Oracle Cloud Infrastructure Documentation

Renewing a Certificate Authority

Renew a certificate authority (CA) when it nears expiration, whenever you need to update its certificate contents, or if it's been revoked because of a security breach of its certificate or its key.

Renewing a CA creates another CA version with new certificate contents and a new validity period. CA renewals happen manually. You can't automatically renew a CA by using renewal rules. Before you renew a CA, rotate the key that you use with the CA to ensure that the new CA version you create contains updated key material. For more information, see Rotating a Vault Key.

    1. Open the navigation menu and click Identity & Security.
    2. Under Certificates, click Certificate Authorities.
    3. From the list of CAs in the compartment, click the name of the CA that you want to renew by creating a new version.

      To find a CA in a different compartment, under List scope, choose a different compartment.

    4. Under Resources, click Versions.
    5. Click Renew Certificate Authority.
    6. (Optional) Click Not Valid Before, and then specify the date when you want to begin using the new CA version. If you don't specify a date, the new CA is valid immediately, although you also need to make it the current version to begin using it.
    7. Click Not Valid After, and then specify the date after which the CA can no longer be used to issue or validate subordinate CAs or certificates.
    8. Decide whether you want to begin using the new CA version immediately by doing one of the following:
      • To make the new CA version the current version, clear the Set to Pending check box.
      • To make the new CA version the current version later, leave the check box selected.
    9. When you're ready, click Renew Certificate Authority.

  • The command you use to renew a CA depends on whether the CA is a root CA or a subordinate CA.

    Use the oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details command and required parameters to renew a root CA:

    oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id <CA_OCID> --validity <version_validity_period_JSON>

    For example:

    oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --validity file://path/to/validity.json

    To renew a subordinate CA, open a command prompt and run the oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca command and required parameters:

    oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id <CA_OCID> --validity <version_validity_period_JSON>

    For example:

    oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --validity file://path/to/validity.json

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the UpdateCertificateAuthority operation to renew a CA.