Updated on 2025-01-10 GMT+08:00

Adding an SSL Certificate for an API

API groups that contain HTTPS-compatible APIs must have their independent domain names bound with SSL certificates. SSL certificates are used for data encryption and identity verification, and support both one-way and two-way authentication.

If no SSL certificate is configured, request security cannot be ensured.

  • One-way authentication: When connecting to a server, a client verifies the identity of the server.

  • Two-way authentication: When connecting to a server, a client verifies the server and the server also verifies the client.

Constraints

  • Only SSL certificates in PEM format are supported.
  • SSL certificates support only the RSA and ECDSA encryption algorithms.

Prerequisites

  • You have obtained the SSL certificate.
  • If two-way authentication is used, you need to obtain the CA certificate.

Adding an SSL Certificate

  1. Go to the APIG console.
  2. Select a dedicated gateway at the top of the navigation pane.
  3. In the navigation pane, choose API Management > API Policies.
  4. On the SSL Certificates tab, click Create SSL Certificate.
  5. Configure the certificate according to the following table.

    Table 1 SSL certificate configuration

    Parameter | Description

    Name

    Enter an SSL certificate name. It is recommended that you enter a name based on naming rules to facilitate search.

    Enter 4 to 50 characters, starting with a letter. Only letters, digits, and underscores (_) are allowed.

    Gateways Covered

    • Current: The certificate will be displayed only for the current gateway.
    • All: The certificate will be displayed for all gateways of the current account and region.

    Algorithm

    Specify the encryption algorithm used by the certificate. Options: RSA or ECC.

    • Rivest–Shamir–Adleman (RSA) is an asymmetric cryptographic algorithm that is widely used around the world. It has the best compatibility among the three algorithms and supports mainstream browsers and all-platform OSs. Generally, RSA uses a 2048-bit or 3072-bit key.
    • Elliptic curve cryptography (ECC) features faster encryption, higher efficiency, and lower server resource consumption compared with RSA. ECC is being promoted in mainstream browsers and is becoming a new-generation mainstream algorithm. Generally, ECC uses a 256-bit key.

    Content

    SSL certificate content in PEM format.

    Open the target PEM certificate file using Notepad or other tools, and copy the certificate content to Content.

    If the certificate is not in PEM format, convert it to this format.

    Key

    SSL certificate key in PEM format.

    Open the KEY or PEM private key file using Notepad or other tools, and copy the private key to Key.

    CA

    For two-way authentication, you need to enter the CA certificate to verify both the server and client certificates. After the CA certificate is uploaded, the independent domain name needs to be bound to an SSL certificate to enable two-way authentication. Open the CA certificate file (.pem format) corresponding to the preceding certificate content as a text file and copy the CA content to CA.

    NOTE:

  6. Click OK.

    After creating a certificate, you can optionally bind it to an independent domain name of an API group.

Converting Certificate Format to PEM

Format | Converting with OpenSSL

CER/CRT

Rename the certificate file cert.crt to cert.pem.

PFX

  • Run the private key export command. For example, run the following command to convert cert.pfx into key.pem:

    openssl pkcs12 -in cert.pfx -nocerts -out key.pem

  • Run the certificate export command. For example, run the following command to convert cert.pfx into cert.pem:

    openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

P7B

  1. Run the certificate conversion command. For example, run the following command to convert cert.p7b into cert.cer:

    openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

  2. Rename the certificate file cert.cer to cert.pem.

DER

  • Run the private key export command. For example, run the following command to convert privatekey.der into privatekey.pem:

    openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

  • Run the certificate export command. For example, run the following command to convert cert.cer into cert.pem:

    openssl x509 -inform der -in cert.cer -out cert.pem
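The constraints and conversions above can be checked locally before the certificate and key are pasted into the console. The script below is an added example, not part of the original documentation: its function names are assumptions, it uses only standard openssl subcommands, and it assumes the private key file is unencrypted.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of APIG or OpenSSL.

# Print PEM, DER or unknown. A renamed .crt/.cer is only PEM if it has the marker.
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then echo DER
    else echo unknown
    fi
}

# Write a PEM copy of certificate $1 to $2, converting only when $1 is DER.
to_pem() {
    case "$(cert_encoding "$1")" in
        PEM) cp "$1" "$2" ;;
        DER) openssl x509 -inform DER -in "$1" -out "$2" ;;
        *)   return 1 ;;
    esac
}

# Print RSA, EC or unsupported for the public key in PEM certificate $1.
cert_algorithm() {
    case "$(openssl x509 -in "$1" -noout -text 2>/dev/null | grep 'Public Key Algorithm')" in
        *rsaEncryption*)  echo RSA ;;
        *id-ecPublicKey*) echo EC ;;
        *)                echo unsupported ;;
    esac
}

# Succeed only if private key $1 and PEM certificate $2 carry the same public key.
# "-passin pass:" makes an encrypted key fail here instead of prompting.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run every check on certificate $1 and key $2; return non-zero on any failure.
preflight() {
    pem=$(mktemp) || return 1; rc=0
    if ! to_pem "$1" "$pem"; then echo "FAIL: not a PEM or DER certificate"; rm -f "$pem"; return 1; fi
    alg=$(cert_algorithm "$pem")
    [ "$alg" != unsupported ] || { echo "FAIL: key is not RSA or EC"; rc=1; }
    key_matches_cert "$2" "$pem" || { echo "FAIL: private key does not match certificate"; rc=1; }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || { echo "FAIL: certificate expired"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: $alg certificate in PEM form, key matches"
    rm -f "$pem"; return "$rc"
}

[ "$#" -lt 2 ] || preflight "$1" "$2"
```

Run it as `sh preflight.sh cert.crt key.pem` (the script file name is a placeholder); a non-zero exit status means at least one check failed.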

Updating an SSL Certificate

On the certificate list page, locate the certificate to be updated, click Modify in the Operation column, and modify the certificate information.

  • Updating the SSL certificate does not affect API calling.
  • If the certificate to be updated has been bound to an independent domain name, all clients that access the domain name can view the updated certificate.
  • If the updated SSL certificate has been bound to an independent domain name, the client authentication (HTTPS two-way authentication) is disabled by default when a CA certificate is added to the updated content.