Updating a Certificate

If you set Client Protocol to HTTPS when you add a website to WAF, upload a certificate and use it for your website.

  • If your website certificate is about to expire, purchase a new certificate before the expiration date and update the certificate associated with the website in WAF.

  • If you plan to update the certificate associated with the website, associate a new certificate with your website on the WAF console.

Prerequisites

  • The website to be protected has been added to WAF.

  • Your website uses HTTPS as the client protocol.

Constraints

  • Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, add domain names one by one in WAF.

  • Only .pem certificates can be used in WAF. If the certificate is not in .pem, before uploading it, convert it to .pem by referring to Step 6.

Impact on the System

  • It is recommended that you update the certificate before it expires. Otherwise, all WAF protection rules will fail to take effect, and there can be massive impacts on the origin server, even more severe than a crashed host or website access failures.

  • Updating certificates does not affect services. The old certificate still works during the certificate replacement. The new certificate will take over the job once it has been uploaded and successfully associated with the domain name.

Procedure

  1. Log in to the management console.

  2. Click image1 in the upper left corner of the management console and select a region or project.

  3. Click image2 in the upper left corner and choose Web Application Firewall under Security.

  4. In the navigation pane, choose Website Settings.

  5. In the Protected Website column, click the domain name of the website to go to the basic information page.

  6. Click image3 next to the certificate name. In the Update Certificate dialog box, import a new certificate or select an existing certificate.

    • If you select Import new certificate for Update Method, enter a certificate name, and copy and paste the certificate file and private key into the corresponding text boxes.

      Note

      WAF encrypts and saves the private key to keep it safe.

      Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 1 before uploading it.

      Table 1 Certificate conversion commands

      Format

      Conversion Method

      CER/CRT

      Rename the cert.crt certificate file to cert.pem.

      PFX

      • Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:

        openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

      • Obtain a certificate. For example, run the following command to convert cert.pfx into cert.pem:

        openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

      P7B

      1. Convert a certificate. For example, run the following command to convert cert.p7b into cert.cer:

        openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

      2. Rename certificate file cert.cer to cert.pem.

      DER

      • Obtain a private key. For example, run the following command to convert **privatekey.der** into privatekey.pem:

        openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

      • Obtain a certificate. For example, run the following command to convert cert.cer into cert.pem:

        openssl x509 -inform der -in cert.cer -out cert.pem

      Note

      • Before running an OpenSSL command, ensure that the OpenSSL tool has been installed on the local host.

      • If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command.

    • If you select Select existing certificate for Update Method, select an existing certificate from the Certificate Name drop-down list.

  7. Click OK.