Quickly Applying for and Using an OV SSL Certificate

Scenarios

• Cloud Certificate Manager (CCM) provides domain SSL certificates. You can purchase them as required. There are three types of domain name certificates: DV, OV, and EV. OV wildcard-domain SSL certificates are widely used to provide encryption protection for all subdomain names and are widely used by the Ministry of Foreign Affairs, State Grid, and Huawei Cloud.
• This topic walks you through on how to quickly apply for and use an SSL certificate in CCM. Let's apply for a wildcard-domain OV SSL certificate from GlobalSign.
• A wildcard-domain certificate can protect only subdomains of the same level. For example, a level-2 wildcard domain name *.example.com can protect test.example.com, but cannot protect a level-3 subdomain name such as test.test.example.com.

Procedure

Preparations

1. Sign up with Huawei Cloud and complete real-name authentication.

   Before purchasing a certificate, sign up for a HUAWEI ID and enable Huawei Cloud services and complete real-name authentication first.

2. Ensure that your account has sufficient balance or has a valid payment method configured.
3. The account for purchasing a certificate has the SCM Administrator/SCM FullAccess, BSS Administrator, and DNS Administrator permissions.
   • BSS Administrator: has all permissions on account center, billing center, and resource center. It is a project-level role, which must be assigned in the same project.
   • DNS Administrator: has full permissions for DNS.

   For details, see Permission Management.

Step 1: Purchase an SSL Certificate

1. Log in to the management console.
2. Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate Management Service. The SSL certificate manager page is displayed.
3. In the upper right corner of the page, click Buy Certificate to go to the certificate purchase page.
4. On the Buy CCM page, set the following parameters, as shown in Figure 1.

   Table 1 Parameters for purchasing an OV SSL certificate

   Parameter	Example	Description
   Billing Mode	One-time	SSL certificates are a single-time product.
   Type	SSL certificate - domain name	-
   Domain Type	Wildcard	You can associate Single domain, Multiple domain, or Wildcard with a certificate as required. For more information, see Domain Name Types Supported in SCM.
   Domain Quantity	1	If the Domain Type value is Single domain or Wildcard, you can only associate one domain name with a certificate. If the Domain Type value is Multiple domains, The number of domain names ranges from 2 to 250. Set the number of domain names as required.
   Certificate Type	OV	CCM provides three types of SSL certificates: OV, DV, and EV. Different types of certificates apply to different application scenarios, trust levels, and security levels. For details, see Certificate Types.
   Certificate Authority	GlobalSign	CCM supports the following certificate authorities: DigiCert, GeoTrust, and GlobalSign. For details about the types of certificates that can be issued by each CA, see Certificate Authority.
   Region	All	-
   Validity Period	1 year	Select the validity period as required. The longer the subscription period, the higher the discount.
   Quantity	1	Set the value as required.
   Tags	Not added	Tags are used to identify SSL certificates, facilitating cloud resource classification and management.

   Figure 1 Parameters for purchasing an OV SSL certificate

   

5. Click Next.
6. Confirm the order information and agree to the CCM statement by selecting I have read and agree to the Cloud Certificate Manager Statement. Click Pay.
7. On the displayed page, select a payment method.

   After the payment is successful, you can go to the SSL Certificate Manager > SSL Certificates page to view certificates you purchased.

Step 2: Apply for an SSL Certificate

After you purchase a certificate, you still need to associate a domain name with it, provide certain details, and then submit it for approval. The CA will not issue the certificate until all of the submitted details have been reviewed.

1. Log in to the management console.
2. Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate Management Service. The SSL certificate manager page is displayed.
3. In the Operation column that contains the certificate to be applied for, click Apply for Certificate.
   Figure 2 Applying for a Certificate

   

4. On the displayed page, set parameters such as domain name, enterprise, and applicant. For details, see Submitting an SSL Certificate Application.
   Figure 3 Certificate application details page

   

5. After confirming that the entered information is correct, read through the Cloud Certificate Manager Statement, Privacy Statement, and the authorization statement, and check the box to agree to the disclaimer and statements.
6. Click Submit.

   The system will submit your application to the CA. During the approval process, make sure that you can be reached by phone and that you regularly check for emails from the CA.

Step 3: Verify the Domain Ownership

The CA will handle your application within 2 to 3 working days and send a verification email to you. You need to verify the domain name as required to prove the domain name ownership. This section uses DNS verification as an example.

1. Log in to the management console.
2. Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate Management Service. The SSL certificate manager page is displayed.
3. In the SSL certificate list, locate the row that contains the certificate to be applied for, and click Verify Domain Name in the Operation column.
   Figure 4 Domain ownership verification

   
   

4. On the Verify Domain Name page, view the content for Host Record, Record Type, and Record Value. Figure 5 shows an example.
   If Host Record, Record Type, and Record Value are not displayed, log in to the mailbox to view. The mailbox is the one you provide during certificate application.

   Figure 5 Viewing a host record
   

5. Go to the DNS service provider of your domain name and add a record. For details, see Manual DNS Verification.
6. Check whether the domain name verification takes effect. For details, see Manual DNS Verification.
7. Review the DNS verification result.

   If you have verified the domain name ownership, the CA will take 2 to 3 working days to verify your information. You can proceed to the organization verification step only after the application is approved.

Step 4: Verify the Organization

If you apply for an OV SSL certificate, the CA sends an organization verification email after domain name ownership is verified. The CA validates your organization identity by contacting you through the method you select.

• If you purchase a certificate again from the same CA within 13 months and the certificate information is not changed, organization verification is not required.
• After the organization verification completes, it takes some time for CA to complete the verification.

1. Log in to the mailbox you left when applying for a certificate.
2. Open the organization verification email from the CA.
3. Reply to the email from the CA to select an organization verification method.
4. Cooperate with the CA and complete the verification by the method you select.

Step 5: Issue an SSL Certificate

Your SSL certificates will be issued after the CA approves your application. The certificate approval time depends on how quickly you respond with requested information from the CA. The CA contacts you through the reserved email address and phone number. Ensure you can be contacted through the information you leave when applying for the certificate.

Generally, the CA manually reviews the information about an OV SSL certificate after the organization verification is complete. If the information is correct, the review takes three to five working days. After the CA approves the certificate, it issues the certificate. The certificate takes effect upon issuance. The OV SSL certificate application is complete.

Using OV SSL Certificates

After applying for a certificate, you can deploy the certificate to other Huawei Cloud services in one-click mode or download the certificate and deploy it on a server.