Updated on 2024-11-27 GMT+08:00

Adding an SSL Certificate

If the API group contains HTTPS-compatible APIs, add an SSL certificate for the independent domain name bound to the group. An SSL certificate is used for data encryption and identity authentication. It supports one-way and two-way authentication.

  • One-way authentication: When connecting to a server, a client verifies the server's identity.
  • Two-way authentication: When connecting to a server, a client verifies the server and the server also verifies the client.

Constraints

  • Only SSL certificates in PEM format can be added.
  • The added SSL certificates support only the RSA, ECDSA, and DSA encryption algorithms.
  • Certificate chains are not supported.

Creating an SSL Certificate

  1. Log in to the ROMA Connect console. On the Instances page, click View Console of an instance.
  2. In the navigation pane on the left, choose API Connect > API Policies. On the SSL Certificates tab, click Create SSL Certificate.
  3. In the displayed dialog box, configure the SSL certificate information.
    Table 1 SSL certificate configuration

    | Parameter | Description |
    |---|---|
    | Name | Enter an SSL certificate name. Following a naming rule makes the certificate easier to find later. |
    | Scope | Specify the scope in which the SSL certificate can be viewed. Current instance: The SSL certificate can be viewed only in the current instance. All: The SSL certificate can be viewed in all instances under the current account. |
    | Content | Enter the SSL certificate content in PEM format. Open the PEM certificate file of the certificate to be uploaded in a text editor, and copy the certificate content to Content. If the certificate is not in PEM format, convert it by referring to Converting the Certificate Format to PEM. |
    | Key | Enter the SSL certificate key in PEM format. Open the KEY/PEM private key file of the certificate to be uploaded in a text editor, and copy the private key to Key. |
    | CA | When two-way authentication is used, a CA certificate is required to verify the client certificate. After configuring a CA certificate, bind an SSL certificate to the independent domain name to enable two-way authentication. Open the CA certificate file (.pem format) of the certificate to be uploaded in a text editor, and copy the content to CA. If the certificate is not PEM-encoded, convert it by referring to Converting the Certificate Format to PEM. |

  4. Click OK. The SSL certificate is added.

    Replace expired certificates immediately to reduce security risks.

Converting the Certificate Format to PEM

Conversion with OpenSSL, by source format:

CER/CRT

Rename the certificate file cert.crt to cert.pem directly.

PFX

  • Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:

    openssl pkcs12 -in cert.pfx -nocerts -out key.pem

  • Obtain a certificate. For example, run the following command to convert cert.pfx into cert.pem:

    openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

P7B

  1. Convert a certificate. For example, run the following command to convert cert.p7b into cert.cer:

    openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

  2. Rename the certificate file cert.cer to cert.pem.

DER

  • Obtain a private key. For example, run the following command to convert privatekey.der into privatekey.pem:

    openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

  • Obtain a certificate. For example, run the following command to convert cert.cer into cert.pem:

    openssl x509 -inform der -in cert.cer -out cert.pem
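
The constraints listed earlier (PEM only, no certificate chains, RSA/ECDSA/DSA keys) and the pairing of Content with Key can be checked locally after conversion and before pasting anything into the console. The script below is an added example, not part of the ROMA Connect documentation; the function names and the script name precheck.sh are assumptions, and it also catches a DER-encoded CER/CRT file that was only renamed to .pem.

```shell
#!/bin/sh
# Added example: checks to run on cert.pem and key.pem before pasting them
# into Content and Key. Function names are assumptions made for this sketch.

# Number of certificates in the file; more than one means it is a chain.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Map the certificate's public key algorithm to RSA, ECDSA or DSA.
cert_key_alg() {
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
          sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$alg" in
        rsaEncryption)  echo RSA ;;
        id-ecPublicKey) echo ECDSA ;;
        dsaEncryption)  echo DSA ;;
        *)              echo unsupported ;;
    esac
}

# True when the private key in $2 belongs to the certificate in $1.
# An encrypted key fails this check instead of prompting for a passphrase.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run every check; print the first failure and return non-zero.
precheck() {
    cert=$1; key=$2
    n=$(count_pem_certs "$cert")
    [ "$n" -ge 1 ] && openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "FAIL: $cert is not a PEM-encoded certificate"; return 1; }
    [ "$n" -eq 1 ] ||
        { echo "FAIL: $cert contains a certificate chain"; return 1; }
    case "$(cert_key_alg "$cert")" in
        RSA|ECDSA|DSA) ;;
        *) echo "FAIL: key algorithm is not RSA, ECDSA or DSA"; return 1 ;;
    esac
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $key does not match $cert"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $cert has expired"; return 1; }
    echo "OK: $cert and $key passed all checks"
}

# Usage: sh precheck.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then precheck "$1" "$2"; fi
```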