Renewing a Certificate Authority

Renew a certificate authority (CA) when it nears expiration, whenever you need to update its certificate contents, or if it's been revoked because of a security breach of its certificate or its key.

Renewing a CA creates another CA version with new certificate contents and a new validity period. CA renewals happen manually. You can't automatically renew a CA by using renewal rules. Before you renew a CA, rotate the key that you use with the CA to ensure that the new CA version you create contains updated key material. For more information, see Rotating a Vault Key.

    1. On the Certificate Authorities list page, select the name of the CA that you want to renew by creating a new version. If you need help finding the list page, see Listing Certificate Authorities.

      To find a CA in a different compartment, under List scope, select a different compartment.

    2. Under Resources, select Versions.
    3. Select Renew Certificate Authority.
    4. (Optional) Select Not Valid Before, and then specify the date when you want to begin using the new CA version. If you don't specify a date, the new CA version is valid immediately, although you also need to make it the current version before you can use it.
    5. Select Not Valid After, and then specify the date after which the CA can no longer be used to issue or validate subordinate CAs or certificates.
    6. Decide whether you want to begin using the new CA version immediately by doing one of the following:
      • To make the new CA version the current version, clear the Set to Pending checkbox.
      • To make the new CA version the current version later, leave the checkbox selected.
    7. When you're ready, select Renew Certificate Authority.
  • The command you use to renew a CA depends on whether the CA is a root CA or a subordinate CA.

    Use the oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details command and required parameters to renew a root CA:

    oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id <CA_OCID> --validity <version_validity_period_JSON>

    For example:

    oci certs-mgmt certificate-authority update-root-ca-by-generating-config-details --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --validity file://path/to/validity.json

    Use the oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca command and required parameters to renew a subordinate CA:

    oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id <CA_OCID> --validity <version_validity_period_JSON>

    For example:

    oci certs-mgmt certificate-authority update-subordinate-ca-issued-by-internal-ca --certificate-authority-id ocid1.certificateauthority.oc1.<region>.<unique_id> --validity file://path/to/validity.json

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the UpdateCertificateAuthority operation to renew a CA.
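As an added example that is not part of this page or of the OCI CLI, the script below prepares the validity JSON file that the --validity parameter of the two CLI commands above consumes, checks the validity period before the renewal is run, and assembles the command line for a root or a subordinate CA. It assumes the JSON keys timeOfValidityNotBefore and timeOfValidityNotAfter of the Certificates Management Validity model and RFC 3339 timestamps in UTC; the function names, the validity.json file name and the check that a subordinate CA must not outlive its issuer are this example's own.

```python
"""Prepare and sanity-check the validity period for a CA renewal.

Assumptions (not taken from the page): the --validity JSON uses the keys
timeOfValidityNotBefore and timeOfValidityNotAfter, and timestamps are
RFC 3339 in UTC. The issuer check is a general PKI constraint (a
subordinate CA's period must sit inside its issuer's), included here so
a bad period is caught before the CLI call is made.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RFC3339 = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp such as 2025-01-01T00:00:00Z."""
    return datetime.strptime(value, RFC3339).replace(tzinfo=timezone.utc)


def build_validity(not_after: datetime,
                   not_before: Optional[datetime] = None) -> Dict[str, str]:
    """Return the Validity object for --validity. not_before is omitted
    when None, so the new version is valid as soon as it is created."""
    body = {"timeOfValidityNotAfter": not_after.strftime(RFC3339)}
    if not_before is not None:
        body["timeOfValidityNotBefore"] = not_before.strftime(RFC3339)
    return body


def check_validity(validity: Dict[str, str],
                   issuer_not_after: Optional[datetime] = None,
                   now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the period is usable.
    Pass issuer_not_after when renewing a subordinate CA."""
    now = now or datetime.now(timezone.utc)
    not_after = parse_ts(validity["timeOfValidityNotAfter"])
    raw_not_before = validity.get("timeOfValidityNotBefore")
    not_before = parse_ts(raw_not_before) if raw_not_before else now
    problems = []
    if not_after <= now:
        problems.append("notAfter is already in the past")
    if not_after <= not_before:
        problems.append("notAfter must be later than notBefore")
    if issuer_not_after is not None and not_after > issuer_not_after:
        problems.append("subordinate CA would outlive its issuer")
    return problems


def renew_command(ca_ocid: str, validity_path: str,
                  subordinate: bool) -> List[str]:
    """Assemble the CLI invocation shown on the page for the CA type."""
    verb = ("update-subordinate-ca-issued-by-internal-ca" if subordinate
            else "update-root-ca-by-generating-config-details")
    return ["oci", "certs-mgmt", "certificate-authority", verb,
            "--certificate-authority-id", ca_ocid,
            "--validity", "file://" + validity_path]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Constructed sample: a five-year period that starts tomorrow.
    validity = build_validity(not_after=now + timedelta(days=365 * 5),
                              not_before=now + timedelta(days=1))
    problems = check_validity(validity, now=now)
    if problems:
        raise SystemExit("refusing to renew: " + "; ".join(problems))
    with open("validity.json", "w") as fh:
        json.dump(validity, fh, indent=2)
    # Placeholder OCID; substitute the real CA OCID before running.
    print(" ".join(renew_command(
        "ocid1.certificateauthority.oc1.<region>.<unique_id>",
        "validity.json", subordinate=False)))
```

Run the script to write validity.json and print the command; the renewal itself is still issued by the oci CLI, and for a subordinate CA the issuer's notAfter should be passed to check_validity so the new version cannot be created with a period its issuer does not cover.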