Certificate Overview
When you add an HTTPSor TLS listener, you need to bind a server certificate to it. To enable mutual authentication, you also need to bind a CA certificate to the listener. You can purchase a server certificate from Huawei Cloud SSL Certificate Manager (SCM) or upload your own certificates to the ELB console.
Use Cases
When you add an HTTPS or TLS listener to route requests, you need to select SSL Authentication. For one-way authentication, you need to configure a server certificate for the listener. For two-way authentication, you need to configure both a server certificate and a CA certificate.
One-way Authentication |
Only backend servers will be authenticated. You need to bind a server certificate to the listener to authenticate the server. |
---|---|
Mutual Authentication |
The clients and the load balancer authenticate each other. Only authenticated clients will be allowed to access the load balancer. You need to bind both a server certificate and a CA certificate to the listener to allow the clients and the load balancer to authenticate each other. You do not need to configure two-way authentication on the backend servers. |
ELB supports two types of certificates.
Server Certificate |
Used for SSL handshake negotiations if an HTTPSor TLS listener is used. Both the certificate content and private key are required. |
---|---|
CA Certificate |
Also called client CA public key certificate and used to verify the client certificate issuer. If mutual authentication is required, connections can be established only when the client provides a certificate issued by a specific CA. |
Precautions
- A certificate can be used by multiple load balancers but only needs to be uploaded to ELB once.
- You must specify a domain name for an SNI certificate. The domain name must be the same as that in the certificate. An SNI certificate can have multiple domain names.
- For each certificate type, a listener can have only one certificate by default, but a certificate can be bound to more than one listener. If SNI is enabled for the listener, multiple server certificates can be bound.
- Only original certificates are supported. That is to say, you cannot encrypt your certificates.
- You can use self-signed certificates. However, note that self-signed certificates pose security risks. It is recommended that you use certificates issued by third parties.
- ELB only supports certificates in PEM format. If you have a certificate in any other format, you must convert it to a PEM-encoded certificate.
- If a certificate has expired, you need to manually replace or delete it.
Certificate Format
You can copy and paste the certificate body to create a certificate or directly upload a certificate.
A certificate issued by the Root CA is unique, and no additional certificates are required. The configured site is considered trustable by access devices, such as a browser.
The body of the server and CA certificates must meet the requirements as described below.
- The content must start with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
- Each row contains 64 characters except the last row.
- There are no empty rows.
The following is an example:
-----BEGIN CERTIFICATE----- Base64–encoded certificate -----END CERTIFICATE-----
Private Key Format
When creating a server certificate, you also need to upload the private key of the certificate. You can copy and paste the private key content or directly upload the private key in the required format.
Private keys must be unencrypted and meet the following requirements:
- The value must be in PEM format.
- The content must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
- The content must start with -----BEGIN EC PRIVATE KEY----- and end with -----END EC PRIVATE KEY-----.
- There are no empty rows. Each row contains 64 characters except the last row.
The following is an example:
-----BEGIN RSA PRIVATE KEY----- [key] -----END RSA PRIVATE KEY-----
Converting Certificate Formats
ELB only supports certificates in PEM format. If you have a certificate in any other format, you must convert it to a PEM-encoded certificate. There are some common methods for converting a certificate from any other format to PEM.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot