Key Doesn't Appear When Creating a Certificate Authority

When you try to create a certificate authority (CA), the Certificates service might not list the encryption keys that you expect it to list. Sometimes you might get the error "No data available" when you try to find an encryption key to use for the CA certificate. Encryption keys might not appear during CA creation for several reasons.

Key doesn't exist

The requested key might not exist.

Verify that the key exists in the tenancy and hasn't been deleted.

Missing or incorrect policy statements

You might not have the required permissions.

Verify that policy statements exist to grant at least the minimum permissions described in the Required IAM Policy section of Managing Certificate Authorities. You might need policy statements for both groups and dynamic groups, depending on the resources you want to work with.

If you have no policy that grants CAs the permissions they need, then an administrator must write the policy. If you have no dynamic group for CAs to begin with, an administrator must first create a dynamic group with a matching rule that includes all CAs, and then write the policy.

Key exists in a different compartment or tenancy

The key might exist in a different compartment or tenancy.

If you don't see the expected key, confirm that you selected the compartment where the key exists. Resources don't need to belong to the same compartment, but you do need permissions to work with resources in all relevant compartments.

Also confirm that the Vault key exists in the same tenancy as the CA you're trying to create. The Certificates service doesn't support cross-tenancy requests.

Key protection mode is unsupported

The key you selected is software-protected. The Certificates service doesn't support using a master encryption key in software protection mode with a CA.

To create a CA, you need a hardware-protected encryption key. A master encryption key protected by a hardware security module (HSM) is stored on an HSM and can't be exported from the HSM. All cryptographic operations involving the key also happen on the HSM. For more information about Vault keys, including information about protection modes, see Key and Secret Management Concepts.

Key algorithm is unsupported

The key you selected uses the Advanced Encryption Standard (AES) algorithm, which is a symmetric algorithm and can't sign certificates.

To create a CA, you need an asymmetric key that uses either the Rivest-Shamir-Adleman (RSA) algorithm or the Elliptic Curve Digital Signature Algorithm (ECDSA). The service supports the following asymmetric keys for use with a CA:
  • SHA256_WITH_RSA: RSA key with a SHA-256 hash function
  • SHA384_WITH_RSA: RSA key with a SHA-384 hash function
  • SHA512_WITH_RSA: RSA key with a SHA-512 hash function
  • SHA256_WITH_ECDSA: ECDSA key with a SHA-256 hash function
  • SHA384_WITH_ECDSA: ECDSA key with a SHA-384 hash function
  • SHA512_WITH_ECDSA: ECDSA key with a SHA-512 hash function
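The checks in the sections above can be run as a preflight over a tenancy's key listing before opening the CA creation dialog. The following is an added example, not code from the Certificates service or its documentation; the key records are constructed sample data, and the field names (id, lifecycle_state, protection_mode, algorithm, compartment_id, plus a tenancy_id added for the cross-tenancy check) are assumptions modelled on the Vault key listing rather than a verified API shape.

```python
# Added example: explain why a Vault key would not be offered when creating a CA.
# Field names are assumptions modelled on a Vault key listing; the records below
# are constructed sample data, not output from a real tenancy.

SUPPORTED_ALGORITHMS = {"RSA", "ECDSA"}   # AES is symmetric and can't sign a CA


def ca_key_problems(key, selected_compartment_id, ca_tenancy_id):
    """Return the reasons this key is ineligible for a CA; an empty list means eligible."""
    problems = []
    if key.get("lifecycle_state") != "ENABLED":
        problems.append("key is not enabled (deleted, disabled, or pending deletion)")
    if key.get("tenancy_id") != ca_tenancy_id:
        problems.append("key is in a different tenancy; cross-tenancy requests are unsupported")
    elif key.get("compartment_id") != selected_compartment_id:
        # Same tenancy is fine; the picker only shows the compartment you selected.
        problems.append("key is in a different compartment; select that compartment instead")
    if key.get("protection_mode") != "HSM":
        problems.append("key is software-protected; a CA needs an HSM-protected key")
    if key.get("algorithm") not in SUPPORTED_ALGORITHMS:
        problems.append("key algorithm %s is unsupported; use RSA or ECDSA" % key.get("algorithm"))
    return problems


def eligible_ca_keys(keys, selected_compartment_id, ca_tenancy_id):
    """Keys that pass every check, in listing order."""
    return [k for k in keys if not ca_key_problems(k, selected_compartment_id, ca_tenancy_id)]


SAMPLE_KEYS = [  # constructed records: one eligible key and one example of each failure
    {"id": "key-hsm-rsa", "lifecycle_state": "ENABLED", "protection_mode": "HSM",
     "algorithm": "RSA", "compartment_id": "cmp-a", "tenancy_id": "ten-1"},
    {"id": "key-soft-rsa", "lifecycle_state": "ENABLED", "protection_mode": "SOFTWARE",
     "algorithm": "RSA", "compartment_id": "cmp-a", "tenancy_id": "ten-1"},
    {"id": "key-hsm-aes", "lifecycle_state": "ENABLED", "protection_mode": "HSM",
     "algorithm": "AES", "compartment_id": "cmp-a", "tenancy_id": "ten-1"},
    {"id": "key-deleted", "lifecycle_state": "DELETED", "protection_mode": "HSM",
     "algorithm": "ECDSA", "compartment_id": "cmp-a", "tenancy_id": "ten-1"},
    {"id": "key-other-cmp", "lifecycle_state": "ENABLED", "protection_mode": "HSM",
     "algorithm": "ECDSA", "compartment_id": "cmp-b", "tenancy_id": "ten-1"},
]

if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        print(k["id"], "->", ca_key_problems(k, "cmp-a", "ten-1") or "eligible")
```

Keys that fail only the compartment check still exist and can be used; the fix is to select that compartment (with the right permissions), not to create a new key.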