Issuing a Subordinate Certificate Authority

Issue a subordinate certificate authority (CA).

You must already have a root CA to create a subordinate CA. You can issue a subordinate CA from any other CA as long as you don't exceed the total allowable number of CAs in the tenancy.

Creating a CA requires you to have access to an existing hardware-protected, asymmetric encryption key from the Oracle Cloud Infrastructure Vault service. For more information, see Overview of Vault.

When you create a CA with a certificate revocation list (CRL), you can specify an OCI Object Storage bucket where you want to store the CRL. The bucket must already exist at the time you create the CA.

    1. Open the navigation menu and click Identity & Security.
    2. Under Certificates, click Certificate Authorities.
    3. From the list of CAs in the compartment, click the name of the CA from which you want to issue a subordinate CA.

      To find a CA in a different compartment, under List scope, choose a different compartment.

    4. Under Resources, click Subordinate Certificate Authorities.
    5. Click Issue Subordinate Certificate Authority.
    6. Under Compartment, choose the compartment where you want to create the CA.
    7. Enter a display name for the CA. This name helps you identify the CA for administrative purposes, but doesn't appear as part of the CA certificate. Avoid entering confidential information.
    8. (Optional) Enter a description to help identify the CA. This description helps you identify the CA, but doesn't appear as part of the CA certificate. Avoid entering confidential information.
    9. (Optional) To apply tags, click Show Tagging Options. For more information about tags, see Resource Tags.
    10. When you're ready, click Next.
    11. Provide subject information. Subject information includes at least a common name to identify the owner of the CA certificate. Depending on the certificate's intended use, the subject might identify a person, organization, or computer endpoint. You can use wildcards to issue a certificate for multiple domain or subdomain names.
    12. (Optional) To provide more certificate authority subject information, click Show Additional Fields. For details about each of the values in a subject distinguished name, see RFC 5280. When you're ready, click Next.
    13. (Optional) Click Not Valid Before, and then specify the UTC time and date when you want to begin using the CA. If you don't specify a date, then the CA validity period begins immediately.
    14. Click Not Valid After, and then specify the date after which the CA can no longer be used to issue or validate subordinate CAs or certificates. (You must specify a date at least one day later than the starting date of the validity period. You can't specify a date beyond December 31, 2037. Values are rounded up to the nearest second.)
    15. Under Vault, choose the vault that contains the encryption key that you want to use for the CA certificate. If needed, click Change Compartment to specify a different compartment.
    16. Under Key, choose the key in the vault that you want to use. The list includes only asymmetric keys in the vault because the Certificates service supports only asymmetric keys. Furthermore, the list includes only keys from the same key algorithm family as the key that the parent CA uses. You can choose from Rivest-Shamir-Adleman (RSA) keys that are 2,048 bits or 4,096 bits. You can also choose from Elliptic Curve Digital Signature Algorithm (ECDSA) keys that have an elliptic curve ID of NIST_P384. Specifically, the list includes only these types of asymmetric keys that are protected by a hardware security module (HSM). Certificates doesn't support the use of software-protected keys. For information about creating and managing keys, see Managing Keys.
    17. Click Signing Algorithm, and then choose from one of the following options, depending on the key algorithm family:
      • SHA256_WITH_RSA: Rivest-Shamir-Adleman (RSA) key with a SHA-256 hash function
      • SHA384_WITH_RSA: RSA key with a SHA-384 hash function
      • SHA512_WITH_RSA: RSA key with a SHA-512 hash function
      • SHA256_WITH_ECDSA: Elliptic Curve Digital Signature Algorithm (ECDSA) key with a SHA-256 hash function
      • SHA384_WITH_ECDSA: ECDSA key with a SHA-384 hash function
      • SHA512_WITH_ECDSA: ECDSA key with a SHA-512 hash function

        When you're ready, click Next.

    18. Configure the expiry rule. Under Maximum Validity Duration for Certificates (Days), specify the maximum number of days that a certificate issued by this CA can be valid. We strongly recommend a validity period of no more than 90 days.
    19. Under Maximum Validity Duration for Subordinate CA (Days), specify the maximum number of days that a CA issued by this CA can be valid to issue other CAs or certificates. When you're ready, click Next.
    20. On the Revocation Configuration page, if you don't want to configure a certificate revocation list (CRL), select the Skip Revocation check box. To configure certificate revocation, clear the check box, and then specify an Object Storage Bucket where you plan to store the CRL. If needed, click Change Compartment to find a bucket in a different compartment.
    21. Under Object Name Format, specify the object name. You can include curly braces in the object name to indicate where the service can insert the issuing CA version number. This helps prevent the overwriting of an existing CRL whenever you create another CA version. For more information about object names, see Object Names.
    22. (Optional) Click Custom Formatted URLs, and then provide the URL that you want to use with APIs to access the object. This URL is named in certificates as the CRL distribution point (CDP). You can include curly braces in the URL to indicate where the service can insert the issuing CA version number. By doing this, you can avoid overwriting an existing CDP whenever you create another CA version. (You can specify an HTTPS URL only if verifying the HTTPS server's certificate chain doesn't itself depend on this CRL, because that would create a circular dependency.)
    23. (Optional) To provide another CDP, click + Another URL, and then provide another URL where users can access the CRL.
    24. When you're ready, click Next.
    25. Confirm that the information is correct, and then click Create Certificate Authority.
      It can take a while to create certificate-related resources.
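The following pre-flight check is an added example, not part of this documentation and not OCI SDK code. It encodes the constraints from steps 13, 14, 16, 17 and 19 so that a request can be validated before you click Create Certificate Authority: the key must be HSM-protected RSA (2,048 or 4,096 bits) or ECDSA (NIST_P384) and from the same family as the parent CA's key, the signing algorithm must belong to that family, and the validity window must be at least one day, end no later than December 31, 2037, and (assumed here) fit within the issuing CA's Maximum Validity Duration for Subordinate CA. The dict field names (`algorithm`, `length`, `curve_id`, `protection_mode`) are assumptions for this example, not the Vault API's own schema.

```python
"""Pre-flight checks for a subordinate CA request (constructed example).

Covers the rules stated in the console procedure: HSM-protected RSA 2048/4096
or ECDSA NIST_P384 key, same key family as the parent CA, signing algorithm
from that family, and a validity window of at least one day ending no later
than December 31, 2037, with timestamps rounded up to the second.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

ALLOWED_RSA_BITS = {2048, 4096}      # step 16
ALLOWED_EC_CURVES = {"NIST_P384"}    # step 16
SIGNING_BY_FAMILY = {                # step 17
    "RSA": {"SHA256_WITH_RSA", "SHA384_WITH_RSA", "SHA512_WITH_RSA"},
    "ECDSA": {"SHA256_WITH_ECDSA", "SHA384_WITH_ECDSA", "SHA512_WITH_ECDSA"},
}
# Step 14: no date beyond December 31, 2037; taken here as the last second of that day (UTC).
LAST_NOT_AFTER = datetime(2037, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


def check_key(key: dict, parent_key: dict) -> List[str]:
    """Return the problems with the Vault key chosen for the new CA.

    Both dicts are constructed with the keys ``algorithm`` ("RSA"/"ECDSA"),
    ``length`` (RSA bits), ``curve_id`` (ECDSA curve) and ``protection_mode``
    ("HSM"/"SOFTWARE"). These field names are assumptions for the example.
    """
    problems = []
    if key.get("protection_mode") != "HSM":
        problems.append("key must be HSM-protected; software-protected keys are not supported")
    alg = key.get("algorithm")
    if alg == "RSA":
        if key.get("length") not in ALLOWED_RSA_BITS:
            problems.append("RSA key must be 2048 or 4096 bits")
    elif alg == "ECDSA":
        if key.get("curve_id") not in ALLOWED_EC_CURVES:
            problems.append("ECDSA key must use curve NIST_P384")
    else:
        problems.append(f"unsupported key algorithm {alg!r}; only RSA and ECDSA keys are offered")
    if alg != parent_key.get("algorithm"):
        problems.append("key must be from the same algorithm family as the parent CA's key")
    return problems


def check_signing_algorithm(key: dict, signing_algorithm: str) -> List[str]:
    """The signing algorithm must belong to the chosen key's family (step 17)."""
    allowed = SIGNING_BY_FAMILY.get(key.get("algorithm"), set())
    if signing_algorithm not in allowed:
        return [f"{signing_algorithm} cannot be used with a {key.get('algorithm')} key"]
    return []


def round_up_to_second(iso_timestamp: str) -> str:
    """Apply the service's rounding: any fraction of a second rounds up."""
    ts = datetime.fromisoformat(iso_timestamp)
    if ts.microsecond:
        ts = ts.replace(microsecond=0) + timedelta(seconds=1)
    return ts.isoformat()


def check_validity(not_before: Optional[str], not_after: str,
                   parent_max_sub_ca_days: int, now: str) -> List[str]:
    """Validity-window rules from steps 13, 14 and 19.

    Timestamps are ISO 8601 strings with a UTC offset. A missing Not Valid
    Before means validity starts now (step 13). ``parent_max_sub_ca_days`` is
    the issuing CA's "Maximum Validity Duration for Subordinate CA (Days)",
    assumed here to cap the new CA's validity window.
    """
    start = datetime.fromisoformat(round_up_to_second(not_before or now))
    end = datetime.fromisoformat(round_up_to_second(not_after))
    problems = []
    if end < start + timedelta(days=1):
        problems.append("Not Valid After must be at least one day after the start of validity")
    if end > LAST_NOT_AFTER:
        problems.append("Not Valid After cannot be later than December 31, 2037")
    if end - start > timedelta(days=parent_max_sub_ca_days):
        problems.append(f"validity exceeds the issuing CA's limit of {parent_max_sub_ca_days} days for subordinate CAs")
    return problems


if __name__ == "__main__":
    # Constructed sample request: RSA-2048 HSM key under an RSA-4096 parent, one-year validity.
    parent = {"algorithm": "RSA", "length": 4096, "protection_mode": "HSM"}
    key = {"algorithm": "RSA", "length": 2048, "protection_mode": "HSM"}
    report = (check_key(key, parent)
              + check_signing_algorithm(key, "SHA384_WITH_RSA")
              + check_validity(None, "2026-01-01T00:00:00+00:00", 1825, "2025-01-01T00:00:00+00:00"))
    print("ok" if not report else "\n".join(report))
```

Run it against the values you intend to enter in the console; an empty report means the request satisfies every rule the procedure states, and each message otherwise names the step whose constraint is violated.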
  • Use the oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca command and required parameters to issue a subordinate CA:

    oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <parent_CA_OCID> --name <CA_display_name> --subject <certificate_subject_information> --kms-key-id <Vault_encryption_key_OCID>

    For example:

    oci certs-mgmt certificate-authority create-subordinate-ca-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name mySubCA --subject file://path/to/casubject.json --kms-key-id ocid1.key.oc1.<region>.<unique_id>

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
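The CLI example above passes the subject as a JSON file via `--subject file://...` but doesn't show that file's contents. The script below is an added example, not part of this documentation or the OCI CLI: it builds the subject object, writes casubject.json, and assembles the argument vector for the command so that no shell quoting is needed. The camelCase field names (commonName, organization, organizationalUnit, country, stateOrProvince, locality) are assumptions modelled on the Certificates service's CertificateSubject schema, and the OCIDs are placeholders.

```python
"""Build casubject.json and the argv for create-subordinate-ca-issued-by-internal-ca.

Constructed example. The JSON field names are assumed to follow the
Certificates service's CertificateSubject schema (camelCase keys).
"""
import json
import os
import tempfile
from typing import List

# Subject fields accepted here, mapped to the (assumed) camelCase JSON keys.
SUBJECT_FIELDS = {
    "organization": "organization",
    "organizational_unit": "organizationalUnit",
    "country": "country",
    "state_or_province": "stateOrProvince",
    "locality": "locality",
}


def build_subject(common_name: str, **fields) -> dict:
    """Return the subject as the JSON object passed to --subject.

    commonName is the one mandatory field (step 11 of the procedure); unknown
    keyword names are rejected rather than silently dropped, and empty values
    are omitted.
    """
    if not common_name.strip():
        raise ValueError("common name is required")
    subject = {"commonName": common_name.strip()}
    for name, value in fields.items():
        if name not in SUBJECT_FIELDS:
            raise ValueError(f"unknown subject field {name!r}")
        if value:
            subject[SUBJECT_FIELDS[name]] = value
    return subject


def write_subject_file(subject: dict, directory: str) -> str:
    """Write casubject.json into ``directory`` and return its file:// reference."""
    path = os.path.join(directory, "casubject.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(subject, fh, indent=2)
    return f"file://{path}"


def build_cli_args(compartment_id: str, issuer_ca_id: str, name: str,
                   subject_ref: str, kms_key_id: str) -> List[str]:
    """Argument vector for the command shown above (pass as a list to subprocess.run)."""
    return [
        "oci", "certs-mgmt", "certificate-authority",
        "create-subordinate-ca-issued-by-internal-ca",
        "--compartment-id", compartment_id,
        "--issuer-certificate-authority-id", issuer_ca_id,
        "--name", name,
        "--subject", subject_ref,
        "--kms-key-id", kms_key_id,
    ]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        subject = build_subject("Example Issuing CA", organization="Example Corp", country="US")
        ref = write_subject_file(subject, tmp)
        # OCIDs below are placeholders, not real resource identifiers.
        print(" ".join(build_cli_args(
            "ocid1.compartment.oc1..PLACEHOLDER",
            "ocid1.certificateauthority.oc1.REGION.PLACEHOLDER",
            "mySubCA", ref,
            "ocid1.key.oc1.REGION.PLACEHOLDER")))
```

Keep the display name free of confidential information, as step 7 notes; only the subject fields end up in the CA certificate.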

  • Run the CreateCertificateAuthority operation to issue a subordinate CA.