yyyy), or use the calendar tool, for the start of the validity period; before this date the certificate can't be used to validate the identity of its bearer. If you don't specify a date, the validity period begins immediately.
- Time: Enter the time (hh:mm) in UTC for the day that you specified that the certificate isn't valid before.
- Not valid after: Enter the date (mm/dd/yyyy), or use the calendar tool, for the end of the validity period; after this date the certificate is no longer valid proof of the identity of its bearer. You must specify a date at least one day later than the start of the validity period, and the date must not exceed the expiration of the issuing CA.
You can't specify a date beyond December 31, 2037. Typically, certificates are used for the entirety of the period that they're valid unless something happens to require revocation. The default value is three months after the certificate is created.
- Time: Enter the time (hh:mm) in UTC for the day that you specified that the certificate isn't valid after.
- Certificate signing request: Select one of the following options for how you want to import the certificate signing request in PEM format:
- Upload file: Select the Drop a file or select one box and browse to where the certificate signing request file resides. Select it for uploading. You can also drag the PEM file from your computer to this box.
- Paste content: Open the certificate signing request file on your computer. Copy the contents and paste it into the text box.
Select Next.
Rules
You can't configure automatic renewal for certificates that the Certificates service doesn't manage. Because the service doesn't hold the private key, it can't generate a new key or CSR on your behalf; track the expiration date and renew the certificate yourself before it expires.
Select Next.
Summary
Review the contents of the Summary page. Select Edit to add or change information in the associated page. When the settings are fully verified, select Create certificate.
The certificate you created appears in the Certificates list page.
Use the oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca command and required parameters to create a certificate with a private key that you plan to manage externally:
oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <issuing_CA_OCID> --name <certificate_name> --csr-pem <certificate_signing_request_file> [OPTIONS]
For example:
oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name externalCert --csr-pem file://path/to/externalcert.pem
For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.
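The following script is an added example, not part of the OCI documentation or the OCI CLI. It carries out the externally managed workflow end to end on the server that will hold the key: generate the private key and CSR there, check the CSR before it goes anywhere, and then submit it with the CLI command above. It assumes openssl is installed, that COMPARTMENT_OCID and ISSUER_CA_OCID are set in the environment, and that the hostname and certificate name passed as arguments are placeholders.

```shell
#!/bin/sh
# Added example; not part of the OCI documentation or the OCI CLI itself.
# Generates the private key and CSR on the host that will hold the key, checks the CSR
# before sending it anywhere, and submits it with the CLI command shown on this page.
# Assumptions: openssl is installed; COMPARTMENT_OCID and ISSUER_CA_OCID are set in the
# environment; the hostname and certificate name passed in are placeholders.

set -eu

# Generate an EC P-256 private key (mode 0600) and a CSR for it. Only the CSR leaves
# this host; the key stays here, which is what "managed externally" means.
make_csr() {
    host="$1"
    key="$host.key.pem"
    csr="$host.csr.pem"
    cfg="$host.csr.cnf"
    # CSR request configuration: subject plus a SAN, which modern clients require.
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
EOF
    # Subshell so the restrictive umask applies only to the key file.
    (umask 077 && openssl ecparam -name prime256v1 -genkey -noout -out "$key")
    openssl req -new -key "$key" -config "$cfg" -out "$csr"
    printf '%s\n' "$csr"
}

# Check a CSR before submitting it: the self-signature must verify (proves the
# requester holds the matching private key) and the SAN must name the expected
# host. Returns non-zero on either failure, otherwise prints the subject.
check_csr() {
    csr="$1"
    host="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -text | grep -q "DNS:$host" || return 1
    openssl req -in "$csr" -noout -subject
}

# Submit the CSR with the OCI CLI command from this page. Requires a configured
# OCI CLI; the issuer must be a Certificates service private CA in the compartment.
submit_csr() {
    csr="$1"
    name="$2"
    oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca \
        --compartment-id "${COMPARTMENT_OCID:?set to the compartment OCID}" \
        --issuer-certificate-authority-id "${ISSUER_CA_OCID:?set to the issuing CA OCID}" \
        --name "$name" \
        --csr-pem "file://$csr"
}

# Usage (hypothetical file name): sh make-csr.sh app.example.com externalCert
if [ $# -ge 2 ]; then
    csr=$(make_csr "$1")
    check_csr "$csr" "$1"
    submit_csr "$csr" "$2"
fi
```

Run it on the server where the certificate will be installed, not on an administrator's workstation, so the key file is created in place and never copied. The check_csr step is worth keeping even though the CA validates the CSR again: catching a missing SAN or a wrong hostname locally avoids issuing a certificate you then have to revoke.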
Run the CreateCertificate operation to create a certificate that you plan to manage externally.