Certificates

To use SSL with your WAF policy, you must add a certificate bundle. The certificate bundle you upload includes the public certificate and the corresponding private key. Self-signed certificates can be used for the internal communication within Oracle Cloud Infrastructure.

Working with SSL Certificates

Oracle Cloud Infrastructure accepts third-party and self-signed certificates in PEM format only. The following is an example PEM encoded certificate:
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----

Obtaining Third-Party SSL Certificates

You can purchase an SSL certificate from a trusted Certificate Authority such as Symantec, Thawte, RapidSSL, or GeoTrust. The CA issues the server certificate together with one or more intermediate certificates. The CA does not supply the private key: it is the key you generated locally when you created the certificate signing request (CSR), and it must never leave your control. Use the server certificate, the intermediate certificate(s), and that private key when adding an SSL certificate to Oracle Cloud Infrastructure.

Converting to PEM format

If you receive your certificates and keys in formats other than PEM, for example binary DER (.der, .cer) or a PKCS#12 container (.pfx, .p12), you must convert them before you can upload them to the system. You can use OpenSSL to convert certificates and keys to PEM format.
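The following script is an added example, not part of the Oracle documentation. It assumes `openssl` (1.1.1 or later) is on the PATH, generates a throwaway self-signed certificate and key, re-encodes them as DER and PKCS#12 (the two forms CAs and Windows exports most often hand you), converts both back to PEM, and confirms by fingerprint that the conversion changed only the encoding. The host name and the password `changeit` are constructed fixtures.

```shell
#!/bin/sh
# Added example (not from the OCI documentation): convert DER and PKCS#12 material to the PEM
# files the WAF accepts, and prove the result is the same certificate and key you started with.
# The key pair and certificate are throwaway fixtures generated here; "changeit" is a placeholder.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed input: a self-signed cert plus the same material re-encoded as DER and PKCS#12.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=www.example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/cert.der"
  openssl pkey -in "$WORK/key.pem" -outform DER -out "$WORK/key.der"
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -out "$WORK/bundle.p12" -passout pass:changeit
}

# DER -> PEM. x509 handles certificates; pkey handles private keys of any algorithm.
der_cert_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }
der_key_to_pem()  { openssl pkey -inform DER -in "$1" -out "$2"; }

# PKCS#12 -> PEM. The container holds cert, chain and key together; the WAF wants them in
# separate fields and the key without a passphrase (-nodes). The sed keeps only the PEM
# blocks, dropping the "Bag Attributes" lines pkcs12 prints above them.
# Arguments: p12_file password cert_out key_out
p12_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | sed -n '/^-----BEGIN/,/^-----END/p' > "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | sed -n '/^-----BEGIN/,/^-----END/p' > "$4"
}

# Sanity checks: 0 if the file parses as a PEM certificate / an unencrypted PEM private key.
is_pem_cert() { openssl x509 -inform PEM -in "$1" -noout 2>/dev/null; }
is_pem_key()  { openssl pkey -inform PEM -in "$1" -passin pass: -noout 2>/dev/null; }

# Fingerprints to confirm the conversion changed the encoding, not the content.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
key_fp()  { openssl pkey -in "$1" -passin pass: -pubout -outform DER | openssl dgst -sha256 | cut -d' ' -f2; }

# Run every conversion; return 0 only if each output parses and matches the original.
convert_all() {
  make_fixture
  der_cert_to_pem "$WORK/cert.der" "$WORK/cert_from_der.pem"
  der_key_to_pem  "$WORK/key.der"  "$WORK/key_from_der.pem"
  p12_to_pem "$WORK/bundle.p12" changeit "$WORK/cert_from_p12.pem" "$WORK/key_from_p12.pem"
  for f in cert_from_der cert_from_p12; do
    is_pem_cert "$WORK/$f.pem" && [ "$(cert_fp "$WORK/$f.pem")" = "$(cert_fp "$WORK/cert.pem")" ] || return 1
  done
  for f in key_from_der key_from_p12; do
    is_pem_key "$WORK/$f.pem" && [ "$(key_fp "$WORK/$f.pem")" = "$(key_fp "$WORK/key.pem")" ] || return 1
  done
  echo "all conversions produced PEM matching the original certificate and key"
}

convert_all
```

`openssl pkcs12 -nodes` writes the key without a passphrase, which is exactly what the upload field requires, so treat that output file like the secret it is: keep it readable only by you and delete it after the bundle has been uploaded.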

Uploading Certificate Chains

If you have multiple certificates that form a single certification chain, you must include all relevant certificates in one file before you upload them to the system. Order matters: the server (website) certificate comes first, followed by the intermediate that issued it, and so on up the chain, so that each certificate is immediately followed by its issuer. The following example of a certificate chain file includes four certificates:

-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
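The script below is an added example, not code from the Oracle documentation; it also covers the console fields described later on this page (website certificate first, private key belonging to that certificate). It assumes `openssl` (1.1.1 or later) and builds a throwaway root, intermediate and server certificate so it runs offline. All names are constructed fixtures. It then assembles the chain file in the required order and runs the three checks worth doing before an upload: that the order is right, that the trust path validates, and that the private key really belongs to the first certificate in the bundle.

```shell
#!/bin/sh
# Added example (not from the OCI documentation): build a throwaway root -> intermediate -> server
# PKI, assemble the chain file in the order the WAF expects (server certificate first, then the
# intermediate that signed it), and check chain order, trust path and key/certificate match.
# Every name here is a constructed fixture, not a real CA or host.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

make_pki() {
  # Self-signed root: clients already trust it, so it is not part of the upload.
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Test Root" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate, signed by the root.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Test Intermediate" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$WORK/req.cnf" -extensions ca_ext -out "$WORK/int.pem" 2>/dev/null
  # Server certificate, signed by the intermediate; server.key is the key that gets uploaded.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$WORK/req.cnf" -extensions server_ext -out "$WORK/server.pem" 2>/dev/null
}

# The bundle to upload: server certificate first, then each issuing intermediate in signing order.
build_chain() { cat "$WORK/server.pem" "$WORK/int.pem" > "$1"; }

# Split a bundle and check that certificate i was issued by certificate i+1.
# openssl verify does not care about order, but TLS servers (and the WAF upload) do.
chain_order_ok() {
  d="$(mktemp -d "$WORK/split.XXXXXX")"
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$d/$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || return 1
    i=$((i + 1))
  done
}

# Trust path check the way a client does it: only the root is trusted, the bundle is untrusted input.
chain_verifies() { openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/server.pem" >/dev/null 2>&1; }

# The uploaded key must belong to the first certificate in the bundle: compare the public keys.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

make_pki
build_chain "$WORK/chain.pem"
cat "$WORK/int.pem" "$WORK/server.pem" > "$WORK/chain_wrong.pem"   # intermediate first: a common mistake
chain_order_ok "$WORK/chain.pem" && echo "chain.pem: order OK"
chain_verifies "$WORK/chain.pem" && echo "chain.pem: trust path OK"
key_matches_cert "$WORK/server.pem" "$WORK/server.key" && echo "server.key matches server.pem"
chain_order_ok "$WORK/chain_wrong.pem" || echo "chain_wrong.pem: order wrong (cert 1 was not issued by cert 2)"
```

Note that `openssl verify` passes the mis-ordered bundle just as happily as the correct one, which is why the explicit issuer/subject walk is included: a bundle that verifies but starts with the intermediate will still be rejected by the upload or, on a server that accepts it, presented to clients in an order many of them will not repair.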

Submitting Private Keys

If your private key submission returns an error, the most common reasons are your private key is malformed or the system does not recognize the encryption method used for your key.

Private key consistency

If you receive an error related to the private key, you can use OpenSSL to check its consistency:

openssl rsa -check -in <private_key>.pem

This command verifies that the key is intact, the passphrase is correct (it prompts for one if the key is encrypted), and the file contains a valid RSA private key. It only understands RSA keys; for an EC key use openssl ec -check, or use openssl pkey -check, which works for any key type.

Decrypting a private key

If the system does not recognize the encryption technology used for your private key, decrypt the key and upload the unencrypted version with your certificate bundle. You can use OpenSSL to decrypt a private key (it prompts for the current passphrase and writes the key without one; on OpenSSL 1.x the output begins with -----BEGIN RSA PRIVATE KEY-----, on OpenSSL 3.x with -----BEGIN PRIVATE KEY-----, and both are accepted PEM). The decrypted file is the unprotected secret: give it owner-only permissions, keep it only as long as the upload takes, and delete it afterwards:

openssl rsa -in <private_key>.pem -out <decrypted_private_key>.pem
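As an added example that is not part of the Oracle documentation, the script below turns the two troubleshooting steps above into checks you can run on any key before uploading it. It assumes `openssl` (1.1.1 or later) and uses a throwaway key and a placeholder passphrase generated in the script. It detects whether a key is passphrase-protected, runs the algorithm-agnostic `openssl pkey -check` so that a malformed file and a wrong passphrase both fail visibly, and writes the unencrypted PKCS#8 copy the upload needs with owner-only permissions.

```shell
#!/bin/sh
# Added example (not from the OCI documentation): triage a private key before uploading it.
# The key and passphrase are throwaway fixtures generated here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS='placeholder-passphrase'

make_fixtures() {
  # Unencrypted PKCS#8 key, the form the upload field expects.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/plain.pem" 2>/dev/null
  # The same key passphrase-protected, as a CA portal or key-management export often delivers it.
  openssl pkey -in "$WORK/plain.pem" -aes256 -passout "pass:$PASS" -out "$WORK/encrypted.pem"
  # A truncated copy, to see what "malformed" looks like to the check.
  head -c 400 "$WORK/plain.pem" > "$WORK/truncated.pem"
}

# 0 when the PEM key carries a passphrase (PKCS#8 header or the legacy OpenSSL "Proc-Type" marker).
key_is_encrypted() {
  grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Consistency check for any key type (openssl rsa -check only understands RSA keys).
# Non-zero for a malformed key or a wrong passphrase; the passphrase is ignored for unencrypted keys.
key_check() {
  openssl pkey -in "$1" -passin "pass:$2" -check -noout >/dev/null 2>&1
}

# Decrypt to unencrypted PKCS#8 (-----BEGIN PRIVATE KEY-----) with owner-only permissions.
# Create this file only for the upload and delete it afterwards: it is the unprotected secret.
decrypt_key() {
  ( umask 077; openssl pkey -in "$1" -passin "pass:$2" -out "$3" )
}

key_header() { head -n 1 "$1"; }

make_fixtures
for f in plain encrypted truncated; do
  if key_is_encrypted "$WORK/$f.pem"; then enc=yes; else enc=no; fi
  if key_check "$WORK/$f.pem" "$PASS"; then ok=yes; else ok=no; fi
  echo "$f.pem: encrypted=$enc consistent=$ok"
done
key_check "$WORK/encrypted.pem" "wrong passphrase" || echo "encrypted.pem: wrong passphrase rejected"
decrypt_key "$WORK/encrypted.pem" "$PASS" "$WORK/upload.pem"
echo "upload.pem: $(key_header "$WORK/upload.pem")"
```

The same `key_check` failing on `truncated.pem` and on `encrypted.pem` with the wrong passphrase is the point: both produce the generic "private key" error at upload time, and this is how you tell the two causes apart before retrying.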

Using the Console

To create a WAF certificate
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click Certificates.
  3. Click Create WAF Certificate.
  4. In the Create WAF Certificate dialog box, enter the following:
    • Name: A unique name for the certificate. Avoid entering confidential information.
    • SSL Certificate: Drag and drop, select, or paste a valid SSL certificate in PEM format. You must also include intermediate certificates (the website certificate must be first). The following is an example:

      -----BEGIN CERTIFICATE-----
      <Base64_encoded_certificate>
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      <Intermediate_Base64_encoded_certificate>
      -----END CERTIFICATE-----
    • Private Key: Drag and drop, select, or paste a valid private key in PEM format in this field. The private key cannot be protected by a passphrase. The following is an example:

      -----BEGIN PRIVATE KEY-----
      <Base64_encoded_private_key>
      -----END PRIVATE KEY-----
    • Self Signed Certificate: Enable this field when using a self-signed certificate. Browsers show an SSL warning for such a certificate because it is not issued by a CA they trust.
    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
  5. Click Create.
To delete a WAF certificate
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click Certificates.
  3. Select the check box for the certificate you want to delete.
  4. Click Delete.
  5. In the confirmation dialog box, click Delete.
To edit the name of a WAF certificate
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click Certificates.
  3. Click the name of the certificate you want to edit.
  4. Click Edit.
  5. In the Edit WAF Certificate dialog box, update the Name field. Avoid entering confidential information.
  6. Click Save Changes.
To manage tags for a WAF certificate
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click Certificates.
  3. Click the name of the WAF certificate you want to manage tags for. 
  4. Click the Tags tab to view or edit existing tags. Or click Add tag(s) to add new ones.

For more information, see Resource Tags.

To move a WAF certificate to a different compartment
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. In the List Scope section, select a compartment.
  3. Click Certificates.
  4. Find the WAF certificate in the list, click the Actions icon (three dots), and then click Move Resource.
  5. Choose the destination compartment from the list.
  6. Click Move Resource.
To add a certificate to a WAF policy
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click the name of the WAF Policy where you want to view certificate settings. The WAF Policy overview appears.
  3. Click Settings.
  4. Click General Settings.
  5. Click Edit.
  6. In the Edit Settings dialog box, enter the following:
    • Enable HTTPS Support: Select this check box to encrypt all communications between the browser and the WAF, which terminates TLS with the certificate and private key configured here.
      • Certificate Source: Choose one of the following methods:
        • Choose Certificate: Select an existing certificate from the drop down menu. Click Change Compartment to select a certificate from another compartment.
        • Upload or Paste Certificate and Private Key
          • Drag and drop, select, or paste a valid SSL certificate in PEM format. You must also include intermediate certificates (the website certificate must be first). The following is an example:

            -----BEGIN CERTIFICATE-----
            <Base64_encoded_certificate>
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            <Intermediate_Base64_encoded_certificate>
            -----END CERTIFICATE-----
          • Private Key: Drag and drop, select, or paste a valid private key in PEM format in this field. The private key cannot be protected by a passphrase. The following is an example:

            -----BEGIN PRIVATE KEY-----
            <Base64_encoded_private_key>
            -----END PRIVATE KEY-----
      • Self Signed Certificate: Enable this field when using a self-signed certificate. Browsers show an SSL warning for such a certificate because it is not issued by a CA they trust.
      • HTTP to HTTPS Redirect: When enabled, all HTTP traffic is automatically redirected to HTTPS.
      • TLS Protocols Support: Select a TLS protocol from the drop down list.
        Caution

        TLS versions 1.0 and 1.1 have been deprecated and cannot be used in policy configurations. If you select these versions, a validation error might occur. Use version 1.2 or 1.3 instead.
      • Enable SNI: Server Name Indication (SNI) is an extension of the TLS protocol, which allows multiple secure hostnames to be served from a single IP address.
      • Advanced Options
        • Enable Response Buffering: Enable or disable buffering of the response from the origin.
        • Cache Control Respected: Enable or disable automatic content caching based on the response cache-control header.
        • Behind CDN: Enable this to allow the collection of client IP addresses from the request headers when the WAF sits behind a CDN. Leave it disabled otherwise: if no CDN is in front of the WAF, those headers are supplied by the client and can carry any address the sender chooses.
  7. Click Save Changes.
To edit a certificate in a WAF policy
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click the name of the WAF Policy where you want to view certificate settings. The WAF Policy overview appears.
  3. Click Settings.
  4. Click General Settings.
  5. Click Edit.
  6. In the Edit Settings dialog box, make the necessary updates to the certificate.
  7. Click Save Changes.