Creating a Certificate

Create a certificate to manage internally, including the certificate's private key.

You must have the appropriate level of security access to create a certificate. For more information, see Required IAM Policy.

You can create a certificate in several ways, including by using the Certificates service to issue one, or by importing a certificate issued by a third-party certificate authority (CA). For the steps to import a certificate, see Importing a Certificate.

When you issue a certificate, you can generate and manage the private key internally by using the same CA to handle everything. You can also generate a certificate signing request (CSR) and private key on the server where you plan to install the certificate, and then submit that CSR to a CA to issue a certificate, while managing the private key externally.

This topic describes how to issue a certificate that you plan to manage internally. For the steps to issue a certificate that you manage externally with a third-party CA, see Creating a Certificate to Manage Externally.

  • On the Certificates list page, select Create certificate. If you need help finding the list page, see Listing Certificates.

    The Create certificate panel opens.

    Creating a certificate consists of the following pages:

    • Basic Information
    • Subject Information
    • Certificate Configuration
    • Rules
    • Summary

    Run each of the following workflows in order. You can return to a previous page by selecting Previous.

    Basic Information

    Enter the following information:

    • Name: Enter the name of the certificate. No certificates in the tenancy can share the same name, including certificates pending deletion.
    • Description: (Optional) Enter a description for the certificate.
    • Compartment: Select the compartment where the certificate resides from the list.
    • Certificate type: Select one of the following options:
      • Issued by internal CA: Creates a certificate issued and managed by a Certificates service private certificate authority (CA).
      • Issued by internal CA, managed externally: Creates a certificate issued by a Certificates service private certificate authority that you intend to manage outside the service.

    Tagging

    If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.

    Select Next.

    Subject Information

    The Subject information page is where you provide a common name to identify the owner of the certificate. Depending on the certificate's intended use, the subject might identify a person, organization, or computer endpoint. Subject information can also include DNS names or IP addresses as subject alternative names by which the certificate bearer is also known. You can use wildcards to issue a certificate for multiple domain or subdomain names.

    Enter the following information:

    • Common name: Enter a common name.
    • Subject alternative names: Select one of the following options and enter its corresponding value:
      • DNS name
      • IP address

      Select Another subject alternative name to add another DNS name or IP address.

    Additional Fields

    Enter the requested information, such as the name, address, and organizational information of the subject. For details about each of the values in a subject distinguished name, see RFC 5280.

    Select Next.

    Certificate Configuration

    Enter the following information:

    • TLS server or client: Select one of the following options from the list:
      • TLS Server or client: Presented by a server or client for TLS/SSL connections.
      • TLS Server: Presented by a server for TLS/SSL connections.
      • TLS client: Presented by a client during TLS/SSL connections.
      • TLS code sign: Presented by a program to validate its signature.
    • Issuer certificate authority compartment: Select the compartment containing the certificate authority you want to use.
    • Issuer certificate authority: Select the certificate authority you want. The certificate authorities listed are those contained in the issuer certificate authority compartment you selected.
    • Not valid before: Enter the date (mm/dd/yyyy), or use the calendar tool, to specify the date before which the certificate can't be used to validate the identity of its bearer. If you don't specify a date, the certificate validity period begins immediately.
    • Time: Enter the time (hh:mm), in UTC, on the Not valid before date you specified.
    • Not valid after: Enter the date (mm/dd/yyyy), or use the calendar tool, to specify the date after which the certificate is no longer valid proof of the identity of its bearer. You must specify a date at least one day later than the starting date of the validity period. The date must not exceed the expiration of the issuing CA.

      You can't specify a date beyond December 31, 2037. Typically, certificates are used for the entirety of the period that they're valid unless something happens to require revocation. The default value is three months after the certificate is created.

    • Time: Enter the time (hh:mm), in UTC, on the Not valid after date you specified.
    • Key algorithm: Select the algorithm and key length combination that you need for the certificate key pair from the following options:
      • RSA2048: Rivest-Shamir-Adleman (RSA) 2048-bit key.
      • RSA4096: RSA 4096-bit key.
      • ECDSA_P256: Elliptic curve cryptography digital signature algorithm (ECDSA) key with a P256 curve ID.
      • ECDSA_P384: ECDSA key with a P384 curve ID.

    Show additional fields

    Signature algorithm: (Optional) Select one of the following signing algorithms, depending on the certificate authority you selected:

    • SHA256_WITH_RSA: Rivest-Shamir-Adleman (RSA) key with a SHA-256 hash function.
    • SHA384_WITH_RSA: RSA key with a SHA-384 hash function.
    • SHA512_WITH_RSA: RSA key with a SHA-512 hash function.
    • SHA256_WITH_ECDSA: Elliptic curve cryptography digital signature algorithm (ECDSA) key with a SHA-256 hash function.
    • SHA384_WITH_ECDSA: ECDSA key with a SHA-384 hash function.
    • SHA512_WITH_ECDSA: ECDSA key with a SHA-512 hash function.

    Select Next.

    Rules

    The Rules page is where you select the renewal rule settings. For maximum flexibility, renew the certificate before the end of its validity period and with enough advance renewal time in case of failures. A certificate that expires before the service can successfully renew it can result in service disruptions.

    • Renewal interval (days): Specify the number of days after which the certificate is renewed.
    • Advance renewal period (days): Specify how many days before its scheduled renewal the certificate is renewed, leaving time to retry if a renewal attempt fails.
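    The validity-window rules from the Certificate Configuration page and the renewal settings from the Rules page interact: a renewal that is scheduled to fire after the certificate has already expired leaves a gap. The following Python is an added example, not part of this documentation or the OCI SDK, that encodes those rules (start defaults to now, end defaults to three months later, end at least one day after start, end no later than the issuing CA's expiry and no later than December 31, 2037) and computes when a renewal would fire. Function and parameter names are this example's own; the reading that the renewal fires `advance_renewal_days` before the point `renewal_interval_days` after the start of validity is this example's interpretation of the two Rules fields.

```python
"""Validity-window and renewal-schedule checks for an internally managed certificate.

Added example; not OCI documentation or SDK code. All times are timezone-aware UTC,
matching the console's UTC time fields.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# The console rejects any "Not valid after" date beyond this day (UTC).
MAX_NOT_VALID_AFTER = datetime(2037, 12, 31, 23, 59, 59, tzinfo=UTC)


def add_months(when, months):
    """Calendar-month arithmetic with the day clamped to the target month's length."""
    month_index = when.month - 1 + months
    year = when.year + month_index // 12
    month = month_index % 12 + 1
    # Length of the target month: first day of the following month, minus one day.
    first_of_next = datetime(year + month // 12, month % 12 + 1, 1, tzinfo=UTC)
    last_day = (first_of_next - timedelta(days=1)).day
    return when.replace(year=year, month=month, day=min(when.day, last_day))


def check_validity(not_before, not_after, ca_not_after, now):
    """Apply the validity-window rules; return a list of problems (empty when acceptable).

    not_before / not_after may be None, in which case the console defaults apply:
    validity begins immediately and ends three months after creation.
    """
    problems = []
    start = not_before or now
    end = not_after or add_months(now, 3)
    if end < start + timedelta(days=1):
        problems.append("Not valid after must be at least one day after the start of validity")
    if end > ca_not_after:
        problems.append("Not valid after exceeds the expiration of the issuing CA")
    if end > MAX_NOT_VALID_AFTER:
        problems.append("Not valid after is beyond December 31, 2037")
    return problems


def renewal_schedule(start, end, renewal_interval_days, advance_renewal_days):
    """Return (fire_time, problems) for the renewal rule.

    Assumption (this example's reading of the Rules page): the renewal is targeted at
    start + renewal_interval_days and the process runs advance_renewal_days earlier,
    so that a failed attempt can be retried while the current certificate is still valid.
    """
    problems = []
    if renewal_interval_days <= 0 or advance_renewal_days < 0:
        problems.append("renewal interval must be positive and advance period non-negative")
        return None, problems
    if advance_renewal_days >= renewal_interval_days:
        problems.append("advance renewal period must be shorter than the renewal interval")
    target = start + timedelta(days=renewal_interval_days)
    fire = target - timedelta(days=advance_renewal_days)
    if fire >= end:
        problems.append("certificate expires before the renewal fires: shorten the interval "
                        "or lengthen the advance renewal period")
    if fire <= start:
        problems.append("renewal would fire before the certificate becomes valid")
    return fire, problems


if __name__ == "__main__":
    # Constructed sample: a 90-day certificate created on 2025-01-01 under a CA valid to 2030.
    now = datetime(2025, 1, 1, tzinfo=UTC)
    ca_expiry = datetime(2030, 1, 1, tzinfo=UTC)
    end = datetime(2025, 4, 1, tzinfo=UTC)
    print("validity problems:", check_validity(now, end, ca_expiry, now))
    fire, issues = renewal_schedule(now, end, renewal_interval_days=90, advance_renewal_days=30)
    print("renewal fires at", fire.isoformat(), "problems:", issues)
    # A 31-day certificate with the same rule expires before the renewal would run.
    print(renewal_schedule(now, datetime(2025, 2, 1, tzinfo=UTC), 90, 30)[1])
```

    Run the script to see the sample schedule; call `check_validity` and `renewal_schedule` with the dates and day counts you intend to enter in the console to confirm that the renewal fires while the current certificate is still valid.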

    Select Next.

    Summary

    Review the contents of the Summary page. Select Edit to add or change information in the associated page. When the settings are fully verified, select Create certificate.

    The certificate you created appears in the Certificates list page.

  • Use the oci certs-mgmt certificate create-certificate-issued-by-internal-ca command and required parameters to create a certificate:

    oci certs-mgmt certificate create-certificate-issued-by-internal-ca --certificate-profile-type <certificate_usage_profile> --compartment-id <compartment_OCID> --issuer-certificate-authority-id <issuing_CA_OCID> --name <certificate_name> --subject <subject_information> [OPTIONS]

    For example:

    oci certs-mgmt certificate create-certificate-issued-by-internal-ca --certificate-profile-type TLS_SERVER_OR_CLIENT --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name internalCert --subject file://path/to/certsubject.json
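    The `--subject file://path/to/certsubject.json` argument in the example above carries the same fields that the Subject Information page collects in the console: a common name, optional distinguished-name attributes, and DNS or IP subject alternative names (SANs), with wildcards permitted for DNS names. The following Python is an added example, not part of this documentation or the OCI CLI, that validates those inputs (RFC 5280 length limits on the common name, organization and country attributes; hostname label syntax and a leftmost-label-only wildcard rule for DNS SANs; IPv4/IPv6 syntax for IP SANs) and writes the JSON to pass to the CLI. Assumptions: the subject keys follow the Certificates API CertificateSubject model (`commonName` plus camelCase attribute names), and the SAN entries follow its CertificateSubjectAlternativeName model (`{"type": "DNS" | "IP", "value": ...}`) passed with a `--subject-alternative-names` flag that this topic does not show; confirm both against the CLI Command Reference before use.

```python
"""Build and sanity-check the subject and SAN input for an internally managed certificate.

Added example; not OCI documentation or CLI code. JSON key names are assumed to match the
Certificates API CertificateSubject / CertificateSubjectAlternativeName models.
"""
import ipaddress
import json
import re
from typing import Optional

# RFC 5280 upper bounds for the attributes this example checks.
UB_COMMON_NAME = 64
UB_ORGANIZATION = 64
UB_COUNTRY = 2
# Distinguished-name attributes accepted here (assumed CertificateSubject key names).
ALLOWED_DN = {"country", "stateOrProvince", "locality", "street", "organization", "organizationalUnit"}

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_dns_name(name: str) -> Optional[str]:
    """Return None if name is a valid (optionally wildcard) DNS SAN, else the reason it is not."""
    if not name or len(name) > 253:
        return "DNS name is empty or longer than 253 characters"
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        # A wildcard is accepted only as the entire leftmost label, e.g. *.example.com.
        labels = labels[1:]
        if len(labels) < 2:
            return "wildcard must be followed by at least two labels, e.g. *.example.com"
    elif len(labels) < 2:
        return "DNS name must have at least two labels"
    for label in labels:
        if "*" in label:
            return "wildcard may appear only as the entire leftmost label"
        if not _LABEL.match(label):
            return f"invalid DNS label {label!r}"
    return None


def check_ip_address(value: str) -> Optional[str]:
    """Return None if value parses as an IPv4 or IPv6 address, else the reason it does not."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return f"not a valid IPv4/IPv6 address: {value!r}"
    return None


def check_san(san_type: str, value: str) -> Optional[str]:
    """Dispatch on the SAN type offered by the console: DNS name or IP address."""
    if san_type == "DNS":
        return check_dns_name(value)
    if san_type == "IP":
        return check_ip_address(value)
    return f"unknown SAN type {san_type!r}; use DNS or IP"


def build_subject(common_name: str, **dn_attributes: str) -> dict:
    """Return the --subject dict; raise ValueError on input the CA would have to reject."""
    if not common_name or len(common_name) > UB_COMMON_NAME:
        raise ValueError(f"common name must be 1-{UB_COMMON_NAME} characters")
    subject = {"commonName": common_name}
    for key, value in dn_attributes.items():
        if key not in ALLOWED_DN:
            raise ValueError(f"unsupported subject attribute {key!r}")
        if key == "country" and len(value) != UB_COUNTRY:
            raise ValueError("country must be a two-letter code")
        if key == "organization" and len(value) > UB_ORGANIZATION:
            raise ValueError(f"organization must be at most {UB_ORGANIZATION} characters")
        subject[key] = value
    return subject


def build_sans(entries) -> list:
    """Validate [(type, value), ...] and return the SAN list in the assumed API shape."""
    problems = [f"{t} {v!r}: {check_san(t, v)}" for t, v in entries if check_san(t, v)]
    if problems:
        raise ValueError("; ".join(problems))
    return [{"type": t, "value": v} for t, v in entries]


if __name__ == "__main__":
    # Constructed sample input; the domain and address are placeholders.
    subject = build_subject("app.example.com", organization="Example Corp", country="US")
    sans = build_sans([("DNS", "app.example.com"), ("DNS", "*.app.example.com"), ("IP", "10.0.0.12")])
    with open("certsubject.json", "w") as fh:
        json.dump(subject, fh, indent=2)        # file referenced by --subject file://certsubject.json
    with open("certsans.json", "w") as fh:
        json.dump(sans, fh, indent=2)           # assumed to suit --subject-alternative-names file://
    print(json.dumps({"subject": subject, "sans": sans}, indent=2))
```

    Running the script writes `certsubject.json` in the current directory, which is the file the CLI example references. Rejecting `app.*.example.com` or a three-letter country code locally is cheaper than a failed create call, and the same checks apply to what is typed into the console's Subject Information page.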

    For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

  • Run the CreateCertificate operation to create a certificate that you plan to manage internally.