Oracle Cloud Infrastructure Certificates Frequently Asked Questions

  • What is a Certificate Authority (CA)?

    A Certificate Authority (CA) is an organization that issues digital certificates. ISO X.509 is the standard for the most common type of commercial digital certificate. The CA issues signed digital certificates to affirm the identity of the certificate subject and bind that identity to the public key in the certificate. A CA also typically manages certificates.

  • What is an SSL/TLS certificate?

    SSL/TLS certificates allow web browsers to identify and establish encrypted network connections to websites using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Certificates are used within a cryptographic system known as a public key infrastructure (PKI). A PKI allows one party to establish the identity of another party by using certificates and trusting a third party, known as a CA.

  • What is a Root Certificate?

    A CA typically exists within a hierarchical structure that contains multiple subordinate CAs with clearly defined parent-child relationships. Parent CAs certify child or subordinate CAs that create a certificate chain. The root CA sits at the top of the chain and is typically self-signed.

  • What is Secure Sockets Layer (SSL)?

    Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that provide communication security over a computer network. TLS is the successor to SSL, and both use X.509 certificates to authenticate the server. Both protocols negotiate a symmetric key between the client and the server that is used to encrypt data flowing between the two entities.

  • What is HTTPS?

    HTTPS stands for HTTP over SSL/TLS, a secure form of HTTP supported by all major browsers and servers. All HTTP requests and responses are encrypted before they are sent across a network. HTTPS combines the HTTP protocol with symmetric, asymmetric, and X.509 certificate-based cryptographic techniques. HTTPS inserts a cryptographic security layer below the HTTP application layer and above the TCP transport layer in the Open Systems Interconnection (OSI) model. This security layer uses the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocol.

  • What are SSL Server Certificates?

    HTTPS transactions require server certificates to authenticate a server. A server certificate is an X.509 v3 data structure that binds the public key in the certificate to the subject of the certificate. An SSL/TLS certificate is signed by a CA and contains the name of the server, the validity period, the public key, the signature algorithm, and more.

  • What is the Oracle Cloud Infrastructure (OCI) Certificates service?

    OCI Certificates automatically creates a certificate and deploys it to resources (such as a load balancer), and renews the certificate before it expires. OCI Certificates eliminates the need for a manual certificate management process.

  • What SSL certificates are supported?

    OCI Certificates creates a private certificate for the roles of Client/Server, Client, Server, or Code Signing. Any public or private certificate can be uploaded into the Certificate Manager.

  • How does auto-deployment work?

    If you are assigning a certificate to the Load Balancer, OCI Certificates alerts the service that a certificate is ready to be installed. The Load Balancer will retrieve the certificate from OCI Certificates, install the certificate, and apply the changes. OCI Certificates will monitor and renew the certificate based on the renewal rules defined by the CA. When it's time for renewal, the process repeats.

  • How much do SSL Certificates cost?

    Creating CAs and leaf certificates is a free service in OCI.

  • What services are integrated with the OCI Certificates service?

    The Load Balancer and the API Gateway are the first services integrated with the OCI Certificates service.

  • How many CAs can I create?

    If you are a free tier customer, you can create up to five CAs. Paid tenancies can create up to 100 CAs.

  • How many certificates can I create?

    If you are a free tier customer, you can create up to 150 certificates. Paid tenancies can create up to 5,000 certificates in their tenancy.

  • What is a CA bundle?

    A CA bundle is a file that contains root and intermediate certificates. The end-entity certificate along with a CA bundle constitutes the certificate chain.

  • What types of management use cases does OCI Certificates cover?

    There are three different ways to manage your certificates.

    1. Managed Internally - This is the fully automated system where OCI Certificates creates, deploys, monitors, and renews the certificate.
    2. Managed Externally - If it is your policy to have the private key on your site, you can upload a Certificate Signing Request (CSR) to OCI Certificates which will then sign the certificate.
    3. Bring your own certificate - If you already have a certificate, you can upload it to OCI Certificates and have it deployed and monitored for you. You will be alerted when it is time to renew the certificate.
  • Can I download the private key of a certificate?

    You cannot download the private key of a CA because it is stored in the Hardware Security Module (HSM). For security purposes, the private key of a leaf certificate is available for download only via the API and CLI.
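
The CA bundle and "Managed Externally" answers above, worked through as an added example that is not Oracle's code and uses no OCI commands: a throwaway root, intermediate and leaf are built locally with openssl, the leaf's private key stays in the working directory while only its CSR is signed, and the leaf is then verified against the CA bundle. All subjects, file names and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: throwaway test PKI; every subject and file name is constructed.
set -eu

# Create a key pair and a CSR. The .key file stays local; only the .csr is
# what an issuing CA needs to see.
new_csr() {  # $1 = file basename, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Sign a CSR. $1 = basename, $2 = extension file, rest = issuer options.
sign_csr() {
  name=$1; ext=$2; shift 2
  openssl x509 -req -in "$name.csr" -extfile "$ext" -days 30 -sha256 \
    -out "$name.pem" "$@" 2>/dev/null
}

build_chain() (  # $1 = empty working directory (runs in a subshell)
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext
  new_csr root  "Example Root CA"            # self-signed top of the chain
  sign_csr root ca.ext -signkey root.key
  new_csr inter "Example Intermediate CA"    # subordinate CA certified by the root
  sign_csr inter ca.ext -CA root.pem -CAkey root.key -CAcreateserial
  new_csr leaf  "app.example.test"           # end-entity certificate
  sign_csr leaf leaf.ext -CA inter.pem -CAkey inter.key -CAcreateserial
  cat inter.pem root.pem > ca-bundle.pem     # CA bundle = intermediate + root
)

# Leaf + CA bundle form a complete chain, so verification succeeds.
chain_ok() { openssl verify -CAfile "$1/ca-bundle.pem" "$1/leaf.pem" >/dev/null 2>&1; }
# With the root alone the intermediate is missing and the chain cannot be built.
root_only_ok() { openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1; }
# The CSR carries the public key and subject only, never the private key.
csr_has_no_private_key() { ! grep -q 'PRIVATE KEY' "$1/leaf.csr"; }

work=$(mktemp -d)
build_chain "$work"
chain_ok "$work" && echo "leaf verifies against the CA bundle"
root_only_ok "$work" || echo "leaf does not verify against the root alone"
csr_has_no_private_key "$work" && echo "CSR contains no private key"
```

A deployment that serves the leaf without the intermediate fails in the same way as the root-only check here, which is why the bundle travels with the end-entity certificate.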