Help Center> Elastic Load Balance> User Guide> User Guide for Shared Load Balancers> Security> Certificate> Certificate Overview
Updated on 2024-06-20 GMT+08:00
View PDF

Certificate Overview

ELB supports two types of certificates. If you add an HTTPS listener, you need to bind a server certificate to it. To enable mutual authentication, you also need to bind a CA certificate to the listener.
  • Server certificate: used for SSL handshake negotiations if an HTTPS listener is used. Both the certificate content and private key are required.
  • CA certificate: issued by a certificate authority (CA) and used to verify the certificate issuer. If HTTPS mutual authentication is required, HTTPS connections can be established only when the client provides a certificate issued by a specific CA.

SSL Certificate Manager (SCM) allows you to purchase a certificate from Huawei Cloud or upload your own certificates for easier management.

Precautions

  • A certificate can be used by multiple load balancers but only needs to be uploaded to ELB once.
  • You must specify a domain name for an SNI certificate. The domain name must be the same as that in the certificate. An SNI certificate can have multiple domain names.
  • For each certificate type, a listener can have only one certificate by default, but a certificate can be bound to more than one listener. If SNI is enabled for the listener, multiple server certificates can be bound.
  • Only original certificates are supported. That is to say, you cannot encrypt your certificates.
  • You can use self-signed certificates. However, note that self-signed certificates pose security risks. It is recommended that you use certificates issued by third parties.
  • ELB supports certificates only in PEM format. If you have a certificate in any other format, you must convert it to a PEM-encoded certificate.
  • If a certificate has expired, you need to manually replace or delete it.

Certificate Format

You can copy and paste the certificate body to create a certificate or directly upload a certificate.

A certificate issued by the Root CA is unique, and no additional certificates are required. The configured site is considered trustable by access devices, such as a browser.

The body of the server and CA certificates must meet the requirements as described below.

  • The content starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
  • Each row contains 64 characters except the last row.
  • There are no empty rows.

The following is an example:

-----BEGIN CERTIFICATE-----
Base64–encoded certificate
-----END CERTIFICATE-----

Private Key Format

When creating a server certificate, you also need to upload the private key of the certificate. You can copy and paste the private key content or directly upload the private key in the required format.

Private keys must be unencrypted and meet the following requirements:

  • The value must be in PEM format.
    • The content must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
    • The content must start with -----BEGIN EC PRIVATE KEY----- and end with -----END EC PRIVATE KEY-----.
  • There are no empty rows. Each row must contain 64 characters except the last row.

The following is an example:

-----BEGIN RSA PRIVATE KEY-----
[key]
-----END RSA PRIVATE KEY-----
Parent Topic: Certificate