Modify the SSL certificate and TLS security policy of Anti-DDoS Proxy instances
By default, Anti-DDoS Proxy returns its built-in SSL certificate to clients. If your service requires a specific certificate or a stricter TLS configuration — for compliance, internal PKI requirements, or client compatibility — upload a custom SSL certificate and configure a Transport Layer Security (TLS) security policy for your instance.
Limitations
This feature has the following restrictions:
Address type: Applies only to Anti-DDoS Proxy instances that use an IPv4 address.
Certificate algorithm: The SSL certificate must use internationally accepted algorithms.
Custom cipher suites: Available only on the Enhanced function plan.
TLS version support by instance type
| TLS version | Chinese Mainland — Standard | Chinese Mainland — Enhanced | Outside Chinese Mainland — Standard | Outside Chinese Mainland — Enhanced |
|---|---|---|---|---|
| Default | TLS 1.0 and later | TLS 1.0 and later | TLS 1.1 and later | TLS 1.1 and later |
| Other supported versions | TLS 1.2 and later | TLS 1.1 and later; TLS 1.2 and later; TLS 1.3 | TLS 1.0 and later; TLS 1.2 and later | TLS 1.0 and later; TLS 1.2 and later; TLS 1.3 |
Prerequisites
Before you begin, ensure that you have:
Added a website to Anti-DDoS Proxy. For more information, see Add websites.
Modify the SSL certificate and TLS security policy
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance:
Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.
In the left-side navigation pane, choose Provisioning > Website Config.
In the upper-right corner of the page, click Default SSL/TLS Settings for Anti-DDoS.
In the Default SSL/TLS Settings for Anti-DDoS panel, find the instance IP address and click Modify in the Actions column.
In the Modify panel, configure the SSL certificate. Under SSL Certificate, choose one of the following options:
Select Existing Certificate (recommended): Select a certificate from the SSL Certificate drop-down list. This option is available if you have already uploaded a certificate to Certificate Management Service. For more information, see Upload an SSL certificate.
Upload: Provide the certificate content manually. Configure the following fields:
Field Description Certificate Name A name to identify the certificate. Certificate File The certificate content in PEM format. If the file is in PEM, CER, or CRT format, open it in a text editor and paste the content here. If the file is in PFX, P7B, or another format, convert it to PEM first. If the file includes a certificate chain, concatenate all certificates in the chain before pasting. Private Key The content of the private key file. For certificate format conversion, see Convert the format of a certificate or How do I convert an HTTPS certificate to the PEM format?.
Configure the TLS security policy.
TLS Version: Select the minimum TLS version based on your requirements. See the support table in Limitations for available versions by instance type.
Cipher Suites: Select a preset cipher suite group or define a custom selection. The following table shows the available options and their trade-offs:
Option Security level Compatibility Recommended for All cipher suites (default) Low High Services that must support older clients or browsers Strong cipher suites High Low Services that restrict clients to modern TLS implementations Enhanced cipher suites Very high Very low Services with strict security or compliance requirements Custom Cipher Suite Configurable Configurable Enhanced function plan only. Select one or more suites from the full list. - Note
Only Anti-DDoS Proxy instances that use the Enhanced function plan support Custom Cipher Suite.
ImportantConfigure TLS settings only after uploading an SSL certificate. Use the same TLS security policy as the domain name. For details, see Configure a custom TLS security policy.
Click OK to save the configuration.
After saving, the Certificate Configuration Status column displays Custom Certificate. To revert to the default certificate and TLS settings, click Reset.