Does this tool connect to my OCI account?

No. This tool runs entirely in your browser and generates configuration JSON that you can copy and paste into your infrastructure-as-code templates, CLI commands, or cloud console. It never connects to any cloud account or sends data externally.

Are the generated configurations production-ready?

The tool produces syntactically valid configurations based on current OCI service specifications. Always review generated configs against your organization security policies and test in a non-production environment before deploying.

OCI Certificate Authority Builder

IAM & SecurityOCI

Build OCI Certificates service CA configurations with subject details and CRL settings.

Last verified: May 2026

OCI Certificates Configuration

Build OCI Certificates service Certificate Authority configurations with subject details, signing algorithms, and CRL settings.

Required Fields

compartmentIddisplayNamecertificateAuthorityConfig.configTypecertificateAuthorityConfig.subject.commonNamekmsKeyId

{
  "compartmentId": "ocid1.compartment.oc1..aaaaaaaexample",
  "displayName": "internal-root-ca",
  "description": "Root CA for internal service TLS certificates",
  "certificateAuthorityConfig": {
    "configType": "ROOT_CA_GENERATED_INTERNALLY",
    "subject": {
      "commonName": "Internal Root CA",
      "organization": "Acme Corp",
      "organizationalUnit": "Platform Engineering",
      "country": "US",
      "stateOrProvinceName": "California",
      "locality": "San Francisco"
    },
    "signingAlgorithm": "SHA256_WITH_RSA",
    "validity": {
      "timeOfValidityNotAfter": "2034-12-31T23:59:59Z",
      "timeOfValidityNotBefore": "2024-01-01T00:00:00Z"
    }
  },
  "kmsKeyId": "ocid1.key.oc1.iad.aaaaaaaexample",
  "certificateRevocationListDetails": {
    "objectStorageConfig": {
      "objectStorageNamespace": "my-tenancy",
      "objectStorageBucketName": "crl-bucket",
      "objectStorageObjectNameFormat": "crl-{}.crl"
    },
    "customFormattedUrls": ["https://crl.example.com/root-ca.crl"]
  },
  "certificateAuthorityRules": [
    {
      "ruleType": "CERTIFICATE_AUTHORITY_ISSUANCE_EXPIRY_RULE",
      "certificateAuthorityMaxValidityDuration": "P3650D",
      "leafCertificateMaxValidityDuration": "P365D"
    }
  ],
  "freeformTags": {
    "purpose": "internal-pki",
    "team": "security"
  }
}

Generated Output

Output will appear here...

See It in Action

Your team needs to issue thousands of internal-service-to-internal-service TLS certificates without using a commercial CA (cost) or Let's Encrypt (rate limits + public exposure). The builder generates: an OCI Private Root CA with 10-year validity, two subordinate CAs (one per environment) with 5-year validity, configured CRL distribution points reachable from internal services. Service-to-service certs issued via the subordinate CAs with 90-day validity. Total cost: ~$200/month for the root + 2 subordinates + cert issuance vs $5K+/month for equivalent commercial CA capacity.

What This Tool Does

Build OCI Certificates service CA configurations with subject details and CRL settings. This tool helps OCI engineers generate valid configurations quickly without consulting documentation, reducing errors and accelerating infrastructure deployment. All processing runs in your browser with no data sent to external servers.

Technical Details

The builder constructs OCI Certificates CA configurations: CA resource (compartment, kind: ROOT or SUBORDINATE, name, description, subject distinguished name with common name + organization + country, validity period, signing algorithm, key vault key reference for backing key material, CRL distribution point URLs, certificate revocation reasons supported). Output is generated as oci certs-mgmt certificate-authority commands and Terraform oci_certificates_management_certificate_authority resources.

Common Use Cases

1Generating oci certificate authority configurations for new infrastructure deployments.
2Validating existing configurations against best practices before applying changes.
3Learning OCI service configuration patterns through interactive examples.
4Accelerating infrastructure-as-code development by producing correct JSON/YAML starting points.

Common Questions

Does this tool connect to my OCI account?: No. This tool runs entirely in your browser and generates configuration JSON that you can copy and paste into your infrastructure-as-code templates, CLI commands, or cloud console. It never connects to any cloud account or sends data externally.
Are the generated configurations production-ready?: The tool produces syntactically valid configurations based on current OCI service specifications. Always review generated configs against your organization security policies and test in a non-production environment before deploying.

Expert Tips

TIP

Private CAs are the right answer for internal-only TLS (service-to-service, internal APIs). Use OCI Certificates' private CA hierarchy to issue certs for internal hostnames. For external-facing certs, stick with Let's Encrypt or commercial CAs — public trust is what matters there.

TIP

CRL (Certificate Revocation List) distribution requires reachable CRL endpoints. If clients can't reach the CRL URL, they may either fail-closed (legitimate certs rejected) or fail-open (revoked certs accepted) depending on configuration. Test CRL accessibility from all clients that will validate certs.

TIP

Subordinate CAs let you delegate cert issuance to specific compartments without exposing the root CA. The root CA stays offline / heavily protected; subordinate CAs handle day-to-day cert issuance with their own audit trails. This hierarchy is how mature PKI works.

Related Learning Guides

OCI IAM, Compartments & Policies22 min read
OCI Security Best Practices24 min read

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.