Anti-DDoS:Update the SSL certificate of a website added to Anti-DDoS Proxy

Usage notes

• Anti-DDoS Proxy (Chinese Mainland)

  • Supports certificates that use internationally accepted algorithms and ShangMi (SM) certificates (only the SM2 algorithm is supported).

    Note

    Anti-DDoS Proxy (Chinese Mainland) has been verified to process SM requests from 360 browser and Haitai browser.

  • If your website supports both certificates that use internationally accepted algorithms and SM certificates, you must upload certificates of both types.

  • If clients do not support server name indication (SNI), Anti-DDoS Proxy (Chinese Mainland) returns the default SM certificate, and the client displays the message "The server certificate cannot be trusted."

• Anti-DDoS Proxy (Outside Chinese Mainland)

  Supports only certificates that use internationally accepted algorithms.

Update an SSL certificate

1. Log on to the Website Config page in the Anti-DDoS Proxy console.

2. In the top navigation bar, select the region of your instance.

   • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

   • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

3. On the Website Config page, find the domain name that you want to manage and click Edit in the Actions column.

4. Update the certificate that uses internationally accepted algorithms.

   On the Modify Website Configurations tab, click Modify next to the certificate.

   • Upload: Specify Certificate Name, then paste the certificate file content to the Certificate File field, and the private key file content to the Private Key field.

     Note

     • If the certificate file is in PEM, CER, or CRT format, open it in a text editor and copy the content. For other formats like PFX or P7B, convert the file to PEM format first, then copy the content. For information about how to convert the format of a certificate file, see Convert the format of a certificate or How do I convert an SSL certificate to the PEM format?

     • If the file includes multiple certificates (like a certificate chain), concatenate their contents and paste the combined content into the Certificate File field.

   • Select Existing Certificate: If you have applied for a certificate from Certificate Management Service (Original SSL Certificate) or have uploaded a certificate to Certificate Management Service, you can directly select the certificate.

5. Update the SM certificate.

   On the Modify Website Configurations tab, configure the certificate in the SM Certificate section.

   • Allow Access Only from SM Certificate-based Clients: This switch is turned off by default.

     • On: Only processes requests from clients with an installed SM certificate. 

       Note

       When enabled, TLS suite, mutual authentication, and OCSP stapling configurations for certificates using internationally accepted algorithms will not apply.

     • Off: Processes requests from clients with an installed SM certificate and those with a certificate using internationally accepted algorithms.

   • SM Certificate: You must upload an SM certificate to Certificate Management Service before selecting it.

   • SM Cipher Suites for HTTPS Support: The following cipher suites are enabled by default and cannot be modified.

     • ECC-SM2-SM4-CBC-SM3

     • ECC-SM2-SM4-GCM-SM3

     • ECDHE-SM2-SM4-CBC-SM3

     • ECDHE-SM2-SM4-GCM-SM3

6. Click Next and follow the instructions to complete the modification.

FAQ

• How do I handle the mismatch between a certificate and its private key?

• How does Anti-DDoS Proxy ensure the security of an uploaded certificate and its private key? Does Anti-DDoS Proxy decrypt HTTPS traffic and record the content of HTTPS requests?