Issuing a Subordinate Certificate Authority
Issue a subordinate certificate authority (CA).
You must already have a root CA in Oracle Cloud Infrastructure Certificates to create a subordinate CA. You can issue a subordinate CA from any other CA as long as you don't exceed the total allowable number of CAs in the tenancy.
Creating a CA requires you to have access to an existing hardware-protected, asymmetric encryption key from the Oracle Cloud Infrastructure Vault service. For more information, see Overview of Vault.
When you create a CA with a certificate revocation list (CRL), you can specify an OCI Object Storage bucket where you want to store the CRL. The bucket must already exist at the time you create the CA.
Use the oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca command and required parameters to issue a subordinate CA:
oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <parent_CA_OCID> --name <CA_display_name> --subject <certificate_subject_information> --kms-key-id <Vault_encryption_key_OCID>
For example:
oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name mySubCA --subject file://path/to/casubject.json --kms-key-id ocid1.key.oc1.<region>.<unique_id>
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
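As an added example (not from the OCI documentation), the following POSIX shell pre-flight writes the subject file that the --subject file:// argument points at and checks, against the JSON that oci kms management key get returns, that the chosen Vault key is HSM-protected and asymmetric before the create command is run. The key JSON and subject values are constructed samples; the camelCase subject field names assume the OCI CertificateSubject model.

```shell
#!/bin/sh
# Added example, not OCI's own code. Before running
# create-subordinate-ca-issued-by-internal-ca, confirm that the Vault key is
# hardware-protected (HSM) and asymmetric, as the CA requirements demand.

# Write the subject file referenced by --subject file://casubject.json.
# Field names assume the OCI CertificateSubject model (commonName is required).
write_subject_json() {
  cat > "$1" <<'EOF'
{
  "commonName": "mySubCA",
  "organization": "Example Org",
  "organizationalUnit": "Security",
  "country": "US"
}
EOF
}

# Return 0 only if the key JSON (output of `oci kms management key get`)
# shows protection-mode HSM and an asymmetric algorithm (RSA or ECDSA).
# SOFTWARE-protected or symmetric (AES) keys are rejected.
check_ca_key() {
  flat=$(tr -d ' \n\t' < "$1")
  case "$flat" in
    *'"protection-mode":"HSM"'*) ;;
    *) echo "key is not HSM-protected" >&2; return 1 ;;
  esac
  case "$flat" in
    *'"algorithm":"RSA"'*|*'"algorithm":"ECDSA"'*) return 0 ;;
    *) echo "key is not asymmetric" >&2; return 1 ;;
  esac
}

# Constructed samples of trimmed `oci kms management key get` output.
cat > /tmp/good_key.json <<'EOF'
{ "data": { "key-shape": { "algorithm": "RSA", "length": 512 },
            "protection-mode": "HSM", "lifecycle-state": "ENABLED" } }
EOF
cat > /tmp/bad_key.json <<'EOF'
{ "data": { "key-shape": { "algorithm": "AES", "length": 32 },
            "protection-mode": "SOFTWARE", "lifecycle-state": "ENABLED" } }
EOF

write_subject_json /tmp/casubject.json
check_ca_key /tmp/good_key.json && echo "key OK: pass it as --kms-key-id"
check_ca_key /tmp/bad_key.json || echo "key rejected: pick an HSM RSA/ECDSA key"
```

Once the check passes, run the create-subordinate-ca-issued-by-internal-ca command from the page with --subject file:///tmp/casubject.json and the validated key's OCID.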
Run the CreateCertificateAuthority operation to issue a subordinate CA.