A Certificate Authority (CA) is an organization that issues digital certificates. X.509, an ITU-T standard (also published as ISO/IEC 9594-8), defines the format of the most common type of commercial digital certificate. The CA issues signed digital certificates to affirm the identity of the certificate subject and bind that identity to the public key in the certificate. A CA also typically manages the certificate lifecycle, including renewal and revocation.
SSL/TLS certificates allow web browsers to verify the identity of a website and establish an encrypted network connection to it using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Certificates are used within a cryptographic system known as a public key infrastructure (PKI). A PKI allows one party to establish the identity of another party by validating that party's certificate and trusting the third party, the CA, that issued it.
A CA typically exists within a hierarchical structure that contains multiple subordinate CAs with clearly defined parent-child relationships. A parent CA signs the certificate of each child (subordinate) CA, and the sequence of signatures from an end-entity certificate up to the root forms a certificate chain. The root CA sits at the top of the chain and is self-signed; a relying party has to trust it explicitly, because no other certificate vouches for it.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that provide communication security over a computer network. TLS is the successor to SSL; all SSL versions are deprecated (SSL 3.0 by RFC 7568) and should not be enabled. Both use X.509 certificates to authenticate the server, and both negotiate a symmetric session key between the client and the server that is used to encrypt the data flowing between the two.
HTTPS is HTTP over SSL/TLS, a secure form of HTTP supported by all major browsers and servers. Every HTTP request and response is encrypted before it is sent across the network. HTTPS combines the HTTP protocol with symmetric, asymmetric, and X.509 certificate-based cryptographic techniques. It inserts a cryptographic security layer below the HTTP application layer and above the TCP transport layer of the Open Systems Interconnection (OSI) model; that security layer is the SSL or TLS protocol.
HTTPS transactions require a server certificate to authenticate the server. A server certificate is an X.509 v3 data structure that binds the public key in the certificate to the subject of the certificate. An SSL/TLS server certificate is signed by a CA and contains the server's name (in the Subject and, for modern clients, in the Subject Alternative Name extension), the validity period, the public key, the signature algorithm, and more.
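As an added example (not part of the original page, and not OCI's code), the following Go program builds exactly this structure with the standard library: a self-signed root CA, a subordinate CA signed by the root, and a server certificate for the made-up host www.example.com signed by the subordinate. It then verifies the chain the way a browser does, with only the root in the trust store, and runs a TLS handshake over loopback TCP in which the server presents either the leaf plus the intermediate (the CA bundle) or the leaf alone. All names, serial numbers and lifetimes are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustSign issues tmpl under parent with parentKey; passing tmpl as its own parent yields a self-signed certificate (the root CA).
func mustSign(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return cert
}

// BuildHierarchy creates root CA -> subordinate CA -> server (leaf) certificate with fresh P-256 keys. Names and lifetimes are made up.
func BuildHierarchy() (root, inter, leaf *x509.Certificate, leafKey *ecdsa.PrivateKey) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand: does not fail
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the server; the client never sees it
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, // basicConstraints cA=TRUE is what makes it a CA
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := ca(1, "Example Root CA")
	root = mustSign(rootTmpl, rootTmpl, rootKey, rootKey) // self-signed root
	inter = mustSign(ca(2, "Example Issuing CA"), root, interKey, rootKey)
	leaf = mustSign(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames:  []string{"www.example.com"}, // clients match the SAN, not the CN
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, leafKey, interKey)
	return root, inter, leaf, leafKey
}

// VerifyChain does what a browser does: trust only the root, use the supplied intermediates (the CA bundle) to build a path to it, and check the host name.
func VerifyChain(leaf *x509.Certificate, bundle []*x509.Certificate, root *x509.Certificate, host string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	opts.Roots.AddCert(root)
	for _, c := range bundle {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// Handshake runs one TLS handshake over loopback TCP: the server presents serverChain (leaf first) and the client trusts only root. It returns the negotiated version and cipher suite, or the client's verification error.
func Handshake(root *x509.Certificate, leafKey *ecdsa.PrivateKey, serverChain [][]byte) (uint16, string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, "", err
	}
	defer ln.Close()
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: serverChain, PrivateKey: leafKey}}}
	go func() { // server side: accept one connection and run the handshake
		if c, err := ln.Accept(); err == nil {
			_ = tls.Server(c, srv).Handshake() // a client that rejects the chain shows up here as an alert
			c.Close()
		}
	}()
	roots := x509.NewCertPool() // the client's trust store holds only the root
	roots.AddCert(root)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: roots, ServerName: "www.example.com", MinVersion: tls.VersionTLS12})
	if err != nil {
		return 0, "", err // e.g. "x509: certificate signed by unknown authority"
	}
	defer conn.Close()
	st := conn.ConnectionState() // the symmetric session keys were derived during this exchange
	return st.Version, tls.CipherSuiteName(st.CipherSuite), nil
}

func main() {
	root, inter, leaf, key := BuildHierarchy()
	fmt.Println("leaf without intermediate:", VerifyChain(leaf, nil, root, "www.example.com"))
	_, suite, err := Handshake(root, key, [][]byte{leaf.Raw, inter.Raw})
	fmt.Println("server sends leaf+intermediate:", suite, err)
	_, _, err = Handshake(root, key, [][]byte{leaf.Raw})
	fmt.Println("server sends leaf only:", err)
}
```

The two failures this exercises are the ones practitioners hit most often: a server that omits the intermediate certificate from the chain it sends is rejected with an unknown-authority error even though the client trusts the root, and a certificate whose Subject Alternative Name does not cover the requested host fails host-name validation. ConnectionState reports the negotiated protocol version and cipher suite; the symmetric keys themselves are never exposed by the API.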
OCI Certificates automatically creates a certificate, deploys it to resources (such as a load balancer), and renews it before it expires, eliminating the need for a manual certificate management process.
OCI Certificates creates private certificates for the Client/Server, Client, Server, or Code Signing roles. Any public or private certificate can also be uploaded into the Certificate Manager.
If you assign a certificate to the Load Balancer, OCI Certificates notifies the service that a certificate is ready to be installed. The Load Balancer retrieves the certificate from OCI Certificates, installs it, and applies the changes. OCI Certificates monitors the certificate and renews it according to the renewal rules defined by the CA; when renewal is due, the process repeats.
Creating CAs and leaf certificates is a free service in OCI.
The Load Balancer and the API Gateway are the first services integrated with the OCI Certificates service.
If you are a free tier customer, you can create up to five CAs. Paid tenancies can create up to 100 CAs.
If you are a free tier customer, you can create up to 150 certificates. Paid tenancies can create up to 5,000 certificates in their tenancy.
A CA bundle is a file that contains the root and intermediate certificates. The end-entity (leaf) certificate together with the CA bundle constitutes the certificate chain.
There are three different ways to manage your certificates.
For a CA, you cannot download the private key, because it is stored in a Hardware Security Module (HSM). For a leaf certificate, for security reasons, the private key can be downloaded only through the API and CLI.