Create a TLS certificate using the OCI Certificate Service

September 20, 2022 | 5 minute read
Catalin Andrei
Master Principal Cloud Architect

Introduction

With the embrace of the cloud, enterprise organizations started a massive initiative to standardize all their architectures around the core cloud services, automate their deployments and integrate them into the CI/CD footprint.
One of the tasks that fits these core services is the Certificate Service. Customers want a single REST API endpoint to manage all their infrastructure, and the Certificate Service is fully integrated into it.

In this post we will focus on the creation of a Certificate Authority (CA) in the OCI Certificate Service and generate a wildcard certificate for a domain.

Oracle Cloud Infrastructure (OCI) Certificates is a service for creating and managing Transport Layer Security (TLS) certificates. The service enables organizations to create private Certificate Authority (CA) hierarchies and TLS certificates that can be deployed and renewed automatically in the customer tenancy, integrated with OCI services such as OCI Load Balancing and OCI API Gateway.

Generate the private key of the CA

An HSM (Hardware Security Module) key is required to create a CA. OCI Vault service integrates with OCI Certificates to easily use the customer’s private key to create a CA. OCI Certificates will never have direct access to the private key, nor will it retain copies.

Create Master Encryption Key

Below is a list of steps needed to create a "Master Encryption Key":

  • Create a Vault using the documentation found here.
  • Create an RSA Master Encryption Key using the documentation found here.
    As an example, below is a screenshot of an RSA 2048-bit Master Encryption Key.
    [Screenshot: RSA 2048-bit Master Encryption Key]

Create the Certificate Authority

Use the following documentation to create a "Root Certificate Authority".
The result looks like the screenshot below.
[Screenshot: Root Certificate Authority]

Generate a wildcard certificate

Use the following documentation to create an "Issued by Internal CA" certificate with a Subject Information DNS name of *.lb-workshop, a Profile type of "TLS Server or Client" and a key algorithm of RSA2048.
The result looks like the screenshot below:
[Screenshot: Issued by Internal CA certificate for *.lb-workshop]
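One caveat worth checking before pointing clients at the listener: a wildcard DNS name covers exactly one label, so *.lb-workshop covers app.lb-workshop but neither lb-workshop itself nor a.b.lb-workshop. The following is an added example, not code from this post or from OCI, that applies the RFC 6125 wildcard matching rules a TLS client uses; the SAN list and the hostnames are constructed.

```python
"""Report which hostnames a certificate's DNS SAN entries actually cover.

Constructed example: the SAN list mirrors the wildcard certificate issued
in the post ("*.lb-workshop"); the hostnames are made up for illustration.
"""
from typing import Iterable


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # RFC 6125 6.4.3: a wildcard is only honoured as the whole label "*";
    # partial wildcards such as "w*" are rejected by san_matches() below.
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def san_matches(san: str, hostname: str) -> bool:
    """True if a single DNS SAN entry covers hostname (ASCII names assumed)."""
    p_labels = san.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # "*" matches exactly one label: never zero, never several, so the
    # label counts must agree (this is why "lb-workshop" is NOT covered).
    if len(p_labels) != len(h_labels):
        return False
    # The wildcard may only be the entire leftmost label.
    if "*" in p_labels[1:] or any("*" in lbl and lbl != "*" for lbl in p_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) < 2:
        return False  # a bare "*" is never acceptable
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def hostname_covered(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True if any DNS SAN entry covers hostname."""
    return any(san_matches(san, hostname) for san in san_dns_names)


def coverage_report(san_dns_names, hostnames) -> dict:
    """Map each hostname to whether the certificate would be accepted for it."""
    return {h: hostname_covered(h, san_dns_names) for h in hostnames}


if __name__ == "__main__":
    SANS = ["*.lb-workshop"]  # constructed: matches the certificate in the post
    CANDIDATES = ["app.lb-workshop", "APP.LB-WORKSHOP", "lb-workshop",
                  "a.b.lb-workshop", "app.lb-workshop.example"]
    for host, ok in coverage_report(SANS, CANDIDATES).items():
        print(f"{host:28s} {'covered' if ok else 'NOT covered'}")
```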

Use the Certificate with the OCI LB

Below are the steps required to update an existing listener on a load balancer to use the certificate previously generated.

  1. Open the navigation menu, click Networking, and then click Load Balancers.
  2. Select the Compartment from the list where the LB was provisioned.
  3. Select the load balancer whose listener will use the certificate.
  4. Click Listeners under Resources.
  5. Edit the listener.
  6. Under Protocol, make sure you choose "HTTPS" and check "Use SSL".
  7. Under Certificate Resource, select "Certificate Service Managed Certificate".
  8. Select the Compartment where the certificate is provisioned.
  9. Select the Certificate from the dropdown list.

The editing page looks similar to the one below.
[Screenshot: Edit Listener page with Certificate Service Managed Certificate selected]
