With the embrace of the cloud, enterprise organizations started a massive initiative to standardize all their architectures around the core cloud services, automate the deployments and integrate them into the CI/CD footprint.
One of the tasks that fits these core services is the Certificate Service. Customers want a single REST API endpoint to manage all the infrastructure, and the Certificate Service is fully integrated into that.
In this post we will focus on the creation of a Certificate Authority (CA) in the OCI Certificate Service and the generation of a wildcard certificate for a domain.
Oracle Cloud Infrastructure (OCI) Certificates is a service for creating and managing Transport Layer Security (TLS) certificates. The service enables organizations to create private Certificate Authority (CA) hierarchies and TLS certificates that can be deployed and renewed automatically in the customer tenancy, integrated with OCI services such as OCI Load Balancing and OCI API Gateway.
An HSM (Hardware Security Module) key is required to create a CA. The OCI Vault service integrates with OCI Certificates so that the customer's private key can be used to create a CA. OCI Certificates never has direct access to the private key, nor does it retain copies of it.
Below is the list of steps needed to create a "Master Encryption Key":
Use the following documentation to create the "Root Certificate Authority".
The result looks like the screenshot below.
Use the following documentation to create an "Issued by Internal CA" certificate with a Subject Information DNS name of *.lb-workshop, a profile type of "TLS Server or Client", and a key algorithm of RSA2048.
The result looks like the screenshot below:
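Before attaching the wildcard certificate to a listener, it is worth being precise about which host names `*.lb-workshop` actually covers, because TLS clients apply the RFC 6125 wildcard rules strictly: the `*` stands for exactly one DNS label, so `app.lb-workshop` is covered but the apex `lb-workshop` and `a.b.lb-workshop` are not. The following Python is an added example, not code from the original post or from OCI; it implements that matching logic and runs it against a constructed list of host names. Modern clients only consult the DNS names in the certificate's Subject Alternative Name extension, so the function takes that list as its input.

```python
"""
Hostname matching against the DNS names of a wildcard TLS certificate.

Added example (not part of the original post, not OCI code): it models how
a TLS client decides whether a server name is covered by a certificate DNS
name such as the "*.lb-workshop" issued above, following RFC 6125 section
6.4.3 as implemented by common TLS stacks. All host names are constructed.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate DNS name `pattern`.

    Rules applied:
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the entire left-most label ("*.example");
    - the wildcard matches exactly one label, never zero or several;
    - a bare "*" or a wildcard in any other label is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*" as the whole left-most label, with at least one label after it.
    if p_labels[0] != "*" or len(p_labels) < 2 or any("*" in lab for lab in p_labels[1:]):
        return False
    # The wildcard consumes exactly one label, so the label counts must be equal.
    if len(h_labels) != len(p_labels):
        return False
    if not h_labels[0]:  # empty left-most label, e.g. ".lb-workshop"
        return False
    return h_labels[1:] == p_labels[1:]


def certificate_covers(san_dns_names, hostnames):
    """Map each hostname to True/False: does any SAN DNS entry cover it?"""
    return {h: any(dns_name_matches(p, h) for p in san_dns_names) for h in hostnames}


# Constructed sample: the SAN DNS list of the wildcard certificate from the post,
# and host names a client might use to reach the load balancer listener.
WILDCARD_CERT_SANS = ["*.lb-workshop"]
SAMPLE_HOSTS = [
    "app.lb-workshop",        # one label under the wildcard: covered
    "API.LB-WORKSHOP",        # case-insensitive: covered
    "lb-workshop",            # the apex itself: NOT covered by "*.lb-workshop"
    "a.b.lb-workshop",        # two labels deep: NOT covered
    "app.lb-workshop.evil",   # different parent domain: NOT covered
]

if __name__ == "__main__":
    for host, ok in certificate_covers(WILDCARD_CERT_SANS, SAMPLE_HOSTS).items():
        print(f"{host:25} {'covered' if ok else 'NOT covered'}")
```

If the load balancer must also answer on the bare name `lb-workshop`, that name has to be added to the certificate explicitly; a wildcard alone will not do it, and clients will reject the connection with a hostname mismatch rather than fall back.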
Below are the steps required to update an existing listener on a load balancer to use the certificate previously generated.
The editing page looks similar to the one below.