Editing Certificate Authority Rules

You can edit a certificate authority (CA)'s expiry rule to change the maximum amount of time that a certificate or subordinate certificate authority issued by the certificate authority is valid.

Changes apply only to new certificates and new subordinate certificate authorities that you issue after making the changes. Any previous changes to the expiry rule must be complete and the certificate authority must be in an Active state before you can edit the expiry rule again.

Important

Issuance rules can't be modified after creation.

    1. On the Certificate Authorities list page, select the certificate authority that you want to work with. If you need help finding the list page or the certificate authority, see Listing Certificate Authorities.
      The certificate authority's details page opens.
    2. On the certificate authority's details page, select Rules.
      The Rules list opens.
    3. From the Actions menu for the rule, select Edit Expiry Rule.
      The Edit Rules panel opens.
    4. Update any of the following settings:
      • Maximum Validity Duration for Certificates (Days): The maximum number of days that a certificate issued by this certificate authority can be valid. We recommend a validity period of no more than 90 days.
      • Maximum Validity Duration for Subordinate CA (Days): The maximum number of days that a subordinate certificate authority issued by this certificate authority can be valid, that is, the longest period during which it can issue other certificate authorities or certificates.
    5. Select Update.
  • The command you use to update a certificate authority's expiry rule depends on whether it is a root certificate authority or a subordinate certificate authority.

    Use the oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details command with the required parameters to edit the expiry rule for a root certificate authority:

    oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id <CA_OCID> --certificate-authority-rules <CA_expiry_rules> [OPTIONS]

    For example:

    oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --certificate-authority-rules file://path/to/expiryrules.json

    To edit the expiry rule for a subordinate CA, open a command prompt and run the oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca command with the required parameters:

    oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id <CA_OCID> --certificate-authority-rules <CA_expiry_rules> [OPTIONS]

    For example:

    oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --certificate-authority-rules file://path/to/expiryrules.json

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
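    The CLI examples above pass the expiry rule as a JSON file (expiryrules.json) but the page does not show what that file contains. The following Python helper, added here as an illustration and not Oracle's own code, builds that file from day counts, checks it against the page's 90-day recommendation for certificates, and assembles the matching root or subordinate CLI command. The JSON field names (ruleType, leafCertificateMaxValidityDuration, certificateAuthorityMaxValidityDuration) and the ISO 8601 duration form ("P90D") are taken from the OCI Certificates API's CertificateAuthorityIssuanceExpiryRule as I know it, not from this page, so confirm them in the CLI Command Reference before relying on them; the OCID is a placeholder.

```python
"""Build and sanity-check the expiry-rules JSON passed to
`oci certs-mgmt certificate-authority update-*` via --certificate-authority-rules.

Added example, not Oracle's code. Field names and the "P<n>D" duration form are
assumed from the OCI CertificateAuthorityIssuanceExpiryRule schema; verify them
against the CLI Command Reference. The 90-day ceiling is the page's own advice.
"""
import json
import re
from pathlib import Path

RULE_TYPE = "CERTIFICATE_AUTHORITY_ISSUANCE_EXPIRY_RULE"  # assumed enum value
RECOMMENDED_MAX_LEAF_DAYS = 90  # page: "no more than 90 days"
_DURATION_RE = re.compile(r"^P(\d+)D$")  # only whole-day durations are handled here


def duration(days: int) -> str:
    """Render a day count as an ISO 8601 duration, e.g. 90 -> 'P90D'."""
    return f"P{days}D"


def days_from_duration(value: str) -> int:
    """Parse 'P90D' back to 90; reject anything that is not a whole-day duration."""
    match = _DURATION_RE.match(value)
    if not match:
        raise ValueError(f"expected a day duration like P90D, got {value!r}")
    return int(match.group(1))


def build_expiry_rules(leaf_days: int, ca_days: int) -> list:
    """Return the one-element rules array expected by --certificate-authority-rules.

    leaf_days: Maximum Validity Duration for Certificates (Days)
    ca_days:   Maximum Validity Duration for Subordinate CA (Days)
    """
    for name, value in (("leaf_days", leaf_days), ("ca_days", ca_days)):
        if not isinstance(value, int) or isinstance(value, bool) or value <= 0:
            raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return [{
        "ruleType": RULE_TYPE,
        "leafCertificateMaxValidityDuration": duration(leaf_days),
        "certificateAuthorityMaxValidityDuration": duration(ca_days),
    }]


def exceeds_recommendation(rules: list) -> bool:
    """True when the certificate ceiling is longer than the recommended 90 days."""
    leaf = days_from_duration(rules[0]["leafCertificateMaxValidityDuration"])
    return leaf > RECOMMENDED_MAX_LEAF_DAYS


def write_rules_file(path: str, rules: list) -> Path:
    """Write the rules array as pretty-printed JSON and return the path."""
    out = Path(path)
    out.write_text(json.dumps(rules, indent=2))
    return out


def update_command(ca_ocid: str, rules_path: str, subordinate: bool) -> list:
    """argv for the page's CLI call; the subcommand depends on the CA kind."""
    subcommand = ("update-subordinate-ca-issued-by-internal-ca" if subordinate
                  else "update-root-ca-by-generating-config-details")
    return ["oci", "certs-mgmt", "certificate-authority", subcommand,
            "--certificate-authority-id", ca_ocid,
            "--certificate-authority-rules", f"file://{rules_path}"]


if __name__ == "__main__":
    rules = build_expiry_rules(leaf_days=90, ca_days=365)
    if exceeds_recommendation(rules):
        print("warning: certificate validity exceeds the recommended 90 days")
    path = write_rules_file("expiryrules.json", rules)
    # Placeholder OCID; replace with the real CA OCID before running the CLI.
    cmd = update_command("ocid1.certificateauthority.oc1.<region>.<unique_id>",
                         str(path), subordinate=False)
    print(" ".join(cmd))
    # subprocess.run(cmd, check=True)  # run once the OCID is real and the CLI is configured
```

    Running the script writes expiryrules.json and prints the exact command to paste; it deliberately does not invoke the CLI itself, so you can inspect the JSON first. If an existing rules file is handed to you, days_from_duration lets you read the current ceilings back before deciding whether to shorten them.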

  • Run the UpdateCertificateAuthority operation to edit the expiry rule for a CA.