Renewing a Certificate Authority

Renew a certificate authority (CA) when it nears expiration, whenever you need to update its certificate contents, or if it's been revoked because of a security breach of its certificate or its key.

Renewing a certificate authority creates a new certificate authority version with new certificate contents and a new validity period. Certificate authority renewals happen manually; you can't renew a certificate authority automatically by using renewal rules. Before you renew a certificate authority, rotate the key that you use with it so that the new certificate authority version contains updated key material. For more information, see Rotating a Vault Key.

    1. On the Certificate Authorities list page, select the certificate authority that you want to work with. If you need help finding the list page or the certificate authority, see Listing Certificate Authorities.
      The certificate authority's details page opens.
    2. On the certificate authority's details page, select Versions.
      The Versions list opens.
    3. Select Renew certificate authority.
      The Renew certificate authority panel opens.
    4. Depending upon your CA type, perform the following steps to renew your CA.

    Renewing an OCI-created CA

    If you renew an OCI-created CA, fill out the following information.
    1. (Optional) Select Not Valid Before, and then specify the date when you want to begin using the new CA version. If you don't specify a date, the new CA is valid immediately, although you also need to make it the current version to begin using it.
    2. Select Not Valid After, and then specify the date after which the CA can no longer be used to issue or validate subordinate CAs or certificates.
    3. Decide whether you want to begin using the new CA version immediately by doing one of the following:
      • To make the new CA version the current version, clear the Set to Pending checkbox.
      • To make the new CA version the current version later, leave the checkbox selected.
    4. When you're ready, select Renew Certificate Authority.

    Renewing an Externally Imported CA

    Make sure that you manually update your imported root CA certificate in a timely manner. To renew a CA of the type Subordinate Certificate Authority: External CA Issued, Managed Internally, follow these steps.
    1. Select Renew for the CA. The CA version status changes to Pending Activation.
    2. Download the CSR.
    3. Submit the CSR to your issuer (the external CA) and have it signed.
    4. Return to the console and upload the signed certificate.
    5. Complete the process by selecting Activate for the new CA version.
  • The command you use to renew a certificate authority depends on whether the certificate authority is a root certificate authority or a subordinate certificate authority.

    Use the oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details command and required parameters to renew a root certificate authority:

    oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id <CA_OCID> --validity <version_validity_period_JSON> [OPTIONS]

    For example:

    oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --validity file://path/to/validity.json

    To renew a subordinate certificate authority, open a command prompt and run the oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca command and required parameters:

    oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id <CA_OCID> --validity <version_validity_period_JSON> [OPTIONS]

    For example:

    oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --validity file://path/to/validity.json

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
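    The commands above take the new validity period as a JSON file. The following added example (not part of the OCI documentation) checks whether a CA version is inside a renewal window and writes the validity file for the --validity parameter; it assumes the JSON keys timeOfValidityNotBefore and timeOfValidityNotAfter from the Certificates Management Validity model, and adds a check that a renewed subordinate CA does not outlive its issuing CA.

```python
"""Check whether an OCI CA version is due for renewal and build the --validity JSON.

Added example, not from the OCI docs. The keys timeOfValidityNotBefore and
timeOfValidityNotAfter are assumed to match the Certificates Management Validity model.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

RENEWAL_WINDOW_DAYS = 30  # constructed policy: renew once 30 days or fewer remain


def parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2025-01-20T00:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def to_rfc3339(value: datetime) -> str:
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def renewal_due(current_not_after: str, now: str, window_days: int = RENEWAL_WINDOW_DAYS) -> bool:
    """True when the current CA version expires within the window (or has already expired)."""
    return parse_rfc3339(current_not_after) - parse_rfc3339(now) <= timedelta(days=window_days)


def build_validity(not_after: str, not_before: Optional[str] = None,
                   issuer_not_after: Optional[str] = None) -> dict:
    """Return the object to write to validity.json for --validity file://validity.json.

    For a subordinate CA, pass the issuing CA's notAfter as issuer_not_after: a version that
    outlives its issuer cannot chain once the issuer expires, so reject it before submitting.
    """
    end = parse_rfc3339(not_after)
    if not_before is not None and parse_rfc3339(not_before) >= end:
        raise ValueError("timeOfValidityNotBefore must precede timeOfValidityNotAfter")
    if issuer_not_after is not None and end > parse_rfc3339(issuer_not_after):
        raise ValueError("subordinate CA validity must not extend past the issuing CA's notAfter")
    validity = {"timeOfValidityNotAfter": to_rfc3339(end)}
    if not_before is not None:
        validity["timeOfValidityNotBefore"] = to_rfc3339(parse_rfc3339(not_before))
    return validity


if __name__ == "__main__":
    # Constructed sample: a subordinate CA expiring in 19 days under a root valid until 2030.
    now = "2025-01-01T00:00:00Z"
    if renewal_due("2025-01-20T00:00:00Z", now):
        new_end = parse_rfc3339(now) + timedelta(days=3 * 365)
        validity = build_validity(to_rfc3339(new_end), issuer_not_after="2030-01-01T00:00:00Z")
        with open("validity.json", "w") as fh:
            json.dump(validity, fh, indent=2)
        print("wrote validity.json; pass it as --validity file://validity.json")
```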

  • Run the UpdateCertificateAuthority operation to renew a certificate authority.