Quickly Applying for and Using an OV SSL Certificate

With an SSL certificate deployed on your web server, the server uses HTTPS to establish encrypted links to the client, ensuring data transmission security.

Scenarios

Cloud Certificate & Manager provides domain SSL certificates. You can purchase them as required. There are three types of domain name certificates: DV, OV, and EV. OV wildcard-domain SSL certificates are widely used to provide encryption protection for all subdomain names and are widely used by the Ministry of Foreign Affairs, State Grid, and Huawei Cloud.
This topic walks you through on how to quickly apply for and use an SSL certificate in CCM. Let's apply for a wildcard-domain OV SSL certificate from GlobalSign.
A wildcard-domain certificate can protect only subdomains of the same level. For example, a level-2 wildcard domain name *.example.com can protect test.example.com, but cannot protect a level-3 subdomain name such as test.test.example.com.

Procedure

Step	Description
Preparations	After registering a Huawei Cloud and enabling Huawei Cloud services, complete real-name authentication, top up your account, and grant permissions to IAM users.
Step 1: Purchase an SSL Certificate	Configure the parameters for purchasing an OV SSL certificate.
Step 2: Apply for an SSL Certificate	After you purchase a certificate, associate a domain name, provide additional details, and then submit the application for approval.
Step 3: Verify the Domain Ownership	After you submit a certificate application, configure domain name verification information to verify your ownership of the domain name.
Step 4: Verify the Organization	After the domain name ownership is verified, the CA will initiate organization verification.
Step 5: Issue an SSL Certificate	After the organization verification is complete, the CA manually reviews the certificate information. After the information is approved, the CA issues the certificate.
Step 6: Using an OV SSL Certificate	After applying for a certificate, you can deploy the certificate to other Huawei Cloud services in one-click mode or download the certificate and deploy it on a server.

Preparations

Sign up with Huawei Cloud and complete real-name authentication.
Before purchasing a certificate, Signing Up for a HUAWEI ID and Enabling Huawei Cloud Services and Real-name authentication.
Ensure that your account has sufficient balance or has a valid payment method configured.
The account for purchasing a certificate has the SCM Administrator/SCM FullAccess, BSS Administrator, and DNS Administrator permissions.
- BSS Administrator: has all permissions on account center, billing center, and resource center. It is a project-level role, which must be assigned in the same project.
- DNS Administrator: has full permissions for DNS.
For details, see Permissions Management.

Step 1: Purchase an SSL Certificate

Log in to the CCM console.
Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate & Manager. The SSL certificate manager page is displayed.
In the upper right corner of the page, click Buy Certificate to go to the certificate purchase page.

On the Buy CCM page, set the following parameters, as shown in Figure 1.

**Table 1** Parameters for purchasing an OV SSL certificate
Parameter	Example	Description
Billing Mode	One-time	SSL certificates are a single-time product.
Type	SSL certificate - domain name	-
Domain Type	Wildcard	You can associate Single domain, Multiple domain, or Wildcard with a certificate as required. For more information, see Domain Name Types Supported in SCM.
Domain Quantity	1	If the Domain Type value is Single domain or Wildcard, you can only associate one domain name with a certificate. If the Domain Type value is Multiple domains. The number of domain names ranges from 2 to 250. Set the number of domain names as required.
Certificate Type	OV	CCM provides three types of SSL certificates: OV, DV, and EV. Different types of certificates apply to different application scenarios, trust levels, and security levels. For details, see Certificate Types.
Certificate Authority	GlobalSign	CCM supports the following certificate authorities: DigiCert, GeoTrust, and GlobalSign. For details about the types of certificates that can be issued by each CA, see Certificate Authority.
Region	All	-
Validity Period	1 year	Select the validity period as required. The longer the subscription period, the higher the discount.
Quantity	1	Set the value as required.
Tags	Not added	Tags are used to identify SSL certificates, facilitating cloud resource classification and management.

Figure 1 Parameters for purchasing an OV SSL certificate

Click to enlarge

Click Next.
Confirm the order information and agree to the CCM statement by selecting I have read and agree to the Cloud Certificate & Manager Statement. Click Pay.
On the displayed page, select a payment method.

After the payment is successful, you can go to the SSL Certificate Manager > SSL Certificates page to view certificates you purchased.

Step 2: Apply for an SSL Certificate

After you purchase a certificate, you still need to associate a domain name with it, provide certain details, and then submit it for approval. The CA will not issue the certificate until all of the submitted details have been reviewed.

Log in to the CCM console.
Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate & Manager. The SSL certificate manager page is displayed.
In the Operation column that contains the certificate to be applied for, click Apply for Certificate.

Figure 2 Applying for a Certificate
On the displayed page, set parameters such as domain name, enterprise, and applicant. For details, see Submitting an SSL Certificate Application.

Figure 3 Certificate application details page
After confirming that the entered information is correct, read through the Cloud Certificate & Manager Statement, Privacy Statement, and the authorization statement, and check the box to agree to the disclaimer and statements.
Click Submit.

The system will submit your application to the CA. During the approval process, make sure that you can be reached by phone and that you regularly check for emails from the CA.

Step 3: Verify the Domain Ownership

The CA will handle your application within 2 to 3 working days and send a verification email to you. You need to verify the domain name as required to prove the domain name ownership. This section uses DNS verification as an example.

Log in to the CCM console.
Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate & Manager. The SSL certificate manager page is displayed.
In the SSL certificate list, locate the row that contains the certificate to be applied for, and click Verify Domain Name in the Operation column.

Figure 4 Domain ownership verification
On the Verify Domain Name page, view the content for Host Record, Record Type, and Record Value. Figure 5 shows an example.

If Host Record, Record Type, and Record Value are not displayed, log in to the mailbox to view. The mailbox is the one you provide during certificate application.
Figure 5 Viewing a host record
Go to the DNS service provider of your domain name and add a record. For details, see Manual DNS Verification.
Check whether the domain name verification takes effect. For details, see Manual DNS Verification.
Review the DNS verification result.

If you have verified the domain name ownership, the CA will take 2 to 3 working days to verify your information. You can proceed to the organization verification step only after the application is approved.

Step 4: Verify the Organization

If you apply for an OV SSL certificate, the CA sends an organization verification email after domain name ownership is verified. The CA validates your organization identity by contacting you through the method you select.

If you purchase a certificate again from the same CA within 13 months and the certificate information is not changed, organization verification is not required.
After the organization verification completes, it takes some time for CA to complete the verification.

Log in to the mailbox you left when applying for a certificate.
Open the organization verification email from the CA.
Reply to the email from the CA to select an organization verification method.
Cooperate with the CA and complete the verification by the method you select.

Step 5: Issue an SSL Certificate

Your SSL certificates will be issued after the CA approves your application. The certificate approval time depends on how quickly you respond with requested information from the CA. The CA contacts you through the reserved email address and phone number. Ensure you can be contacted through the information you leave when applying for the certificate.

Generally, the CA manually reviews the information about an OV SSL certificate after the organization verification is complete. If the information is correct, the review takes three to five working days. After the CA approves the certificate, it issues the certificate. The certificate takes effect upon issuance. The OV SSL certificate application is complete.

Step 6: Using an OV SSL Certificate

After applying for a certificate, you can deploy the certificate to other Huawei Cloud services in one-click mode or download the certificate and deploy it on a server. Downloading a Certificate. The following describes how to deploy a certificate:

If traffic passes through WAF and needs to be encrypted using HTTPS, you need to deploy the SSL certificate on WAF, especially when the multi-node architecture such as CDN → WAF → Origin Server is used. This prevents attackers from tampering with data on intermediate nodes and decrypts, detects, and allows incoming traffic, improving overall security and data transmission security.

Prerequisites
- You have enabled WAF, routed your website domain name to WAF, and configured an SSL certificate for the domain name in WAF.
- You have an SSL certificate that is in Issued or Hosted status.
Constraints
- If you have not purchased WAF or the domain name you want to use the certificate for has not been added to WAF, deploying the certificate to WAF may fail.
- If you select Upload a CSR for CSR when applying for a certificate, the issued certificate cannot be directly deployed to other cloud products through SCM because no private key of the certificate is available on the Huawei cloud. To use a certificate in a cloud product, download the certificate to your local PC first. Then, upload the certificate and private key to the cloud product and complete deployment.
Step
1. Log in to the CCM console.
2. In the navigation pane on the left, choose SSL Certificate Manager > SSL Certificates.
3. Locate the row containing the certificate you want to deploy on other cloud product, and click Deploy in the Operation to go to the certificate deployment details page.
4. On the displayed page, select WAF in the Deployment Details area.
5. Select the domain name you want to deploy the certificate for and click Deploy in the Operation column.
  To deply the certificates for multiple domain names, select all the target domain names and click Batch Update above the domain name list.
6. In the displayed confirmation dialog box, click Confirm.
  After the deployment is successful, a message is displayed, indicating that the deployment is successful. Go to the deployment record page to view the result.

To enable secure connections for website traffic distributed through ELB, you need to deploy SSL certificates on ELB. This applies to all websites that need to protect user data privacy and security, prevent insecure browser warnings, and protect customer information, such as online transactions and sensitive data.

Prerequisites
- You have enabled Elastic Load Balance (ELB) as required below, added your website domain name to ELB, and configured an SSL certificate for the website in ELB.
  If you have not purchased ELB or the domain name you want to use the certificate for has not been added to ELB, deploying the certificate to ELB may fail.
- You have an SSL certificate that is in Issued or Hosted status.
Constraints
- You need to create a listener and configure HTTPS for the listener. This means the certificate that is being used for ELB and you want to update in CCM must have been configured in ELB at the very beginning. Then, you can quickly update it in CCM.
- If an ELB certificate is used for multiple domain names, ensure that the new certificate you want to update in CCM for ELB must match with those domain names. If they do not match, the domain names in the new certificate will overwrite the ones in the original certificate after the update.
- If you select Upload a CSR for CSR when applying for a certificate, the issued certificate cannot be directly deployed to other cloud products through SCM because no private key of the certificate is available on the Huawei cloud. To use a certificate in a cloud product, download the certificate to your local PC first. Then, upload the certificate and private key to the cloud product and complete deployment.
- You can use SCM to update the certificate deployed on listeners in ELB. If you update an SSL certificate in SCM, the certificate content and private keys are updated in ELB accordingly. ELB then updates the certificate content and private keys on all listeners where the certificate is deployed for.
Step
1. Log in to the CCM console.
2. In the navigation pane on the left, choose SSL Certificate Manager > SSL Certificates.
3. Locate the row containing the certificate you want to deploy on other cloud product, and click Deploy in the Operation to go to the certificate deployment details page.
4. On the displayed page, select ELB in the Deployment Details area.
5. Select the domain name you want to deploy the certificate for and click Deploy in the Operation column.
  To deply the certificates for multiple domain names, select all the target domain names and click Batch Update above the domain name list.
6. In the displayed confirmation dialog box, click Confirm.
  After the deployment is successful, a message is displayed, indicating that the deployment is successful. Go to the deployment record page to view the result.

When traffic passes through intermediate nodes such as CDN and the connection between the client and these nodes needs to be encrypted, you need to deploy the SSL certificate to CDN. This method can protect communication security between users and the CDN and prevent data from being intercepted or tampered during transmission, especially when the website access traffic is heavy or sensitive information needs to be transmitted.

Prerequisites
- You have enabled CDN, added your website to CDN, and configured an SSL certificate for the website in CDN.
  If you have not purchased CDN or the domain name you want to use the certificate for has not been added to CDN, deploying the certificate to CDN may fail.
- You have an SSL certificate that is in Issued or Hosted status.
Constraints
If you select Upload a CSR for CSR when applying for a certificate, the issued certificate cannot be directly deployed to other cloud products through SCM because no private key of the certificate is available on the Huawei cloud. To use a certificate in a cloud product, download the certificate to your local PC first. Then, upload the certificate and private key to the cloud product and complete deployment.
Step
1. Log in to the CCM console.
2. In the navigation pane on the left, choose SSL Certificate Manager > SSL Certificates.
3. Locate the row containing the certificate you want to deploy on other cloud product, and click Deploy in the Operation to go to the certificate deployment details page.
4. On the displayed page, select CDN in the Deployment Details area.
5. Select the domain name you want to deploy the certificate for and click Deploy in the Operation column.
  To deply the certificates for multiple domain names, select all the target domain names and click Batch Update above the domain name list.
6. In the displayed confirmation dialog box, click Confirm.
  After the deployment is successful, a message is displayed, indicating that the deployment is successful. Go to the deployment record page to view the result.

To ensure the security of playback data and transmission information, such as playback records and data transmission in live streams, you need to enable HTTPS encryption in VOD. In HTTPS, key user information is encrypted to prevent session IDs or cookies from being captured by attackers, which may cause sensitive information leakage.

Prerequisites
- You have subscribed to VOD and configured a website domain name that matches the SSL certificate in VOD.
- If you have not subscribed to VOD or the domain name you want to use the certificate for has not been added to VOD, deploying the certificate to VOD may fail.
- You have an SSL certificate that is in Issued or Hosted status.
Constraints
- If you select Upload a CSR for CSR when applying for a certificate, the issued certificate cannot be directly deployed to other cloud products through SCM. To use a certificate for a cloud product, download the certificate to your local PC first. Then, upload it to the cloud product and complete deployment.
Step
1. Log in to the CCM console.
2. In the navigation pane on the left, choose SSL Certificate Manager > SSL Certificates.
3. Locate the row containing the certificate you want to deploy on other cloud product, and click Deploy in the Operation to go to the certificate deployment details page.
4. On the displayed page, select VOD in the Deployment Details area.
5. Select the domain name you want to deploy the certificate for and click Deploy in the Operation column.
  To deply the certificates for multiple domain names, select all the target domain names and click Batch Update above the domain name list.
6. In the displayed confirmation dialog box, click Confirm.
  After the deployment is successful, a message is displayed, indicating that the deployment is successful. Go to the deployment record page to view the result.