Creating a Certificate to Manage Externally

• Console
• CLI
• API

• 1. On the Certificates list page, select Create Certificate. If you need help finding the list page, see Listing Certificates.
  2. Under Compartment, select the compartment where you want to create the certificate. The certificate can exist in the same compartment as the CA or a different one.
  3. Under Certificate Type, to issue a certificate from a Certificates service CA that's later managed by an external, third-party CA, select Issued by internal CA, managed externally.
  4. Enter a unique display name for the certificate. Avoid entering confidential information.
     Note
     
     No two certificates in the tenancy can share the same name, including certificates pending deletion.
  5. (Optional) Enter a description to help identify the certificate. Avoid entering confidential information.
  6. (Optional) To apply tags, select Show Tagging Options. For more information about tags, see Resource Tags.
  7. Select Next.
  8. For certificates that a third-party CA manages, you don't need to provide subject information. Instead, select Next again.
  9. To change the CA that issues the certificate, under Issuer Certificate Authority, select a CA. If needed, select Change Compartment, and then select a different compartment if the CA is in a different compartment from the one you selected for the certificate.
  10. (Optional) Select Not Valid Before, and then enter a date before which the certificate can't be used to validate the identity of its bearer. If you don't specify a date, the certificate validity period begins immediately. Values are rounded up to the nearest second.
  11. Select Not Valid After, and then change the date after which the certificate is no longer valid proof of the identity of its bearer. You must specify a date at least one day later than the starting date of the validity period. The date must not exceed the expiration of the issuing CA. You also can't specify a date beyond December 31, 2037. Values are rounded up to the nearest second. Typically, certificates are used for the entirety of the period that they're valid unless something happens to require revocation.
  12. Under Certificate Signing Request, provide certificate contents by doing one of the following:
      • Select Upload File, and then select Select One to upload the certificate as a file in PEM format.
      • Select Paste Content, and then select the text box to paste the certificate contents directly.

        When you're ready, select Next.

  13. You can't configure automatic renewal for certificates that the Certificates service doesn't manage. Select Next to continue.
  14. Verify that the information is correct, and then select Create Certificate.

• Use the oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca command and required parameters to create a certificate with a private key that you plan to manage externally:

  oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id <compartment_OCID> --issuer-certificate-authority-id <issuing_CA_OCID> --name <certificate_name> --csr-pem <certificate_signing_request_file>

  For example:

  oci certs-mgmt certificate create-certificate-managed-externally-issued-by-internal-ca --compartment-id ocid1.compartment.oc1..<unique_id> --issuer-certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --name externalCert --csr-pem file://path/to/externalcert.pem

  For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

• Run the CreateCertificate operation to create a certificate that you plan to manage externally.