Issuing a Subordinate Certificate Authority

Create a subordinate certificate authority (CA).

You must already have a root certificate authority in Oracle Cloud Infrastructure Certificates to create a subordinate certificate authority. You can issue a subordinate certificate authority from any other certificate authority as long as you don't exceed the total allowable number of certificate authorities in the tenancy.

Creating a certificate authority requires you to have access to an existing hardware-protected, asymmetric encryption key from the Oracle Cloud Infrastructure Vault service. For more information, see Overview of Vault.

When you create a certificate authority with a certificate revocation list (CRL), you can specify an OCI Object Storage bucket where you want to store the CRL. The bucket must already exist at the time you create the certificate authority.

    1. On the Certificate Authorities list page, find the certificate authority that you want to work with. If you need help finding the list page or the certificate authority, see Listing Certificates.
    2. From the Actions menu for the certificate authority, select Issue Subordinate Certificate Authority.

       Note: If the selected CA is an external root CA, you can only issue a subordinate CA that is internally managed and externally issued.

       The Create certificate authority panel opens.
    3. Create the certificate authority as described in Creating a Certificate Authority.
  • Issue a subordinate certificate authority based on your certificate type.

    Issuing a Subordinate CA for an Internally Created CA

    Use the oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca command and required parameters to issue a subordinate CA:

    oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <parent_CA_OCID> --name <CA_display_name> --subject <certificate_subject_information> --kms-key-id <Vault_encryption_key_OCID>

    For example:

    oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name mySubCA --subject file://path/to/casubject.json --kms-key-id ocid1.key.oc1.<region>.<unique_id>

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

    Issuing a Subordinate CA for an Externally Created CA

    Use the create-subordinate-ca-managed-internally-issued-by-external-ca command and required parameters to issue a subordinate CA:

    oci certs-mgmt certificate-authority create-subordinate-ca-managed-internally-issued-by-external-ca --issuer-certificate-authority-id <your_certificate_authority_id> --subject '{ <your_json_data> }' --compartment-id <your-compartment-id> --name <your_certificate_authority_name> --kms-key-id <your_kms_id>

    For example:

    oci certs-mgmt certificate-authority create-subordinate-ca-managed-internally-issued-by-external-ca \
        --issuer-certificate-authority-id ocid1.certificateauthority.oc1.us-sanjose-1.amaaaaaaxkd4eg... \
        --subject '{
        "commonName": "Example-CN-SubCA-From-ExternalRootCA"
        }' \
        --compartment-id ocid1.compartment.oc1..aaaaaaaa7zl... \
        --name Example_Subordinate_CA \
        --kms-key-id ocid1.key.oc1.us-sanjose-1.grtxobgpaaf7...

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
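    A pre-flight check to run before either command above (an added example, not Oracle's own code): it parses the JSON printed by `oci kms management key get` to confirm the Vault key meets this page's requirement of a hardware-protected, asymmetric key, and assembles the argv for whichever of the two subcommands matches the issuing CA. The hyphenated field names (`protection-mode`, `key-shape`, `lifecycle-state`), the `fake_key_output` helper and its key description are assumptions constructed for offline use.

```python
import json

# Only asymmetric key types can sign a CA certificate; AES keys cannot.
ASYMMETRIC_ALGORITHMS = {"RSA", "ECDSA"}

# The two CLI subcommands from this page, keyed by the kind of issuing CA.
SUBCOMMANDS = {
    "internal": "create-subordinate-ca-issued-by-internal-ca",
    "external": "create-subordinate-ca-managed-internally-issued-by-external-ca",
}


def key_problems(key_get_output):
    """Return the reasons a Vault key cannot back a CA (empty list means OK).

    Input is the JSON printed by `oci kms management key get`; the hyphenated
    field names (protection-mode, key-shape, lifecycle-state) are assumed."""
    data = json.loads(key_get_output)["data"]
    problems = []
    if data.get("protection-mode") != "HSM":
        problems.append("not hardware-protected (protection-mode != HSM)")
    algorithm = data.get("key-shape", {}).get("algorithm")
    if algorithm not in ASYMMETRIC_ALGORITHMS:
        problems.append(f"algorithm {algorithm!r} is not asymmetric")
    if data.get("lifecycle-state") != "ENABLED":
        problems.append("key is not ENABLED")
    return problems


def build_command(issuer_kind, compartment_id, issuer_ca_id, name, subject, kms_key_id):
    """Build argv for the page's commands; raises KeyError if issuer_kind is unknown."""
    return ["oci", "certs-mgmt", "certificate-authority", SUBCOMMANDS[issuer_kind],
            "--compartment-id", compartment_id,
            "--issuer-certificate-authority-id", issuer_ca_id,
            "--name", name,
            "--subject", json.dumps(subject),  # inline JSON, as in the page's example
            "--kms-key-id", kms_key_id]


def fake_key_output(protection_mode, algorithm, state="ENABLED"):
    """Constructed stand-in for `key get` output, for offline testing only."""
    return json.dumps({"data": {"id": "ocid1.key.oc1.<region>.<unique_id>",
                                "protection-mode": protection_mode,
                                "key-shape": {"algorithm": algorithm},
                                "lifecycle-state": state}})
```

    Feed the real `key get` output to `key_problems` and only call the built command when the list comes back empty; a SOFTWARE-protected or AES key is rejected before any CA is created.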

  • Run the CreateCertificateAuthority operation to issue a subordinate certificate authority.