Creating a Certificate

• Console
• CLI
• API

• 1. On the Certificates list page, select Create Certificate. If you need help finding the list page, see Listing Certificates.
  2. Under Compartment, select the compartment where you want to create the certificate. The certificate can exist in the same compartment as the CA or a different one.
  3. Under Certificate Type, to issue a certificate from a Certificates service CA that then also manages the certificate, select Issued by internal CA.
  4. Enter a unique display name for the certificate. Avoid entering confidential information.
     Note
     
     No two certificates in the tenancy can share the same name, including certificates pending deletion.
  5. (Optional) Enter a description to help identify the certificate. Avoid entering confidential information.
  6. (Optional) To apply tags, select Show Tagging Options. For more information about tags, see Resource Tags.
  7. Select Next.
  8. Provide subject information. Subject information includes a common name to identify the owner of the certificate. Depending on the certificate's intended use, the subject might identify a person, organization, or computer endpoint. Subject information can also include DNS names or IP addresses as subject alternative names by which the certificate bearer is also known. You can use wildcards to issue a certificate for multiple domain or subdomain names.
  9. (Optional) To add more subject alternative names, select + Another Subject Alternative Name, select the type of address, and then enter the name. When you're ready, select Next.
  10. Select a certificate profile type from the following profiles based on the certificate's intended use:
      • TLS Server or Client: Presented by a server or client for TLS/SSL connections.
      • TLS Server: Presented by a server for TLS/SSL connections.
      • TLS Client: Presented by a client during TLS/SSL connections.
      • TLS Code Sign: Presented by a program to validate its signature.
  11. To change the CA that issues the certificate, select Issuer Certificate Authority, and then select a CA. If needed, select Change Compartment, and then select a different compartment if the CA is in a different compartment from the one you selected for the certificate.
  12. (Optional) Select Not Valid Before, and then enter a date before which the certificate can't be used to validate the identity of its bearer. If you don't specify a date, the certificate validity period begins immediately. Values are rounded up to the nearest second.
  13. Select Not Valid After, and then change the date after which the certificate is no longer valid proof of the identity of its bearer. You must specify a date at least one day later than the starting date of the validity period. The date must not exceed the expiration of the issuing CA. You also can't specify a date beyond December 31, 2037. Values are rounded up to the nearest second. Typically, certificates are used for the entirety of the period that they're valid unless something happens to require revocation.
  14. For Key Algorithm, select the algorithm and key length combination that you need for the certificate key pair from the following options:
      • RSA2048: Rivest-Shamir-Adleman (RSA) 2048-bit key
      • RSA4096: RSA 4096-bit key
      • ECDSA_P256: Elliptic curve cryptography digital signature algorithm (ECDSA) key with a P256 curve ID
      • ECDSA_P384: ECDSA key with a P384 curve ID
  15. (Optional) Select Show Additional Fields, and then under Signature Algorithm, select one of the following signing algorithms, depending on the key:
      • SHA256_WITH_RSA: Rivest-Shamir-Adleman (RSA) key with a SHA-256 hash function
      • SHA384_WITH_RSA: RSA key with a SHA-384 hash function
      • SHA512_WITH_RSA: RSA key with a SHA-512 hash function
      • SHA256_WITH_ECDSA: Elliptic curve cryptography digital signature algorithm (ECDSA) key with a SHA-256 hash function
      • SHA384_WITH_ECDSA: ECDSA key with a SHA-384 hash function
      • SHA512_WITH_ECDSA: ECDSA key with a SHA-512 hash function

        When you're ready, select Next.

  16. To configure automatic renewal of the certificate to avoid disruption in its use, specify a nonzero value for the following settings:
      • Renewal Interval (Days): How frequently the certificate is renewed
      • Advance Renewal Period (Days): The number of days before the certificate expiration that renewal happens
      For maximum flexibility, renew the certificate before the end of its validity period and with enough advance renewal time in case of failures. A certificate that expires before the service can successfully renew it can result in service disruptions.
      When you're ready, select Next.
  17. Verify that the information is correct, and then select Create Certificate.
      It can take a while to create certificate-related resources.

• Use the oci certs-mgmt certificate create-certificate-issued-by-internal-ca command and required parameters to create a certificate issued by the Certificates service:

  Command

  CopyTry It

  oci certs-mgmt certificate create-certificate-issued-by-internal-ca --certificate-profile-type <certificate_usage_profile> --compartment-id <compartment_OCID> --issuer-certificate-authority-id <issuing_CA_OCID> --name <certificate_name> --subject <subject_information>

  For example:

  oci certs-mgmt certificate create-certificate-issued-by-internal-ca --certificate-profile-type TLS_SERVER_OR_CLIENT --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name internalCert --subject file://path/to/certsubject.json

  For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

• Run the CreateCertificate operation to create a certificate that you plan to manage internally.