Updated on 2024-01-31 GMT+08:00

Uploading a Certificate

If you select Cloud - CNAME or Dedicated for Protection and set Client Protocol to HTTPS, a certificate is required for your website.

If you upload a certificate to WAF, you can directly select the certificate when adding a website to WAF.

If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance is located. Then, you can select your enterprise project from the Enterprise Project drop-down list and upload certificates in the project.

Prerequisites

You have obtained the certificate file and certificate private key.

Specification Limitations

You can upload as many certificates to WAF as the number of domain names that can be protected by your WAF instances in the same account. For example, if you purchase a standard edition WAF instance, which can protect 10 domain names, and a domain name expansion package, which can protect 20 domain names, your WAF instance can protect 30 domain names in total. In this case, you can upload 30 certificates.

Constraints

  • If you purchase a certificate on the SCM console and push it to WAF, the certificate is added to the certificate list on the Certificates page on the WAF console. This certificate is also counted towards your total certificate quota. For details about how to push an SSL certificate in SCM to WAF, see Pushing an SSL Certificate to Other Cloud Services.

    Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used.

  • If you import a new certificate when adding a protected website or updating a certificate, the certificate is added to the certificate list on the Certificates page, and the imported certificate is also counted towards your total certificate quota.

Application Scenario

If you select HTTPS for Client Protocol, a certificate is required.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
  4. In the navigation pane, choose Objects > Certificates.
  5. Click Add Certificate.
  6. In the displayed dialog box, enter a certificate name, and copy and paste the certificate file and private key to the corresponding text boxes.

    Figure 1 Upload Certificate

    Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 1 before uploading it.
    Table 1 Certificate conversion commands

    Format: CER/CRT
    Conversion Method: Rename the cert.crt certificate file to cert.pem.

    Format: PFX
    Conversion Method:

    • Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:

      openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

    • Obtain a certificate. For example, run the following command to convert cert.pfx into cert.pem:

      openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

    Format: P7B
    Conversion Method:

    1. Convert a certificate. For example, run the following command to convert cert.p7b into cert.cer:

      openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

    2. Rename certificate file cert.cer to cert.pem.

    Format: DER
    Conversion Method:

    • Obtain a private key. For example, run the following command to convert privatekey.der into privatekey.pem:

      openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

    • Obtain a certificate. For example, run the following command to convert cert.cer into cert.pem:

      openssl x509 -inform der -in cert.cer -out cert.pem

    • Before running an OpenSSL command, ensure that the OpenSSL tool has been installed on the local host.
    • If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command.

  7. Click Confirm.
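
The following Python check is an added example, not part of the original Huawei Cloud documentation. It inspects content destined for the certificate and private key text boxes in step 6 and reports what still needs converting or trimming, such as a .crt file that is binary DER rather than Base64 text. The function name inspect_pem is hypothetical, treating a passphrase-protected key and text outside the PEM blocks as problems is an assumption based on the -nodes option and the .pem requirement above, and the sample input is constructed.

```python
import base64
import re

# One PEM block: captures the label and everything between the marker lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
LABELS = {
    "certificate": {"CERTIFICATE"},
    "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}


def inspect_pem(data: bytes, expect: str) -> list:
    """List problems in text-box content; expect is "certificate" or "key"."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: DER, PFX or binary P7B
            return ["binary ASN.1 data: convert it, renaming is not enough"]
        return ["binary data that is not PEM"]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM block found"]
    problems = []
    for label, body in blocks:
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is passphrase-protected")
        elif label not in LABELS[expect]:
            problems.append(f"unexpected block: {label}")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                problems.append(f"{label}: body is not valid Base64")
                continue
            if der[:1] != b"\x30":
                problems.append(f"{label}: body is not an ASN.1 SEQUENCE")
    # openssl pkcs12 writes "Bag Attributes" and pkcs7 -print_certs writes
    # subject=/issuer= lines around the blocks; report them for trimming.
    if PEM_BLOCK.sub("", text).strip():
        problems.append("text outside the PEM blocks")
    return problems


if __name__ == "__main__":
    # Constructed sample: a fake 20-byte "DER" body, not a real certificate.
    body = base64.b64encode(b"\x30\x82\x00\x10" + bytes(16)).decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    print(inspect_pem(("Bag Attributes\n" + pem).encode(), "certificate"))
```

The check is structural only: it does not verify that the private key matches the certificate or that the certificate is within its validity period.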

Verification

The certificate you created is displayed in the certificate list.

Other Operations

  • To change the certificate name, move the cursor over the name of the certificate, click , and enter a certificate name.

    If the certificate is in use, unbind the certificate from the domain name first. Otherwise, the certificate name cannot be changed.

  • To view details about a certificate, click View in the Operation column of the certificate.
  • To use a certificate for a domain name, locate the row containing the certificate and click Use in the Operation column.
  • To delete a certificate, locate the row of the certificate and click More > Delete in the Operation column.
  • To update a certificate, locate the row of the certificate and click More > Update in the Operation column.
  • To share a certificate with other enterprise projects, locate the row containing the certificate and click Share in the Operation column.