Import a CA-Issued SSL Certificate to the Load Balancer

For production Oracle SOA Cloud Service environments, it is recommended that you use a CA-issued SSL certificate. A CA-issued SSL certificate reduces the chances of experiencing a man-in-the-middle attack.

There are multiple CA vendors in the marketplace today, each offering different levels of service at varying price points. Research and choose a CA vendor that meets your service-level and budget requirements.

For a CA vendor to issue you a CA-issued SSL certificate, you need to provide the following information:

  • Your custom domain name.

  • Public information associated with the domain confirming you as the owner.

  • Email address associated with the custom domain for verification.

Create a Certificate Signing Request (CSR) by using the Load Balancer Console and submit the CSR to the CA vendor. After receiving the CA-issued certificate, import it into the load balancer configuration:

  1. In the Oracle SOA Cloud Service Console, click the menu icon for the desired service instance and select Open Load Balancer Console. Log in to the console using the credentials defined when provisioning your service instance.

    If you created your service instance using the Oracle SOA Cloud Service console, the user name and password default to the Oracle WebLogic Server Administration Console user name and password.

    Access the load balancer configuration (opc-config) by following the steps below:
    1. Once logged in to the OTD console, click the Target Navigation icon.
    2. Expand the Traffic Director folder.
    3. Click the Load Balancer configuration (opc-config).
  2. Perform these steps to generate a CSR:
    1. Click Traffic Director Configuration and select Security > Manage Certificates.
    2. Click Generate Keypair.
    3. Enter an Alias for the new certificate.
    4. Set the Common Name to your custom domain name. For example, example.com.
    5. Complete the remaining fields and click OK.
    6. Select your new certificate and click Generate CSR.
  3. Save the generated CSR text, including the header line -----BEGIN NEW CERTIFICATE REQUEST----- and footer line -----END NEW CERTIFICATE REQUEST-----.

    For example:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIC9jCCAd4CAQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQwwCgYDVQQH
    EwNTQ0ExDzANBgNVBAoTBk9yYWNsZTEPMA0GA1UECxMGT3JhY2xlMRQwEgYDVQQD
    I+XY7ByYRma1XlM1cYoMUiKSnRHdllUZMRwYHu4AZvrEMIhKjB6YiC0F
    -----END NEW CERTIFICATE REQUEST-----
    

    The CSR includes the public key and other information that the CA vendor needs to verify the identity of the load balancer server.

  4. Submit the CSR to your CA vendor to request a new CA-issued SSL certificate.

    For more information about submitting the CSR, refer to your CA vendor documentation.

    Your CA vendor uses the CSR information to validate the domain and provides you with a valid SSL certificate, typically via email.

  5. Return to the Load Balancer Console for your service instance.
  6. Perform these steps to import the CA-issued certificate:
    1. Click Traffic Director Configuration and select Security > Manage Certificates.
    2. Click Import.
    3. Verify that Certificate Type is set to Certificate.
    4. Select the Alias of the certificate you generated earlier.
    5. You can paste the certificate text directly in the Paste Certificate String Here field, or click Choose File and select the certificate on your local file system. If you opt to paste the certificate text, be sure to include the headers BEGIN CERTIFICATE and END CERTIFICATE, including the beginning and ending hyphens.
    6. Click OK.
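
Steps 3 and 6 both depend on the pasted text keeping its exact header and footer lines and an undamaged body. The following added example (not part of the original Oracle documentation) checks that before import: correct label, matching BEGIN/END lines, valid base64, and a DER length that matches the decoded body. It checks structure only, not the CA signature or the key; the function names and the sample input are constructed for illustration.

```python
import base64
import binascii
import re

CSR_LABEL = "NEW CERTIFICATE REQUEST"  # header/footer of the CSR saved in step 3
CERT_LABEL = "CERTIFICATE"             # header/footer of the certificate pasted on import
_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)\n\s*-----END ([A-Z0-9 ]+)-----", re.S)


def der_declared_size(der):
    """Total size announced by the outer DER SEQUENCE header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short form: one length byte
        return 2 + der[1]
    count = der[1] & 0x7F                  # long form: `count` length bytes follow
    if count == 0 or len(der) < 2 + count:
        return None
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def check_pem(text, expected_label):
    """Return the problems found in pasted PEM text; an empty list means it looks intact."""
    match = _PEM_RE.search(text)
    if match is None:
        return ["no complete BEGIN/END block (each needs five hyphens on both sides)"]
    begin, body, end = match.groups()
    problems = []
    if begin != end:
        problems.append(f"BEGIN label {begin!r} does not match END label {end!r}")
    if begin != expected_label:
        problems.append(f"expected a {expected_label!r} block, found {begin!r}")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error:
        return problems + ["body is not valid base64 (truncated or altered)"]
    size = der_declared_size(der)
    if size is None:
        problems.append("decoded body is not a DER SEQUENCE")
    elif size != len(der):
        problems.append(f"DER header declares {size} bytes, body decodes to {len(der)}")
    return problems


def sample_pem(label):
    """Constructed placeholder: a DER SEQUENCE of 256 zero bytes, not a real certificate."""
    b64 = base64.b64encode(bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

Call check_pem(text, CERT_LABEL) on the certificate received from the CA and check_pem(text, CSR_LABEL) on the saved CSR; any returned message points to a copy or paste problem to fix before importing.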

For more information about managing load balancer certificates, see "Managing Certificates" in Administering Oracle Traffic Director (12.2.1.4 | 12.2.1.3 | 12.2.1.2).