Modify the SSL certificate and TLS security policy of Anti-DDoS Proxy instances

Updated at:
Copy as MD

By default, Anti-DDoS Proxy returns its built-in SSL certificate to clients. If your service requires a specific certificate or a stricter TLS configuration — for compliance, internal PKI requirements, or client compatibility — upload a custom SSL certificate and configure a Transport Layer Security (TLS) security policy for your instance.

Limitations

This feature has the following restrictions:

  • Address type: Applies only to Anti-DDoS Proxy instances that use an IPv4 address.

  • Certificate algorithm: The SSL certificate must use internationally accepted algorithms.

  • Custom cipher suites: Available only on the Enhanced function plan.

TLS version support by instance type

TLS versionChinese Mainland — StandardChinese Mainland — EnhancedOutside Chinese Mainland — StandardOutside Chinese Mainland — Enhanced
DefaultTLS 1.0 and laterTLS 1.0 and laterTLS 1.1 and laterTLS 1.1 and later
Other supported versionsTLS 1.2 and laterTLS 1.1 and later; TLS 1.2 and later; TLS 1.3TLS 1.0 and later; TLS 1.2 and laterTLS 1.0 and later; TLS 1.2 and later; TLS 1.3

Prerequisites

Before you begin, ensure that you have:

  • Added a website to Anti-DDoS Proxy. For more information, see Add websites.

Modify the SSL certificate and TLS security policy

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance:

    • Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Provisioning > Website Config.

  4. In the upper-right corner of the page, click Default SSL/TLS Settings for Anti-DDoS.

  5. In the Default SSL/TLS Settings for Anti-DDoS panel, find the instance IP address and click Modify in the Actions column.

  6. In the Modify panel, configure the SSL certificate. Under SSL Certificate, choose one of the following options:

    • Select Existing Certificate (recommended): Select a certificate from the SSL Certificate drop-down list. This option is available if you have already uploaded a certificate to Certificate Management Service. For more information, see Upload an SSL certificate.

    • Upload: Provide the certificate content manually. Configure the following fields:

      FieldDescription
      Certificate NameA name to identify the certificate.
      Certificate FileThe certificate content in PEM format. If the file is in PEM, CER, or CRT format, open it in a text editor and paste the content here. If the file is in PFX, P7B, or another format, convert it to PEM first. If the file includes a certificate chain, concatenate all certificates in the chain before pasting.
      Private KeyThe content of the private key file.

      For certificate format conversion, see Convert the format of a certificate or How do I convert an HTTPS certificate to the PEM format?.

  7. Configure the TLS security policy.

    • TLS Version: Select the minimum TLS version based on your requirements. See the support table in Limitations for available versions by instance type.

    • Cipher Suites: Select a preset cipher suite group or define a custom selection. The following table shows the available options and their trade-offs:

      OptionSecurity levelCompatibilityRecommended for
      All cipher suites (default)LowHighServices that must support older clients or browsers
      Strong cipher suitesHighLowServices that restrict clients to modern TLS implementations
      Enhanced cipher suitesVery highVery lowServices with strict security or compliance requirements
      Custom Cipher SuiteConfigurableConfigurableEnhanced function plan only. Select one or more suites from the full list.
      • All cipher suites (default)

        All cipher suites (19 suites): ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, DES-CBC3-SHA

      • Strong cipher suites

        Strong cipher suites (10 suites): ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA

      • Enhanced cipher suites

        Enhanced cipher suites (4 suites): ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384

      • Custom Cipher Suite

        If you select this option, you must select one or more cipher suites from all cipher suites.

        Note

        Only Anti-DDoS Proxy instances that use the Enhanced function plan support Custom Cipher Suite.

    Important

    Configure TLS settings only after uploading an SSL certificate. Use the same TLS security policy as the domain name. For details, see Configure a custom TLS security policy.

  8. Click OK to save the configuration.

After saving, the Certificate Configuration Status column displays Custom Certificate. To revert to the default certificate and TLS settings, click Reset.

What's next