Certificates
To use SSL with your WAF policy, you must add a certificate bundle. The certificate bundle you upload includes the public certificate and the corresponding private key. Self-signed certificates can be used for the internal communication within Oracle Cloud Infrastructure.
Working with SSL Certificates
Oracle Cloud Infrastructure accepts third-party and self-signed certificates in PEM format only. The following is an example PEM encoded certificate:
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
Obtaining Third-Party SSL Certificates
You can purchase an SSL certificate from a trusted Certificate Authority such as Symantec, Thawte, RapidSSL, or GeoTrust. The certificate issuer will provide an SSL certificate that includes a certificate, intermediate certificate, and private key. Use this information, including the intermediate certificate, when adding an SSL certificate to Oracle Cloud Infrastructure.
Converting to PEM format
If you receive your certificates and keys in formats other than PEM, you must convert them before you can upload them to the system. You can use OpenSSL to convert certificates and keys to PEM format.
Uploading Certificate Chains
If you have multiple certificates that form a single certification chain, you must include all relevant certificates in one file before you upload them to the system. The following example of a certificate chain file includes four certificates:
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
Submitting Private Keys
If your private key submission returns an error, the most common reasons are that the private key is malformed or that the system does not recognize the encryption method used for the key.
Private key consistency
If you receive an error related to the private key, you can use OpenSSL to check its consistency:
openssl rsa -check -in <private_key>.pem
This command verifies that the key is intact, the passphrase is correct, and the file contains a valid RSA private key.
Decrypting a private key
If the system does not recognize the encryption technology used for your private key, decrypt the key. Upload the unencrypted version of the key with your certificate bundle. You can use OpenSSL to decrypt a private key:
openssl rsa -in <private_key>.pem -out <decrypted_private_key>.pem
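The following script, added here as an example and not part of Oracle's tooling, runs the checks this section and the Console form describe before a bundle is uploaded: every block is PEM X.509, the chain is ordered with the website certificate first, the private key is not passphrase-protected, and the key belongs to the first certificate. It assumes POSIX sh and the openssl command-line tool; the function names and messages are this example's own.

```shell
#!/bin/sh
# Pre-upload checks for an OCI WAF certificate bundle (added example, not Oracle tooling).
# Usage: waf_bundle_precheck <chain.pem> <private_key.pem>
#   chain.pem: website certificate first, then its intermediates; private_key.pem: no passphrase.

# Write each CERTIFICATE block of $1 to its own file $2/cert.<n>, preserving order.
split_chain() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (dir "/cert." n) }' "$1"
}

waf_bundle_precheck() {
    cert="$1"; key="$2"; tmp=$(mktemp -d); rc=0
    split_chain "$cert" "$tmp"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    [ "$n" -ge 1 ] || { echo "no CERTIFICATE block in $cert (PEM only)"; rm -rf "$tmp"; return 1; }

    # 1. Every block must parse as X.509; this catches truncated, DER or PKCS#12 input.
    i=1
    while [ "$i" -le "$n" ]; do
        openssl x509 -noout -in "$tmp/cert.$i" 2>/dev/null \
            || { echo "certificate #$i is not a valid PEM X.509 certificate"; rc=1; }
        i=$((i + 1))
    done

    # 2. Chain order: certificate i must be issued by certificate i+1, so the leaf comes first.
    i=1
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -noout -issuer -in "$tmp/cert.$i" 2>/dev/null | sed 's/^[a-z]*=//')
        sub=$(openssl x509 -noout -subject -in "$tmp/cert.$((i + 1))" 2>/dev/null | sed 's/^[a-z]*=//')
        [ "$iss" = "$sub" ] || { echo "certificate #$i was not issued by certificate #$((i + 1)); check order"; rc=1; }
        i=$((i + 1))
    done

    # 3. The key must be unencrypted: the service rejects passphrase-protected keys.
    if grep -q ENCRYPTED "$key" || ! openssl pkey -in "$key" -noout -passin pass: 2>/dev/null; then
        echo "private key is encrypted or malformed; decrypt with: openssl rsa -in $key -out decrypted.pem"
        rc=1
    fi

    # 4. The key must belong to the first certificate: compare the public keys they carry.
    pub_cert=$(openssl x509 -noout -pubkey -in "$tmp/cert.1" 2>/dev/null || true)
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$pub_key" ] || [ "$pub_cert" != "$pub_key" ]; then
        echo "private key does not match the first (website) certificate"; rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Run it as `waf_bundle_precheck chain.pem key.pem`; a zero exit status means the bundle passed all four checks, and each failure is printed with the fix this page describes.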
Using the Console
To create a WAF certificate:
- Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
- Click Certificates.
- Click Create WAF Certificate.
- In the Create WAF Certificate dialog box, enter the following:
- Name: A unique name for the certificate. Avoid entering confidential information.
- SSL Certificate: Drag and drop, select, or paste a valid SSL certificate in PEM format. You must also include intermediate certificates (the website certificate must be first). The following is an example:
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate_Base64_encoded_certificate>
-----END CERTIFICATE-----
- Private Key: Drag and drop, select, or paste a valid private key in PEM format in this field. The private key cannot be protected by a passphrase. The following is an example:
-----BEGIN PRIVATE KEY-----
<Base64_encoded_private_key>
-----END PRIVATE KEY-----
- Self Signed Certificate: Enable this field when using a self-signed certificate to show an SSL warning in the browser.
- Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
- Click Create.
To delete a WAF certificate:
- Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
- Click Certificates.
- Select the check box for the certificate you want to delete.
- Click Delete.
- In the confirmation dialog box, click Delete.
To edit a WAF certificate:
- Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
- Click Certificates.
- Click the name of the certificate you want to edit.
- Click Edit.
- In the Edit WAF Certificate dialog box, update the Name field. Avoid entering confidential information.
- Click Save Changes.
To move a WAF certificate to a different compartment:
- Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
- In the List Scope section, select a compartment.
- Click Certificates.
- Find the WAF certificate in the list, click the Actions icon (three dots), and then click Move Resource.
- Choose the destination compartment from the list.
- Click Move Resource.
To configure the certificate settings of a WAF policy:
- Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
- Click the name of the WAF Policy where you want to view certificate settings. The WAF Policy overview appears.
- Click Settings.
- Click General Settings.
- Click Edit.
- In the Edit Settings dialog box, enter the following:
- Enable HTTPS Support: Select this check box to encrypt all communications between the browser and the web app.
- Certificate Source: Choose one of the following methods:
- Choose Certificate: Select an existing certificate from the drop-down menu. Click Change Compartment to select a certificate from another compartment.
- Upload or Paste Certificate and Private Key
- SSL Certificate: Drag and drop, select, or paste a valid SSL certificate in PEM format. You must also include intermediate certificates (the website certificate must be first). The following is an example:
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate_Base64_encoded_certificate>
-----END CERTIFICATE-----
- Private Key: Drag and drop, select, or paste a valid private key in PEM format in this field. The private key cannot be protected by a passphrase. The following is an example:
-----BEGIN PRIVATE KEY-----
<Base64_encoded_private_key>
-----END PRIVATE KEY-----
- Self Signed Certificate: Enable this field when using a self-signed certificate to show an SSL warning in the browser.
- HTTP to HTTPS Redirect: When enabled, all HTTP traffic is automatically redirected to HTTPS.
- TLS Protocols Support: Select a TLS protocol from the drop-down list.
Caution: TLS versions 1 and 1.1 have been deprecated and cannot be used in policy configurations. If you use these versions, a validation error might occur. Use versions 1.2 or 1.3 instead.
- Enable SNI: Server Name Indication (SNI) is an extension of the TLS protocol that allows multiple secure hostnames to be served from a single IP address.
- Advanced Options
- Enable Response Buffering: Enable or disable buffering of the response from the origin.
- Cache Control Respected: Enable or disable automatic content caching based on the response cache-control header.
- Behind CDN: Enable this to allow the collection of IP addresses from the client request if WAF is connected to a CDN.
- Click Save Changes.
To edit the certificate of a WAF policy:
- Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
- Click the name of the WAF Policy whose certificate settings you want to edit. The WAF Policy overview appears.
- Click Settings.
- Click General Settings.
- Click Edit.
- In the Edit Settings dialog box, make the necessary updates to the certificate.
- Click Save Changes.
Using the API
For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.