Creating a Certificate to Manage Externally

Create a certificate to manage externally if you prefer to manage the certificate's private key yourself, instead of using a Certificates service certificate authority (CA) to manage the key.

You can create a certificate in multiple ways, including using the Certificates service to issue a certificate and importing a certificate issued by a third-party certificate authority (CA). For the steps to import a certificate, see Importing a Certificate.

How you manage the private key also determines how you create the certificate. When you issue a certificate, you can let the same Certificates service CA generate and store the private key, so that it handles everything. Alternatively, you can generate the private key and a certificate signing request (CSR) on the server where you plan to install the certificate, and submit only the CSR to the CA; the private key then stays on that server under your control, and the Certificates service never receives it. This task describes how to issue a certificate with a private key that you manage externally. For steps to issue a certificate whose private key a Certificates service CA manages, see Creating a Certificate.

  • In the Console:
    1. Open the navigation menu and click Identity & Security.
    2. Under Certificates, click Certificates.
    3. Click Create Certificate.
    4. Under Compartment, choose the compartment where you want to create the certificate. The certificate can exist in the same compartment as the CA or a different one.
    5. Under Certificate Type, to have a Certificates service CA issue a certificate whose private key you generate and keep yourself (for example, on the server where the certificate will be installed), click Issued by internal CA, managed externally.
    6. Enter a display name for the certificate. Avoid entering confidential information.
    7. (Optional) Enter a description to help identify the certificate. Avoid entering confidential information.
    8. (Optional) To apply tags, click Show Tagging Options. For more information about tags, see Resource Tags.
    9. Click Next.
    10. For certificates whose private key you manage externally, the subject information is taken from the CSR that you provide in a later step, so you don't need to enter it here. Click Next again.
    11. To change the CA that issues the certificate, under Issuer Certificate Authority, choose a CA. If needed, click Change Compartment, and then choose a different compartment if the CA is in a different compartment from the one you selected for the certificate.
    12. (Optional) Click Not Valid Before, and then enter a date before which the certificate can't be used to validate the identity of its bearer. If you don't specify a date, the certificate validity period begins immediately. Values are rounded up to the nearest second.
    13. Click Not Valid After, and then change the date after which the certificate is no longer valid proof of the identity of its bearer. You must specify a date at least one day later than the starting date of the validity period. The date must not exceed the expiration of the issuing CA. You also can't specify a date beyond December 31, 2037. Values are rounded up to the nearest second. Typically, certificates are used for the entirety of the period that they're valid unless something happens to require revocation.
    14. Under Certificate Signing Request, provide the CSR by doing one of the following:
      • Click Upload File, and then click Select One to upload the CSR as a file in PEM format.
      • Click Paste Content, and then click the text box to paste the CSR contents directly.

        Provide only the CSR. The private key that signed it stays on your server; don't upload or paste it. The subject information in the CSR is used for the issued certificate.

        When you're ready, click Next.

    15. Automatic renewal isn't available for certificates whose private key the Certificates service doesn't manage, because renewing would require the service to hold the key. Click Next to continue.
    16. Verify that the information is correct, and then click Create Certificate.
  • Use the oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca command and required parameters to create a certificate with a private key that you plan to manage externally:

    oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <issuing_CA_OCID> --name <certificate_name> --csr-pem <certificate_signing_request_file>

    For example:

    oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name externalCert --csr-pem file://path/to/externalcert.pem

    For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

  • Run the CreateCertificate operation to create a certificate that you plan to manage externally.
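The full workflow on the server side, as an added example that is not code from the original page or from the Certificates service: generate the private key and CSR locally with OpenSSL, run pre-upload checks on the CSR, submit it with the CLI command shown above, and, once the certificate is issued, confirm that the returned certificate actually carries the local key's public key. The file names, subject, SANs and the environment variables holding the OCIDs are assumptions; the certificate-bundle retrieval command is not on this page and is an assumption to check against the CLI Command Reference.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): keep the private key on the server,
# upload only the CSR, and verify what the CA returns. Needs OpenSSL 1.1.1+ for -addext.
set -eu

# Generate an EC P-256 private key readable only by the owner, then a CSR signed with it.
# Arguments: key file, CSR file, common name, SAN list such as "DNS:a.example.com,DNS:b.example.com".
make_key_and_csr() {
  local key="$1" csr="$2" cn="$3" san="$4"
  umask 077
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$key" 2>/dev/null
  openssl req -new -key "$key" -subj "/CN=${cn}" -addext "subjectAltName=${san}" -out "$csr" 2>/dev/null
}

# Pre-upload check: the CSR's self-signature must verify and it must name the expected host.
# Returns 0 when both hold, 1 otherwise.
verify_csr() {
  local csr="$1" expected_dns="$2" text
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  text=$(openssl req -in "$csr" -noout -text)
  case "$text" in
    *"DNS:${expected_dns}"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the DER SubjectPublicKeyInfo of a private key, CSR or certificate on stdout.
spki_der() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    csr)  openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    *)    echo "spki_der: expected key|csr|cert, got '$1'" >&2; return 2 ;;
  esac
}

# SHA-256 of the public key, so a key, a CSR and an issued certificate can be compared.
pubkey_sha256() {
  spki_der "$1" "$2" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Post-issuance check: the certificate the CA returned must carry our public key.
cert_matches_key() {
  [ "$(pubkey_sha256 cert "$1")" = "$(pubkey_sha256 key "$2")" ]
}

# Submit the CSR with the CLI command from this page and print the new certificate's OCID.
# COMPARTMENT_OCID, ISSUER_CA_OCID and CERT_NAME are assumed to be set in the environment.
submit_csr() {
  oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca \
    --compartment-id "$COMPARTMENT_OCID" \
    --issuer-certificate-authority-id "$ISSUER_CA_OCID" \
    --name "$CERT_NAME" \
    --csr-pem "file://$1" \
    --query 'data.id' --raw-output
}

# Download the issued certificate PEM. This command is not on this page; it is an
# assumption to confirm against the CLI Command Reference before relying on it.
fetch_issued_pem() {
  oci certs certificate-bundle get --certificate-id "$1" \
    --bundle-type CERTIFICATE_CONTENT_PUBLIC_ONLY \
    --query 'data."certificate-pem"' --raw-output
}

# End-to-end run; only executed when invoked as: ./script.sh submit
if [ "${1:-}" = "submit" ]; then
  make_key_and_csr server.key server.csr "app.example.com" "DNS:app.example.com,DNS:www.example.com"
  verify_csr server.csr "app.example.com" || { echo "CSR failed pre-upload checks" >&2; exit 1; }
  cert_id=$(submit_csr server.csr)
  echo "submitted; certificate OCID: $cert_id"
  # The bundle may not be available until the certificate is active; rerun this part if it fails.
  fetch_issued_pem "$cert_id" > server.crt
  if cert_matches_key server.crt server.key; then
    echo "issued certificate matches server.key"
  else
    echo "MISMATCH: server.crt does not carry the public key of server.key" >&2; exit 1
  fi
fi
```

The two fingerprint comparisons are the checks worth keeping around: comparing the CSR against the key before upload catches a CSR generated from the wrong key, and comparing the issued certificate against the key afterwards catches a certificate that was issued from a different CSR than the one you meant to submit. Because the service never holds this private key, rotation later means generating a new key and CSR on the server and repeating the submission rather than relying on automatic renewal.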