Creating a Certificate to Manage Externally

• Console
• CLI
• API

• 1. Open the navigation menu and click Identity & Security.
  2. Under Certificates, click Certificates.
  3. Click Create Certificate.
  4. Under Compartment, choose the compartment where you want to create the certificate. The certificate can exist in the same compartment as the CA or a different one.
  5. Under Certificate Type, to issue a certificate from a Certificates service CA that's later managed by an external, third-party CA, click Issued by internal CA, managed externally.
  6. Enter a unique display name for the certificate. Avoid entering confidential information.
     Note
     
     No two certificates in the tenancy can share the same name, including certificates pending deletion.
  7. (Optional) Enter a description to help identify the certificate. Avoid entering confidential information.
  8. (Optional) To apply tags, click Show Tagging Options. For more information about tags, see Resource Tags.
  9. Click Next.
  10. For certificates that a third-party CA manages, you don't need to provide subject information. Instead, click Next again.
  11. To change the CA that issues the certificate, under Issuer Certificate Authority, choose a CA. If needed, click Change Compartment, and then choose a different compartment if the CA is in a different compartment from the one you selected for the certificate.
  12. (Optional) Click Not Valid Before, and then enter a date before which the certificate can't be used to validate the identity of its bearer. If you don't specify a date, the certificate validity period begins immediately. Values are rounded up to the nearest second.
  13. Click Not Valid After, and then change the date after which the certificate is no longer valid proof of the identity of its bearer. You must specify a date at least one day later than the starting date of the validity period. The date must not exceed the expiration of the issuing CA. You also can't specify a date beyond December 31, 2037. Values are rounded up to the nearest second. Typically, certificates are used for the entirety of the period that they're valid unless something happens to require revocation.
  14. Under Certificate Signing Request, provide certificate contents by doing one of the following:
      • Click Upload File, and then click Select One to upload the certificate as a file in PEM format.
      • Click Paste Content, and then click the text box to paste the certificate contents directly.

        When you're ready, click Next.

  15. You can't configure automatic renewal for certificates that the Certificates service doesn't manage. Click Next to continue.
  16. Verify that the information is correct, and then click Create Certificate.

• Use the oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca command and required parameters to create a certificate with a private key that you plan to manage externally:

  oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <issuing_CA_OCID> --name <certificate_name> --csr-pem <certificate_signing_request_file>

  For example:

  oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name externalCert --csr-pem file://path/to/externalcert.pem

  For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

• Run the CreateCertificate operation to create a certificate that you plan to manage externally.