The certificate rotation process captures all certificates in the Oracle Key Vault server. This operation does not rotate the console certificates.

A certificate in Oracle Key Vault lasts 730 days. If you do not rotate the certificate (both server and endpoint certificates), then the endpoints that use the certificate cannot connect to the Oracle Key Vault server. When this happens, you must re-enroll the endpoint. To avoid this scenario, you can configure an alert to remind you to rotate the certificate before the 730-day limit is up. The rotation process handles the rotation for all certificates in one operation. You can find how much time the Oracle Key Vault server certificate has before it expires by checking the OKV Server Certificate Expiration setting on the Configure Alerts page in the Oracle Key Vault management console. To find the expiry time of the endpoints' certificates, you must to navigate to the Endpoints page and check the Certificate Expires field.

In addition to standalone environments, you can rotate certificates in primary-standby and multi-master cluster environments. In both, Oracle Key Vault automatically synchronizes the certificates in both systems in a primary-standby configuration, and in all nodes in a multi-master cluster configuration. You do not have to perform any extra configuration.

Oracle Key Vault provides advice on the best ways to rotate certificates.

• Do not initiate a certificate rotation while a node addition is in progress.
• Do not try node operations (such as adding or disabling nodes) while a certificate rotation is in process.
• You cannot initiate certificate rotation unless all nodes in the cluster are active. You can check if a node is active by checking the Cluster Monitoring page. (Click the Cluster tab, and then select Monitoring from the left navigation bar.)
• In a primary-standby configuration, do not perform certificate rotation if the primary database is in read-only restricted mode. Only initiate a certificate rotation when both servers in the configuration are active and synchronized with each other.
• If you are performing certificate rotation on a system that was upgraded from a previous release, ensure that you upgrade the endpoints as well. Endpoints whose software has not been upgraded will not receive updated credentials.
• You cannot perform a certificate rotation while a backup operation or a restore operation is in progress.
• Before performing a certificate rotation, back up the Oracle Key Vault system.
• In order for the certificate rotation process to fully complete, you must delete and re-enroll all endpoints that are not in the Enrolled state. If you no longer need the endpoint, then you only need to delete it.

• Each cluster node only generates certificates for a small set of endpoints. These endpoints are those whose creator node (the node on which the certificates are generated) it is. (You can find an endpoint's creator node in the Oracle Key Vault management console by going to the Endpoints page, and then looking for the creator node for each endpoint.) If all endpoints were created before an upgrade from Oracle Key Vault release 12.2, then it is possible that they may all be associated with one single cluster node. This can make the rotation process slower than if the endpoints had been created on different cluster nodes.
• During the rotation process, Oracle Key Vault rotates endpoints in batches on each node of the cluster, with a maximum number of endpoints that are allowed to be in the rotated state at any one time. At least one of those rotated endpoints must receive its new certificates and acknowledge receipt (involving at least two communications with the server) before the server moves on to processing another endpoint. If all endpoints are considered to have been created on a single Oracle Key Vault cluster node, then the rotation process may degenerate to rotating a few endpoints at a time across the cluster.
• In order to receive the new certificates, the endpoint must reach out to the node on which its certificates have been generated (that is, the creator node). In a multi-master cluster configuration, whenever the endpoint attempts to make a connection to Oracle Key Vault, it performs the following actions:
  • First, it obtains the list of server IPs from its configuration file (okvclient.ora).
  • Next, it picks one at random from those in the cluster subgroup to which the endpoint’s creator node belongs.

    The endpoint reaches out to a random Oracle Key Vault cluster node, and not necessarily to its creator node. This means that even if the Oracle Key Vault management console shows that the endpoint has had its certificates rotated, the endpoint may not receive the new certificates for some considerable period of time, despite making repeated attempts to reach out to the Oracle Key Vault cluster. An endpoint can only successfully receive an update if it has at least one object uploaded to the Oracle Key Vault server. You can check if the endpoint has objects by executing the okvutil list command.

• If a given endpoint does not receive its rotated certificates due to network or other issues, or is in the "Suspended" state, Oracle recommends that you re-enenroll the endpoint, or even delete it. This will allow the certificate rotation process to continue on to completion. You can find the current certificate rotation status by going to the Endpoints page and looking for Common Name of Certificate Issuer.

You can use the Oracle Key Vault management console to rotate certificates.

1. Back up Oracle Key Vault.
2. Log in to Oracle Key Vault management console as a user who has the System Administrator role.
   In a primary-standby environment, log in to the primary Oracle Key Vault server. In a multi-master cluster environment, you can log in to any node in the cluster. Oracle recommends that you initiate the rotation from one node at a time. Do not perform multiple rotations on different nodes at once.
3. Select the System tab.
4. Select Manage Server Certificate.
5. In the Manage Server Certificate page, click Generate System Certificate.
6. In the confirmation dialog box, select OK.
   This creates a new CA certificate, but does not enable it. At this stage, endpoints can still use their old credentials to connect using the previous certificate. The Old Certificate area shows the details of the currently active CA. The New Certificate area shows that the certificate has been rotated and displays its common name. If you want to cancel the rotation process, click Abort to cancel the process and clean up the new CA directory that was generated.
   In a mult-master cluster environment:

   • After the certification rotation process is initiated, the details of the new certificate that was generated are shown on the node on which you initiated the rotation. After a few minutes, if you refresh the Manage Server Certificate page on all of the other nodes, this page should show that a message saying that the new certificate is being propagated to that node.
   • The certificate will be propagated to all nodes, but not activated. Depending on the number of nodes in the cluster, it may take some time to complete the propagation process.
   • You can cancel the certificate rotation only up to the point that 1) all nodes in the cluster have received the certificates, and 2) each node has notified the other nodes that it has received the certificate. At this point, the Abort button will disappear and only Activate Certificate remains. The certificate activation process can only take place when all nodes in the cluster no longer have the Abort button appearing.
   • Periodically refresh the Manage Server Certificate page, in case there have been changes to the status. For example, you should refresh this page if you want to determine that the Abort button is no longer showing and the Activate Certificate button has appeared. To access this page, select the System tab and then select Manage Server Certificate from the left menu.
7. When the Activate Certificate button appears and is enabled, click it.
   Clicking Activate Certificate begins the process of putting the new Oracle Key Vault CA into use. When it completes, the endpoints should be able to connect to the Oracle Key Vault server using either the new or the old Oracle Key Vault CA. This process may take a few minutes to complete. You cannot cancel the rotation process after you click Activate Certificate.
   In a multi-master cluster environment, Activate Certificate applies the certificate to all nodes in the cluster. The certificate activation process can only take place when all nodes in the cluster no longer have the Abort button appearing. It takes a few minutes for the remaining nodes to be updated. Ensure that you click Activate Certificate on only one node before you refresh the Manage Server Certificates page on the other nodes. Wait a few minutes for the screen to refresh. (You only need to click Activate Certificate on one node, not multiple nodes.) Note that the Manage Server Certificates page on all nodes other than the one that you clicked Activate Certificate on may show no change in status for a few minutes, until the process starts to take effect on those nodes.
8. In the confirmation dialog box, click OK.
   A message appears saying that the automatic certificate update of the endpoints is in progress. In the background, Oracle Key Vault starts regenerating certificates for its endpoints, for a few endpoints at a time (so that not all endpoints are updated at once). To check if the credentials for an endpoint have been updated, click the Check Endpoint Progress button. The Endpoints page appears. If, for a given endpoint, the Common Name of Certificate Issuer field shows the common name of the old CA, the new credentials have not yet been generated. However, if, for existing endpoints, the field shows Updating to Current Certificate Issuer, the process has begun. Endpoints should be able to retrieve updated credentials a few minutes after this status has changed.
   After the new credentials have been generated for a given endpoint, when the endpoint next makes a connection to the Oracle Key Vault server, the new credentials for the certificate are sent over to the endpoint. After an endpoint has received its updated credentials from the Oracle Key Vault server, it must try to connect to the Oracle Key Vault server to let the server know that it has successfully received the credentials. You should periodically check the status of replication across the cluster by viewing either the Cluster Monitoring page or the Cluster Management page. (To access either of these pages, click the Cluster tab, and then select either Management or Monitoring in the left navigation bar.) When the endpoint successfully receives the credentials, the value in the Common Name of Certificate Issuer field for that endpoint on the Endpoints page should reflect the common name of the new Oracle Key Vault CA certificate.
9. If you had previously downloaded the Oracle Key Vault RESTful services software utility (okvrestservices.jar), then download it again so that you can continue to use the RESTful services utility.

   If you are using KMIP REST, then you do not need to perform this step because the okvutil endpoint that contains the okvclient.ora has received the updates.

You can use the Oracle Key Vault management console to check the status of a certificate rotation.

1. Log in to Oracle Key Vault management console as a user who has the System Administrator role.
2. Select the Endpoints tab.
3. Select Endpoints.
   On the Endpoints page, you can see a status of the rotation process for the certificate (Updating to current certificate issuer) in the Endpoints page. When it is complete, it will show the name of the common name of the new Oracle Key Vault CA.
   If there are errors with the certificate rotation of an endpoint, then Oracle recommends that you re-enroll the endpoint.