Certificates for Web Application Firewall

Describes how certificates are added and managed with the web application firewall policy.

To use SSL with your WAF policy, you must add a certificate bundle. The certificate bundle you upload includes the public certificate and the corresponding private key. Self-signed certificates can be used for the internal communication within Oracle Cloud Infrastructure.

Oracle Cloud Infrastructure accepts third-party and self-signed certificates in PEM format only. The following is an example PEM encoded certificate:

-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----

Obtaining Third-Party SSL Certificates

You can purchase an SSL certificate from a trusted Certificate Authority such as Symantec, Thawte, RapidSSL, or GeoTrust. The certificate issuer provides an SSL certificate that includes a certificate, intermediate certificate, and private key. Use this information, including the intermediate certificate, when adding an SSL certificate to Oracle Cloud Infrastructure.

Converting to PEM Format

If you receive your certificates and keys in formats other than PEM, you must convert them before you can upload them to the system. You can use OpenSSL to convert certificates and keys to PEM format.

Uploading Certificate Chains

If you have multiple certificates that form a single certification chain, you must include all relevant certificates in one file before you upload them to the system. The following example of a certificate chain file includes four certificates:

-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----

Submitting Private Keys

If your private key submission returns an error, the most common reasons are that the private key is malformed or that the system does not recognize the encryption method used to protect the key.

Private Key Consistency

If you receive an error related to the private key, you can use OpenSSL to check its consistency:

openssl rsa -check -in <private_key>.pem

This command verifies that the key is intact, the passphrase is correct, and the file contains a valid RSA private key.

Decrypting a Private Key

If the system does not recognize the encryption technology used for your private key, decrypt the key and upload the unencrypted version with your certificate bundle. You can use OpenSSL to decrypt a private key; OpenSSL prompts for the passphrase and writes the key to the output file in the clear, so restrict that file's permissions and remove it once the bundle is uploaded:

openssl rsa -in <private_key>.pem -out <decrypted_private_key>.pem

Supported SSL Cipher Suites

The following SSL cipher suites are supported:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-CCM8
ECDHE-ECDSA-AES256-CCM
ECDHE-ECDSA-AES128-CCM8
ECDHE-ECDSA-AES128-CCM
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-CCM8
DHE-RSA-AES256-CCM
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-CCM8
DHE-RSA-AES128-CCM
DHE-DSS-AES256-GCM-SHA384
DHE-DSS-AES128-GCM-SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256

Limitations

Consider the following limitations when adding SSL certificates:
  • Each line of the Base64-encoded body except the last must contain exactly 64 printable characters. The final line must contain 64 or fewer printable characters. A text editor might save the file with a different number of characters per line.
  • To check the number of characters per line, use the following command: awk '{ print length }' filename.pem
  • You can't add an SSL certificate for another domain. Only one certificate per WAF policy is supported for the main domain. If you want to apply an SSL certificate for an extra domain, you need to create a separate WAF policy for it.
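The following script is an added example, not part of this page or of any Oracle Cloud Infrastructure tooling. It checks a PEM bundle locally, before upload, against the constraints described above: that every BEGIN marker is closed by a matching END marker, that each body line except the last is exactly 64 characters (the awk check from the Limitations list, applied per block), that each block decodes as Base64 to DER, and that the private key is not passphrase-protected (the case the Submitting Private Keys and Decrypting a Private Key sections describe). The sample bundles are constructed: the payload is a dummy ASN.1 SEQUENCE, not a real certificate or key, and the DEK-Info value is a placeholder.

```python
"""Lint a PEM certificate bundle against the upload constraints on this page.
Added example; the checks mirror the page's stated rules, not any official validator."""
import base64
import re

# Constructed payload (not a real certificate or key): an ASN.1 SEQUENCE header
# followed by 256 zero bytes, enough to produce several 64-character lines.
FAKE_DER = b"\x30\x82\x01\x00" + b"\x00" * 256

BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P<end>[A-Z0-9 ]+)-----",
    re.S,
)


def wrap_b64(der, width=64):
    """Base64-encode DER bytes and split them into lines of `width` characters."""
    b64 = base64.b64encode(der).decode("ascii")
    return [b64[i:i + width] for i in range(0, len(b64), width)]


def pem_block(label, der, width=64):
    """Render one PEM block; width 64 matches the limitation the page states."""
    body = "\n".join(wrap_b64(der, width))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def lint_bundle(text):
    """Return counts and findings for a bundle of certificates plus a private key."""
    findings = []
    certs = keys = 0
    encrypted = False
    for m in BLOCK_RE.finditer(text):
        label, end = m.group("label"), m.group("end")
        if label != end:
            findings.append("BEGIN %s is closed by END %s" % (label, end))
            continue
        body = m.group("body").splitlines()
        # Legacy PEM headers ("Proc-Type: 4,ENCRYPTED", "DEK-Info: ...") contain a
        # colon, which never occurs in Base64, so they separate cleanly from data.
        headers = [ln for ln in body if ":" in ln]
        data = [ln for ln in body if ":" not in ln and ln.strip()]
        block_encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
        encrypted = encrypted or block_encrypted
        last = len(data) - 1
        for i, ln in enumerate(data):
            if i < last and len(ln) != 64:
                findings.append("%s line %d: %d characters, expected 64" % (label, i + 1, len(ln)))
            elif i == last and len(ln) > 64:
                findings.append("%s last line: %d characters, expected 64 or fewer" % (label, len(ln)))
        try:
            der = base64.b64decode("".join(data), validate=True)
        except ValueError:
            findings.append("%s: body is not valid Base64" % label)
            continue
        # An unencrypted certificate or key is a DER SEQUENCE, whose first byte is 0x30.
        if not block_encrypted and (not der or der[0] != 0x30):
            findings.append("%s: decoded bytes do not start with a DER SEQUENCE" % label)
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
    if encrypted:
        findings.append("private key is encrypted; upload a decrypted key instead")
    return {"certificates": certs, "private_keys": keys,
            "encrypted_key": encrypted, "findings": findings}


# Constructed sample bundles.
# A three-certificate chain followed by its key, wrapped at 64 columns.
GOOD_BUNDLE = pem_block("CERTIFICATE", FAKE_DER) * 3 + pem_block("RSA PRIVATE KEY", FAKE_DER)
# The same certificate re-wrapped at 76 columns, as a text editor might save it.
BAD_WRAP_BUNDLE = pem_block("CERTIFICATE", FAKE_DER, width=76)
# A passphrase-protected key in legacy PEM form; the DEK-Info IV is a placeholder.
ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n"
    "\n" + "\n".join(wrap_b64(FAKE_DER)) + "\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, bundle in [("good", GOOD_BUNDLE), ("bad-wrap", BAD_WRAP_BUNDLE),
                         ("encrypted", ENCRYPTED_KEY)]:
        print(name, lint_bundle(bundle))
```

Running the script reports no findings for the 64-column bundle, one finding per over-long line for the 76-column certificate, and an "encrypted" finding for the legacy key; on a real bundle, feed the file contents to lint_bundle and resolve every finding before uploading.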