If you select Dedicated Mode as the access mode and set Client Protocol to HTTPS, a certificate is required for your website.
- If your website certificate is about to expire, purchase a new certificate before the expiration date and update the certificate associated with the website in WAF.
- If you plan to update the certificate associated with the website, associate a new certificate with your website on the WAF console.
Prerequisites
- The website to be protected has been added to WAF.
- Your website uses HTTPS as the client protocol.
Constraints
- Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, add domain names one by one in WAF.
- Only .pem certificates can be used in WAF. If the certificate is not in .pem, before uploading it, convert it to .pem by referring to Step 6.
Impact on the System
- It is recommended that you update the certificate before it expires. Otherwise, all WAF protection rules will fail to take effect, and there can be massive impacts on the origin server, even more severe than a crashed host or website access failures.
- Updating certificates does not affect services. The old certificate still works during the certificate replacement. The new certificate will take over the job once it has been uploaded and successfully associated with the domain name.
Updating the Certificate Used for a Website
- Log in to the management console.
- Click
in the upper left corner and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, click Website Settings.
- On the Website Settings page, click the target website domain name.
- Click
next to the certificate name. In the Update Certificate dialog box, import a new certificate or select an existing certificate.- If you select Import new certificate for Update Method, enter a certificate name, and copy and paste the certificate file and private key into the corresponding text boxes.
WAF encrypts and saves the private key to keep it safe.
Figure 1 Update Certificate
Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 1 before uploading it.Table 1 Certificate conversion commands Format
Conversion Method
CER/CRT
Rename the cert.crt certificate file to cert.pem.
PFX
- Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
- Obtain a certificate. For example, run the following command to convert cert.pfx into cert.pem:
openssl pkcs12 -in cert.pfx -nokeys -out cert.pem
P7B
- Convert a certificate. For example, run the following command to convert cert.p7b into cert.cer:
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer
- Rename certificate file cert.cer to cert.pem.
DER
- Obtain a private key. For example, run the following command to convert privatekey.der into privatekey.pem:
openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem
- Obtain a certificate. For example, run the following command to convert cert.cer into cert.pem:
openssl x509 -inform der -in cert.cer -out cert.pem
- Before running an OpenSSL command, ensure that the OpenSSL tool has been installed on the local host.
- If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command.
- Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:
- If you select Select existing certificate for Update Method, select an existing certificate from the Certificate drop-down list.Figure 2 Selecting an existing certificate
- If you select Import new certificate for Update Method, enter a certificate name, and copy and paste the certificate file and private key into the corresponding text boxes.
- Click Confirm.