If you want to use Web Application Firewall (WAF) to protect HTTPS requests that are destined for your website, you must upload correct and valid HTTPS certificates that are associated with your website domain in the WAF console. This ensures that the HTTPS requests are properly handled. This topic describes how to manually upload an HTTPS certificate or configure SSL Certificates Service to automatically upload an HTTPS certificate.

Prerequisites

Your website is added to the WAF console, and HTTPS is selected for Protocol Type. For more information, see Add domain names.

Background information

You can upload an HTTPS certificate by using one of the following methods:
  • Manual uploading: You must prepare the following files for your website before you upload the certificate:
    • The public key file in CRT format or the certificate file in PEM format
    • The private key file in KEY format
  • Automatic uploading by using SSL Certificates Service: If the certificate to be uploaded was issued by Alibaba Cloud SSL Certificates Service, you can select it from the list of issued certificates and upload it.

    SSL Certificates Service is a digital server certificate service provided by Alibaba Cloud. This service provides digital server certificates issued by certification authorities (CAs) both inside and outside China on the Alibaba Cloud platform. You can purchase the certificates you need on the Alibaba Cloud platform. Then, deploy these certificates in Alibaba Cloud products to convert your service from HTTP to HTTPS at minimal cost. This enables your websites to implement identity verification and data transmission encryption. For more information, see What is SSL Certificates Service?.

    Certificates can be issued in one of the following methods:

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Website Access page, find the target domain name and click the Upload icon next to HTTPS in the Protocol Status column.
    Note: HTTPS is displayed in the Protocol Status column only if you selected the HTTPS protocol type when you added the domain name.

    If the HTTPS state is Abnormal after the domain name is added, either no certificate has been uploaded or the uploaded certificate is invalid. For example, the certificate format is incorrect or the certificate does not match the target domain name. The HTTPS state changes to Normal after a valid certificate is uploaded to the WAF console.

  5. In the Upload Certificate or Update Certificate dialog box, specify Upload Type to upload an HTTPS certificate.
    Note: If a certificate has been uploaded, the Update Certificate dialog box is displayed. The Update Certificate and Upload Certificate dialog boxes have the same configuration items.
    • Manual Upload: Specify Certificate Name, copy the content in the certificate file to the Certificate File field, and copy the content in the private key file to the Private Key File field.
      Certificate File is described as follows:
      • If the certificate is in PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy its text content.
      • If the certificate is in another format, such as PFX or P7B, you must convert the certificate file format to PEM. Then, you can use a text editor to open the certificate file and copy its text content. For information about how to convert the format of a certificate file, see How to convert an HTTPS certificate to the PEM format.
      • If the target domain name is associated with multiple certificate files such as a certificate chain, you need to merge the text content in the certificate files and then copy the merged content to the Certificate File field.
    • Select Existing Certificate: Select the certificate to be uploaded from the Certificate drop-down list.

      The Certificate drop-down list is a collection of certificates that have been issued in SSL Certificates Service. You can select the certificate associated with the target domain name in this list. You can click Cloud Security - Certificates Service to go to the SSL Certificates Service console to manage certificates.

    • Purchase Certificate: Click Buy Now to go to the SSL Certificates page to purchase a certificate for the target domain name.
  6. Click Confirm.

Result

After a correct and valid certificate is uploaded, the HTTPS state is displayed as Normal.
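
The Abnormal state described in step 4 (incorrect format, certificate not matching the domain name) can be caught locally before anything is pasted into the Manual Upload fields. The script below is an added example, not part of the original topic or of any Alibaba Cloud tooling; the function names are hypothetical, and it assumes the `openssl` command-line tool is installed and the private key file is unencrypted.

```shell
#!/bin/sh
# Pre-upload checks for the Manual Upload fields. Function names are
# illustrative (hypothetical); requires the openssl command-line tool.

# merge_chain FILE...: print merged Certificate File content on stdout.
merge_chain() {
    # Private key material must never end up in the certificate field.
    if grep -q 'PRIVATE KEY' "$@" 2>/dev/null; then
        echo "refusing to merge: input contains a private key" >&2
        return 1
    fi
    # Join the files, drop CRs and blank lines so PEM blocks paste cleanly.
    for f in "$@"; do cat "$f"; echo; done | tr -d '\r' | grep -v '^[[:space:]]*$'
}

# check_cert_for_upload CERT KEY DOMAIN
# Returns 0 and prints OK, or a non-zero code naming the failed check.
# openssl x509 reads the first certificate in CERT, so for merged content
# the checks apply to whichever certificate comes first.
check_cert_for_upload() {
    cert=$1; key=$2; domain=$3
    # 1. Format: the file must parse as a PEM-encoded X.509 certificate.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 ||
        { echo "FAIL: not a PEM certificate"; return 1; }
    # 2. Validity: -checkend 0 exits non-zero if already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired"; return 2; }
    # 3. Domain: -checkhost reports the result in its output text.
    openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null |
        grep -q 'does match certificate' ||
        { echo "FAIL: certificate does not cover $domain"; return 3; }
    # 4. Key pair: the certificate and the key must share one public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; return 4
    fi
    echo "OK"
}

# Stand-alone use: sh check.sh cert.pem private.key www.example.com
if [ "$#" -eq 3 ]; then check_cert_for_upload "$@"; fi
```

Run `merge_chain` on the certificate files first when the domain has a certificate chain, then pass the merged file to `check_cert_for_upload` together with the private key and the domain name added in WAF.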