Managing Certificates
Use Certificates to create and manage digital certificates.
Certificate management tasks include the following:
- Creating a Certificate
- Creating a Certificate to Manage Externally
- Importing a Certificate
- Listing Certificates
- Viewing Certificate Details
- Editing a Certificate
- Editing Certificate Rules
- Renewing a Certificate
- Updating a Certificate PEM
- Viewing Certificate Associations
- Moving a Certificate
- Deleting a Certificate
- Canceling Certificate Deletion
Every certificate has one or more certificate versions. As such, certificate management also includes the following tasks specific to certificate versions:
Required IAM Policy
To use Oracle Cloud Infrastructure, you must be granted security access in a policy (IAM) by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment you should work in.
The following policy gives permission to the example group CertificateAdmins to manage certificates and CA bundles. Specifically, the policy gives permission to list any resources included in the aggregate resource-type certificate-authority-family (without access to any confidential information). The policy also gives permission to the example group to work with the resource-type certificate-authority-delegate (the example group can use any CA in the compartment to sign a certificate, but can't create, update, or delete CAs). Lastly, the policy gives permission to the group to do anything with any resources included in the aggregate resource-type leaf-certificate-family. Access is limited to resources in the specified example compartments.
Allow group CertificateAdmins to inspect certificate-authority-family in compartment ABC
Allow group CertificateAdmins to use certificate-authority-delegate in compartment ABC
Allow group CertificateAdmins to manage leaf-certificate-family in compartment ABC
These statements provide the minimum access needed to complete administrative tasks with certificates, as described later in this section.
You might want to provide access to a group to work with certificates while restricting their ability to create, update, or delete any certificate-related resources. The following policy gives permission to the example group CertificateUsers to read and update certificates and CA bundles. The policy also gives permission to the group to renew certificates. Access is limited to resources in the specified example compartments.
Allow group CertificateUsers to use leaf-certificate-family in compartment DEF
Allow group CertificateUsers to use certificate-authority-delegate in compartment DEF
Allow group CertificateUsers to manage certificate-associations in compartment DEF
Allow group CertificateUsers to inspect certificate-authority-associations in compartment DEF
Allow group CertificateUsers to manage cabundle-associations in compartment DEF
Allow group CertificateDevelopers to read leaf-certificate-bundles in compartment ABC where target.leaf-certificate.bundle-type='CERTIFICATE_CONTENT_WITH_PRIVATE_KEY'
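The statements above are easiest to review when the verb each group effectively holds on each certificate resource type is tabulated. The following is an added example, not code from the Oracle documentation: it parses the subset of the OCI policy grammar used on this page ("Allow group ... to <verb> <resource-type> in compartment <name> [where <condition>]"), applies OCI's verb ordering (inspect < read < use < manage) to find the strongest grant per group and resource type, and flags two grants a reviewer would want to see explicitly: manage on certificate-authority-family (CA create/update/delete, which the admin policy above deliberately withholds) and any statement conditioned on the CERTIFICATE_CONTENT_WITH_PRIVATE_KEY bundle type (private key export). The input is constructed from the statements on this page plus one extra "manage certificate-authority-family" line added to trigger a finding; the two review rules are this example's own heuristics, not an Oracle recommendation.

```python
import re

# OCI verb hierarchy: each verb includes the permissions of the verbs before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Subset of the OCI policy grammar used on this page:
#   Allow group <group> to <verb> <resource-type> in compartment <name> [where <condition>]
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in compartment (?P<compartment>\S+)"
    r"(?: where (?P<condition>.+))?$",
    re.IGNORECASE,
)

# Constructed input: the statements from this page plus one extra line (the last one,
# 'manage certificate-authority-family') added only to demonstrate a finding.
SAMPLE_STATEMENTS = [
    "Allow group CertificateAdmins to inspect certificate-authority-family in compartment ABC",
    "Allow group CertificateAdmins to use certificate-authority-delegate in compartment ABC",
    "Allow group CertificateAdmins to manage leaf-certificate-family in compartment ABC",
    "Allow group CertificateUsers to use leaf-certificate-family in compartment DEF",
    "Allow group CertificateDevelopers to read leaf-certificate-bundles in compartment ABC "
    "where target.leaf-certificate.bundle-type='CERTIFICATE_CONTENT_WITH_PRIVATE_KEY'",
    "Allow group CertificateAdmins to manage certificate-authority-family in compartment ABC",  # constructed
]


def parse_statement(text):
    """Return a dict with group, verb, resource, compartment and condition, or None if no match."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        return None
    parsed = m.groupdict()
    parsed["verb"] = parsed["verb"].lower()
    return parsed


def effective_grants(statements):
    """Map (group, compartment, resource) to the strongest verb granted. A group named in
    several statements on the same resource type effectively holds the highest verb."""
    grants = {}
    for stmt in statements:
        p = parse_statement(stmt)
        if p is None:
            continue
        key = (p["group"], p["compartment"], p["resource"])
        if key not in grants or VERB_RANK[p["verb"]] > VERB_RANK[grants[key]]:
            grants[key] = p["verb"]
    return grants


def review(statements):
    """Heuristic review (this example's own rules): report CA lifecycle control and
    private key export so those grants can be confirmed as intended."""
    findings = []
    for stmt in statements:
        p = parse_statement(stmt)
        if p is None:
            findings.append(f"unparsed statement: {stmt}")
            continue
        if p["resource"] == "certificate-authority-family" and p["verb"] == "manage":
            findings.append(f"{p['group']} can create, update and delete CAs in {p['compartment']}")
        if "CERTIFICATE_CONTENT_WITH_PRIVATE_KEY" in (p["condition"] or ""):
            findings.append(f"{p['group']} can export certificate private keys in {p['compartment']}")
    return findings


if __name__ == "__main__":
    for (group, comp, resource), verb in sorted(effective_grants(SAMPLE_STATEMENTS).items()):
        print(f"{group:22} {comp:4} {resource:34} {verb}")
    for finding in review(SAMPLE_STATEMENTS):
        print("FINDING:", finding)
```

Run against the page's statements alone, the review reports only the private key export grant held by CertificateDevelopers; the constructed last line is what produces the CA finding. Either finding is expected on some policies, so the output is a checklist of grants to confirm, not a verdict.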
For more information about permissions or if you need to write more or less restrictive policies, see Details for the Certificates Service. If you're new to policies, see Getting Started with Policies and Common Policies.