If you add your website to Anti-DDoS Pro or Anti-DDoS Premium and select HTTPS for Protocol, you must upload an SSL certificate. This way, Anti-DDoS Pro or Anti-DDoS Premium can scrub HTTPS traffic. This topic describes how to upload an SSL certificate.

Prerequisites

  • A website that supports HTTPS is added to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.
  • The certificate file for the website is prepared.
    If you have uploaded the certificate file to the Certificate Management Service console, you can select the certificate when you upload a certificate in the Anti-DDoS Pro or Anti-DDoS Premium console. If you have not uploaded a certificate file, you must prepare the certificate and private key files of the website. The following files are required:
    • A PEM-encoded certificate authority (CA) certificate file that is in the PEM format or the CRT format
    • A PEM-encoded private key file that is in the KEY format
    Note If you want to upload an SM certificate, you must prepare a signing certificate file and its corresponding private key file as well as an encryption certificate file and its corresponding encryption private key file.

Scenarios

You must upload an SSL certificate in the following scenarios:
  • You select HTTPS for Protocol when you add a domain name to Anti-DDoS Pro or Anti-DDoS Premium.
  • You have already selected HTTPS for Protocol and uploaded a certificate for a domain name that is added to Anti-DDoS Pro or Anti-DDoS Premium, and you need to replace the uploaded certificate or update the certificate when it expires.
Note Anti-DDoS Pro supports certificates that use internationally accepted algorithms and SM certificates. Anti-DDoS Premium supports only certificates that use internationally accepted algorithms.

Procedure in the Anti-DDoS Pro console

If your website supports both certificates that use internationally accepted algorithms and SM certificates, you must upload certificates of the two types.

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select Mainland China.
  3. In the left-side navigation pane, choose Provisioning > Website Config.
  4. Upload a certificate that uses internationally accepted algorithms.
    1. On the Website Config page, find the domain name for which you want to upload a certificate, and click the icon to the right of HTTPS Certificate in the Certificate Status column.
    2. In the Upload SSL Certificate and Private Key dialog box, configure the Upload Method parameter and upload your certificate.
      • Select Existing Certificates (recommended)
        If you have uploaded a certificate to Certificate Management Service, you can select the certificate and upload it to Anti-DDoS Pro.

        If you have not uploaded a certificate to Certificate Management Service, you can click Go to the SSL Certificates console and upload your certificate. Then, you can select the certificate and upload it to Anti-DDoS Pro. For more information about how to upload certificates to Certificate Management Service, see Upload a certificate.

      • Manual Upload
        Specify Certificate Name, copy and paste the content of the CA certificate file to the Certificate File field, and then copy and paste the content of the private key file to the Private Key field.
        Note
        • If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy the file content. If the certificate file is in other formats, such as PFX and P7B, you must convert the file into the PEM format and then use a text editor to open the file and copy the file content. For information about how to convert the format of a certificate file, see How do I convert an HTTPS certificate to the PEM format?.
        • If the certificate file includes multiple certificates, such as a certificate chain, you must concatenate the content of these certificates and copy the concatenated content to the Certificate File field.
        Sample content in a CA certificate file
        -----BEGIN CERTIFICATE----- 
        xxxxxxxxxxxxvs6MTXcJSfN9Z7rZ9fmxWr2BFN2XbahgnsSXM48ixZJ4krc+1M+j2kcubVpsE2cgHdj4v8H6jUz9Ji4mr7vMNS6dXv8PUkl/qoDeNGCNdyTS5NIL5ir+g92cL8IGOkjgvhlqt9vc65Cgb4mL+n5+DV9uOyTZTW/MojmlgfUekC2xiXa54nxJf17Y1TADGSbyJbsC0Q9nIrHsPl8YKkvRWvIAqYxXZ7wRwWWmv4TMxFhWRiNY7yZIo2ZUhl02SIDNggIEeg==
        -----END CERTIFICATE-----
        Sample content in a private key file
        -----BEGIN RSA PRIVATE KEY-----
        xxxxxxxxxxxxtZ3UKHJTRgNQmioPQn2bqdKHop+B/dn/4VZL7Jt8zSDGM9sTMThLyvsmLQKBgQCr+ujntC1kN6pGBj2Fw2l/EA/W3rYEce2tyhjgmG7rZ+A/jVE9fld5sQra6ZdwBcQJaiygoIYoaMF2EjRwc0qwHaluq0C15f6ujSoHh2e+D5zdmkTg/3NKNjqNv6xA2gYpinVDzFdZ9Zujxvuh9o4Vqf0YF8bv5UK5G04RtKadOw==
        -----END RSA PRIVATE KEY-----
    3. Click OK.
  5. Upload an SM certificate.
    1. On the Website Config page, find the domain name for which you want to upload a certificate, and click the icon to the right of SM Certificate in the Certificate Status column.
    2. In the Upload SSL Certificate and Private Key dialog box, upload an SM certificate.
      • If you have uploaded a certificate to Certificate Management Service, you can select the certificate and upload it to Anti-DDoS Pro.

        If you have not uploaded a certificate to Certificate Management Service, you can go to the Certificate Management Service console and upload your certificate. Then, you can select the certificate and upload it to Anti-DDoS Pro. For more information about how to upload certificates to Certificate Management Service, see Upload a certificate.

      • If you have not purchased an SM certificate, you can click Apply Now to go to the Certificate Management Service console and purchase an SM certificate. Then, you can select the certificate and upload it to Anti-DDoS Pro. For more information about how to purchase a certificate, see Purchase an SSL certificate instance.
      Notice
      • After you upload the SM certificate, if you want Anti-DDoS Pro to protect requests from clients on which an SM certificate is installed, you must turn on Enable SM Certificate-based Verification in the TLS Security Settings dialog box. For more information, see Customize a TLS policy.
      • If clients do not support server name indication (SNI), Anti-DDoS Pro returns the default SM certificate, and the message "The server certificate cannot be trusted" is displayed.
    3. Click OK.
  6. Check the status of the certificate.
    After the certificate is uploaded, Normal is displayed in the Certificate Status column.
    If the certificate is updated, you must upload the updated certificate. To upload the updated certificate, log on to the Anti-DDoS Pro console, click Website Config, and then click the Edit icon next to the certificate to upload the updated certificate.
    Warning If the certificate is updated but is not uploaded in the Anti-DDoS Pro console, HTTPS traffic cannot be forwarded to the origin server.

Procedure in the Anti-DDoS Premium console

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select Outside Mainland China.
  3. In the left-side navigation pane, choose Provisioning > Website Config.
  4. On the Website Config page, find the domain name for which you want to upload a certificate, and click the icon in the Certificate Status column.
  5. In the Upload SSL Certificate and Private Key dialog box, configure the Upload Method parameter and upload your certificate.
    You can use one of the following methods to upload your certificate:
    • Select Existing Certificates (recommended)
      If you have uploaded a certificate to Certificate Management Service, you can select the certificate and upload it to Anti-DDoS Premium.

      If you have not uploaded a certificate to Certificate Management Service, you can click Go to the SSL Certificates console and upload your certificate. Then, you can select the certificate and upload it to Anti-DDoS Premium. For more information about how to upload certificates to Certificate Management Service, see Upload a certificate.

    • Manual Upload
      Specify Certificate Name, copy and paste the content of the CA certificate file to the Certificate File field, and then copy and paste the content of the private key file to the Private Key field.
      Note
      • If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy the file content. If the certificate file is in other formats, such as PFX and P7B, you must convert the file into the PEM format and then use a text editor to open the file and copy the file content. For information about how to convert the format of a certificate file, see How do I convert an HTTPS certificate to the PEM format?.
      • If the certificate file includes multiple certificates, such as a certificate chain, you must concatenate the content of these certificates and copy the concatenated content to the Certificate File field.
      Sample content in a CA certificate file
      -----BEGIN CERTIFICATE----- 
      xxxxxxxxxxxxvs6MTXcJSfN9Z7rZ9fmxWr2BFN2XbahgnsSXM48ixZJ4krc+1M+j2kcubVpsE2cgHdj4v8H6jUz9Ji4mr7vMNS6dXv8PUkl/qoDeNGCNdyTS5NIL5ir+g92cL8IGOkjgvhlqt9vc65Cgb4mL+n5+DV9uOyTZTW/MojmlgfUekC2xiXa54nxJf17Y1TADGSbyJbsC0Q9nIrHsPl8YKkvRWvIAqYxXZ7wRwWWmv4TMxFhWRiNY7yZIo2ZUhl02SIDNggIEeg==
      -----END CERTIFICATE-----
      Sample content in a private key file
      -----BEGIN RSA PRIVATE KEY-----
      xxxxxxxxxxxxtZ3UKHJTRgNQmioPQn2bqdKHop+B/dn/4VZL7Jt8zSDGM9sTMThLyvsmLQKBgQCr+ujntC1kN6pGBj2Fw2l/EA/W3rYEce2tyhjgmG7rZ+A/jVE9fld5sQra6ZdwBcQJaiygoIYoaMF2EjRwc0qwHaluq0C15f6ujSoHh2e+D5zdmkTg/3NKNjqNv6xA2gYpinVDzFdZ9Zujxvuh9o4Vqf0YF8bv5UK5G04RtKadOw==
      -----END RSA PRIVATE KEY-----
  6. Click OK.
    After the certificate is uploaded, Normal is displayed in the Certificate Status column.
    If the certificate is updated, you must upload the updated certificate. To upload the updated certificate, log on to the Anti-DDoS Premium console, click Website Config, and then click the Edit icon next to the certificate to upload the updated certificate.
    Warning If the certificate is updated but is not uploaded in the Anti-DDoS Premium console, HTTPS traffic cannot be forwarded to the origin server.
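
The Manual Upload notes in both procedures call for PEM content, a concatenated certificate chain, and a private key that belongs to the certificate. The shell functions below are an added example, not part of the original documentation: they use the openssl CLI to check those three points locally before anything is pasted into the console. All file names and the sample CA are constructed for illustration.

```shell
#!/bin/sh
# Added example: local checks before filling in the Certificate File and
# Private Key fields. Requires the openssl CLI; all file names are hypothetical.

# Exit 0 if private key $2 belongs to certificate $1, 1 on a mismatch,
# 2 if either file cannot be parsed (not PEM, encrypted key, wrong file).
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Print the given files (server certificate first, then intermediates) as one
# PEM bundle. openssl re-encodes each block, so a file without a trailing
# newline cannot fuse its END line with the next BEGIN line.
build_chain() {
  for f in "$@"; do
    openssl x509 -in "$f" 2>/dev/null || return 2
  done
}

# Exit 0 if every certificate names the next one as its issuer. This compares
# names only; it does not verify signatures.
chain_in_order() {
  while [ "$#" -gt 1 ]; do
    issuer=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    subject=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 2
    [ "$issuer" = "$subject" ] || return 1
    shift
  done
}

# Constructed sample material written into directory $1: a throwaway CA, a
# server certificate signed by it, and an unrelated private key.
make_sample() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null || return 2
  openssl x509 -req -in "$d/site.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/site.pem" 2>/dev/null || return 2
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}
```

Run make_sample against an empty scratch directory to try the checks without touching a production key. The output of build_chain is the text that goes into the Certificate File field.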

FAQ

How do I handle the mismatch between a certificate and its private key?