If you set Client Protocol to HTTPS when you add a website to WAF, upload a certificate and use it for your website.
- If your website certificate is about to expire, purchase a new certificate before the expiration date and update the certificate associated with the website in WAF.
- If you plan to update the certificate associated with the website, associate a new certificate with your website on the WAF console.
Prerequisites
- The website to be protected has been added to WAF.
- Your website uses HTTPS as the client protocol.
Constraints
- Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, add domain names one by one in WAF.
- Only .pem certificates can be used in WAF. If the certificate is not in .pem, before uploading it, convert it to .pem by referring to Step 6.
Impact on the System
- It is recommended that you update the certificate before it expires. Otherwise, all WAF protection rules will fail to take effect, and there can be massive impacts on the origin server, even more severe than a crashed host or website access failures.
- Updating certificates does not affect services. The old certificate still works during the certificate replacement. The new certificate will take over the job once it has been uploaded and successfully associated with the domain name.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane, choose Website Settings.
- In the Domain Name column, click the domain name of the website to go to the basic information page.
- Click
next to the certificate name. In the Update Certificate dialog box, import a new certificate or select an existing certificate.- If you select Import new certificate for Update Method, enter a certificate name, and copy and paste the certificate file and private key into the corresponding text boxes. Figure 1 shows an example.
WAF encrypts and saves the private key to keep it safe.
Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 1 before uploading it.Table 1 Certificate conversion commands Format
Conversion Method
CER/CRT
Rename the cert.crt certificate file to cert.pem.
PFX
- Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
- Obtain a certificate. For example, run the following command to convert cert.pfx into cert.pem:
openssl pkcs12 -in cert.pfx -nokeys -out cert.pem
P7B
- Convert a certificate. For example, run the following command to convert cert.p7b into cert.cer:
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer
- Rename certificate file cert.cer to cert.pem.
DER
- Obtain a private key. For example, run the following command to convert privatekey.der into privatekey.pem:
openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem
- Obtain a certificate. For example, run the following command to convert cert.cer into cert.pem:
openssl x509 -inform der -in cert.cer -out cert.pem
- Before running an OpenSSL command, ensure that the OpenSSL tool has been installed on the local host.
- If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command.
- Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:
- If you select Select existing certificate for Update Method, select an existing certificate from the Certificate Name drop-down list.Figure 2 Selecting an existing certificate
- If you select Import new certificate for Update Method, enter a certificate name, and copy and paste the certificate file and private key into the corresponding text boxes. Figure 1 shows an example.
- Click Confirm.
