Managing SSL Certificates
This topic is part of the setup and maintenance of a load balancer. For more information about managing load balancers, see Managing a Load Balancer.
Warning
Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.
Required IAM Policy
To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. (A policy is an IAM document that specifies who has what type of access to your resources. The term is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document, which has an Oracle Cloud ID (OCID) assigned to it; and to mean the overall body of policies your organization uses to control access to resources.) If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in. (A compartment is a collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization.)
For administrators: For a typical policy that gives access to load balancers and their components, see Let network admins manage load balancers.
Also, be aware that a policy statement with inspect load-balancers gives the specified group the ability to see all information about the load balancers. For more information, see Details for Load Balancing.
If you're new to policies, see Getting Started with Policies and Common Policies.
Working with SSL Certificates
To use SSL with your load balancer, you must add one or more certificate bundles to your system. The certificate bundle you upload includes the public certificate, the corresponding private key, and any associated Certificate Authority (CA) certificates. For the easiest workflow, upload the certificate bundles you want to use before you create the listeners or backend sets you want to associate them with.
Load balancers commonly use single domain certificates. However, load balancers with listeners that include request routing configuration might require a subject alternative name (SAN) certificate (also called multi-domain certificate) or a wildcard certificate. The Load Balancing service supports each of these certificate types.
- The Load Balancing service does not generate SSL certificates. It can only import an existing certificate that you already own. The certificate can be one issued by a vendor, such as Verisign or GoDaddy. You can also use a self-signed certificate that you generate with an open source tool, such as OpenSSL or Let's Encrypt. Refer to the corresponding tool's documentation for instructions on how to generate a self-signed certificate.
- If you submit a self-signed certificate for backend SSL, you must submit the same certificate in the corresponding CA Certificate field.
Oracle Cloud Infrastructure accepts X.509 certificates in PEM format only. The following is an example of a PEM-encoded certificate:
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
Converting to PEM format
If you receive your certificates and keys in formats other than PEM, you must convert them before you can upload them to the system. You can use OpenSSL to convert certificates and keys to PEM format. The following example commands provide guidance.
Certificate or certificate chain from DER to PEM
openssl x509 -inform DER -in <certificate_name>.der -outform PEM -out <certificate_name>.pem
Private key from DER to PEM
openssl rsa -inform DER -in <private_key_name>.der -outform PEM -out <private_key_name>.pem
Certificate bundle from PKCS#12 (PFX) to PEM
openssl pkcs12 -in <certificate_bundle_name>.p12 -out <certificate_bundle_name>.pem -nodes
Certificate bundle from PKCS#7 to PEM
openssl pkcs7 -in <certificate_bundle_name>.p7b -print_certs -out <certificate_bundle_name>.pem
Uploading Certificate Chains
If you have multiple certificates that form a single certification chain, you must include all relevant certificates in one file before you upload them to the system. The following example of a certificate chain file includes four certificates:
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
Submitting Private Keys
Tip
Oracle recommends a minimum length of 2048 bits for your RSA private key.
If your private key submission returns an error, the three most common reasons are:
- You provided an incorrect passphrase.
- Your private key is malformed.
- The system does not recognize the encryption method used for your key.
Private key consistency
If you receive an error related to the private key, you can use OpenSSL to check its consistency:
openssl rsa -check -in <private_key>.pem
This command verifies that the key is intact, the passphrase is correct, and the file contains a valid RSA private key.
Decrypting a private key
If the system does not recognize the encryption technology used for your private key, decrypt the key. Upload the unencrypted version of the key with your certificate bundle. You can use OpenSSL to decrypt a private key:
openssl rsa -in <private_key>.pem -out <decrypted_private_key>.pem
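A pre-upload check for the chain file described under Uploading Certificate Chains and for the 2048-bit key recommendation above, written here as an added example and not Oracle's tooling: it splits a PEM file into blocks, rejects truncated DER, flags non-certificate blocks (such as a private key pasted into the certificate field), and reads the modulus size out of an unencrypted PKCS#1 "RSA PRIVATE KEY" block, which it assumes as the key layout. SAMPLE_CERT and SAMPLE_KEY are constructed placeholders, not real credentials.

```python
import base64
import re

# One PEM block whose footer label matches its header. An OpenSSL-encrypted legacy
# key has extra "Proc-Type" header lines this pattern rejects: decrypt it first.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n([A-Za-z0-9+/=\n]+)-----END \1-----")

def der_length(buf, i):
    """Decode the DER length octets at buf[i]; return (length, content_index)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_pem(text):
    """Split a PEM file into (label, der) pairs, rejecting truncated or padded DER."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # The outer SEQUENCE's header plus its declared length must span the whole block.
        if len(der) < 2 or der[0] != 0x30 or sum(der_length(der, 1)) != len(der):
            raise ValueError(f"{label}: not a complete DER SEQUENCE (truncated or corrupt)")
        blocks.append((label, der))
    return blocks

def check_chain_file(text):
    """Findings for a file meant for the SSL Certificate or CA Certificate field."""
    labels = [label for label, _ in parse_pem(text)]
    problems = []
    if not labels:
        problems.append("no PEM blocks found (convert DER or PKCS#12 input first)")
    others = sorted({lab for lab in labels if lab != "CERTIFICATE"})
    if others:  # a private key pasted into the certificate field is the classic slip
        problems.append("non-certificate block present: " + ", ".join(others))
    return {"certificates": labels.count("CERTIFICATE"), "problems": problems}

def rsa_modulus_bits(text):
    """Modulus size of an unencrypted PKCS#1 key: SEQUENCE { version, modulus, ... }."""
    [(_, der)] = [b for b in parse_pem(text) if b[0] == "RSA PRIVATE KEY"]
    i = der_length(der, 1)[1]            # step into the outer SEQUENCE
    vlen, i = der_length(der, i + 1)     # version INTEGER, skipped
    if der[i + vlen] != 0x02:
        raise ValueError("modulus INTEGER not found")
    mlen, i = der_length(der, i + vlen + 1)
    return int.from_bytes(der[i:i + mlen], "big").bit_length()

# Constructed placeholders, not real credentials: a 5-byte DER SEQUENCE stands in
# for a certificate; the "key" holds only a version and a 2048-bit modulus.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
_KEY_DER = bytes.fromhex("30820108 020100 02820101") + b"\x00\x80" + b"\x00" * 255
SAMPLE_KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{base64.b64encode(_KEY_DER).decode()}\n-----END RSA PRIVATE KEY-----\n"
```

On a real chain file, expect check_chain_file to report as many certificates as the chain has members and an empty problems list; a key that is encrypted or in PKCS#8 form is filtered out by rsa_modulus_bits rather than measured.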
Updating an Expiring Certificate
To ensure consistent service, you must update (rotate) expiring certificates:
- Update your client or backend server to work with a new certificate bundle.
  Note
  The steps to update your client or backend server are unique to your system.
- Upload the new SSL certificate bundle to the load balancer:
  - Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.
  - Click the name of the Compartment that contains the load balancer you want to modify, and then click the load balancer's name.
  - Click the load balancer you want to configure.
  - In the Resources menu, click Certificates, and then click Add Certificate.
  - In the Add Certificate dialog box, enter the following:
    - Certificate Name: Required. Specify a friendly name for the certificate bundle. It must be unique within the load balancer, and it cannot be changed in the Console. (It can be changed using the API.) Avoid entering confidential information.
    - Choose SSL Certificate File: Required. Drag and drop the certificate file, in PEM format, into the SSL Certificate field. Alternatively, you can choose the Paste SSL Certificate option to paste a certificate directly into this field.
      Important
      If you submit a self-signed certificate for backend SSL, you must submit the same certificate in the corresponding CA Certificate field.
    - Specify CA Certificate: Optional. (Recommended for backend SSL termination configurations.) Select (check) this box if you want to provide a CA certificate.
      - Choose CA Certificate File: Drag and drop the CA certificate file, in PEM format, into the CA Certificate field. Alternatively, you can choose the Paste CA Certificate option to paste a certificate directly into this field.
    - Specify Private Key: Optional. (Required for SSL termination.) Select (check) this box if you want to provide a private key for the certificate.
      - Choose Private Key File: Drag and drop the private key, in PEM format, into the Private Key field. Alternatively, you can choose the Paste Private Key option to paste a private key directly into this field.
      - Enter Private Key Passphrase: Optional. Specify the private key passphrase.
  - Click Add Certificate.
- Edit listeners or backend sets (as needed) so they use the new certificate bundle.
  Editing a listener:
  - Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.
  - Choose the Compartment that contains the load balancer you want to modify, and then click the load balancer's name.
  - In the Resources menu, click Listeners.
  - For the listener you want to edit, click the Actions icon (three dots), and then click Edit Listener.
  - In the Certificate Name drop-down list, choose the new certificate bundle.
  - Click Submit.
  Editing a backend set:
  Warning
  Updating the backend set temporarily interrupts traffic and can drop active connections.
  - Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.
  - Click the name of the Compartment that contains the load balancer you want to modify, and then click the load balancer's name.
  - In the Resources menu, click Backend Sets, and then click the name of the backend set you want to edit.
  - Click Edit Backend Set.
  - In the Edit Backend Set dialog box, select (check) Use SSL.
  - In the Certificate Name drop-down list, choose the new certificate bundle.
  - Click Save Changes.
- (Optional) Remove the expiring SSL certificate bundle.
  Important
  You cannot delete an SSL certificate bundle that is associated with a listener or backend set. Remove the bundle from any additional listeners or backend sets before deleting.
  - Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.
  - Click the name of the Compartment that contains the load balancer you want to modify, and then click the load balancer's name.
  - Click the load balancer you want to configure.
  - In the Resources menu, click Certificates.
  - For the certificate you want to delete, click the Actions icon (three dots), and then click Delete.
  - Confirm when prompted.
Configuring SSL Handling
With Oracle Cloud Infrastructure Load Balancing, you can:
- Terminate SSL at the load balancer. This configuration is frontend SSL. Your load balancer can accept encrypted traffic from a client. There is no encryption of traffic between the load balancer and the backend servers.
- Implement SSL between the load balancer and your backend servers. This configuration is backend SSL. Your load balancer does not accept encrypted traffic from client servers. Traffic between the load balancer and the backend servers is encrypted.
- Implement end to end SSL. Your load balancer can accept SSL encrypted traffic from clients and encrypts traffic to the backend servers.
Terminating SSL at the Load Balancer
To terminate SSL at the load balancer, you must create a listener at a port such as 443, and then associate an uploaded certificate bundle with the listener.
Implementing Backend SSL
To implement SSL between the load balancer and your backend servers, you must associate an uploaded certificate bundle with the backend set.
- If you want to have more than one backend server in the backend set, sign your backend servers' certificates with an intermediate CA certificate. The intermediate CA certificate must be included as part of the certificate bundle.
- Your backend services must be able to accept and terminate SSL.
Implementing End to End SSL
To implement end to end SSL, you must associate uploaded certificate bundles with both the listener and the backend set.
Using the Console
To add a certificate bundle:
- Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.
- Click the name of the Compartment that contains the load balancer you want to modify, and then click the load balancer's name.
- Click the load balancer you want to configure.
- In the Resources menu, click Certificates, and then click Add Certificate.
- In the Add Certificate dialog box, enter the following:
  - Certificate Name: Required. Specify a friendly name for the certificate bundle. It must be unique within the load balancer, and it cannot be changed in the Console. (It can be changed using the API.) Avoid entering confidential information.
  - Choose SSL Certificate File: Required. Drag and drop the certificate file, in PEM format, into the SSL Certificate field. Alternatively, you can choose the Paste SSL Certificate option to paste a certificate directly into this field.
    Important
    If you submit a self-signed certificate for backend SSL, you must submit the same certificate in the corresponding CA Certificate field.
  - Specify CA Certificate: Optional. (Recommended for backend SSL termination configurations.) Select (check) this box if you want to provide a CA certificate.
    - Choose CA Certificate File: Drag and drop the CA certificate file, in PEM format, into the CA Certificate field. Alternatively, you can choose the Paste CA Certificate option to paste a certificate directly into this field.
  - Specify Private Key: Optional. (Required for SSL termination.) Select (check) this box if you want to provide a private key for the certificate.
    - Choose Private Key File: Drag and drop the private key, in PEM format, into the Private Key field. Alternatively, you can choose the Paste Private Key option to paste a private key directly into this field.
    - Enter Private Key Passphrase: Optional. Specify the private key passphrase.
- Click Add Certificate.
To delete a certificate bundle:
Important
You cannot delete an SSL certificate bundle that is associated with a listener or backend set. Remove the bundle from any listeners or backend sets before deleting.
- Open the navigation menu. Under the Core Infrastructure group, go to Networking and click Load Balancers.
- Click the name of the Compartment that contains the load balancer you want to modify, and then click the load balancer's name.
- Click the load balancer you want to configure.
- In the Resources menu, click Certificates.
- For the certificate you want to delete, click the Actions icon (three dots), and then click Delete.
- Confirm when prompted.
Using the API
For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.
Use these API operations to manage load balancer certificates:
Copyright © , Oracle and/or its affiliates. All rights reserved.