Help Center/ Elastic Load Balance/ User Guide/ User Guide for Shared Load Balancers/ Security/ Certificate/ Certificate Overview
Updated on 2024-12-12 GMT+08:00
View PDF
Share

Certificate Overview

When you add an HTTPSor TLS listener, you need to bind a server certificate to it. To enable mutual authentication, you also need to bind a CA certificate to the listener. You can purchase a server certificate from Huawei Cloud SSL Certificate Manager (SCM) or upload your own certificates to the ELB console.

Use Cases

When you add an HTTPS or TLS listener to route requests, you need to select SSL Authentication. For one-way authentication, you need to configure a server certificate for the listener. For two-way authentication, you need to configure both a server certificate and a CA certificate.

Table 1 SSL authentication

One-way Authentication

Only backend servers will be authenticated. You need to bind a server certificate to the listener to authenticate the server.

Mutual Authentication

The clients and the load balancer authenticate each other. Only authenticated clients will be allowed to access the load balancer. You need to bind both a server certificate and a CA certificate to the listener to allow the clients and the load balancer to authenticate each other. You do not need to configure two-way authentication on the backend servers.

ELB supports two types of certificates.

Table 2 Certificate types

Server Certificate

Used for SSL handshake negotiations if an HTTPSor TLS listener is used. Both the certificate content and private key are required.

CA Certificate

Also called client CA public key certificate and used to verify the client certificate issuer. If mutual authentication is required, connections can be established only when the client provides a certificate issued by a specific CA.

Precautions

  • A certificate can be used by multiple load balancers but only needs to be uploaded to ELB once.
  • You must specify a domain name for an SNI certificate. The domain name must be the same as that in the certificate. An SNI certificate can have multiple domain names.
  • For each certificate type, a listener can have only one certificate by default, but a certificate can be bound to more than one listener. If SNI is enabled for the listener, multiple server certificates can be bound.
  • Only original certificates are supported. That is to say, you cannot encrypt your certificates.
  • You can use self-signed certificates. However, note that self-signed certificates pose security risks. It is recommended that you use certificates issued by third parties.
  • ELB only supports certificates in PEM format. If you have a certificate in any other format, you must convert it to a PEM-encoded certificate.
  • If a certificate has expired, you need to manually replace or delete it.

Certificate Format

You can copy and paste the certificate body to create a certificate or directly upload a certificate.

A certificate issued by the Root CA is unique, and no additional certificates are required. The configured site is considered trustable by access devices, such as a browser.

The body of the server and CA certificates must meet the requirements as described below.

  • The content must start with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
  • Each row contains 64 characters except the last row.
  • There are no empty rows.

The following is an example:

-----BEGIN CERTIFICATE-----
Base64–encoded certificate
-----END CERTIFICATE-----

Private Key Format

When creating a server certificate, you also need to upload the private key of the certificate. You can copy and paste the private key content or directly upload the private key in the required format.

Private keys must be unencrypted and meet the following requirements:

  • The value must be in PEM format.
    • The content must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
    • The content must start with -----BEGIN EC PRIVATE KEY----- and end with -----END EC PRIVATE KEY-----.
  • There are no empty rows. Each row contains 64 characters except the last row.

The following is an example:

-----BEGIN RSA PRIVATE KEY-----
[key]
-----END RSA PRIVATE KEY-----

Converting Certificate Formats

ELB only supports certificates in PEM format. If you have a certificate in any other format, you must convert it to a PEM-encoded certificate. There are some common methods for converting a certificate from any other format to PEM.

From DER to PEM

The DER format is usually used on a Java platform.

Run the following command to convert the certificate format:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Run the following command to convert the private key format:

openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

From P7B to PEM

The P7B format is usually used by Windows and Tomcat servers.

Run the following command to convert the certificate format:

openssl pkcs7 -print_certs -in incertificate.p7b -out outcertificate.cer

From PFX to PEM

The PFX format is usually used by Windows servers.

Run the following command to convert the certificate format:

openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

Run the following command to convert the private key format:

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
Parent Topic: Certificate