Oracle Cloud Infrastructure Documentation

Settings

To use SSL with your WAF policy, you must add a certificate bundle. The certificate bundle you upload includes the public certificate and the corresponding private key. Self-signed certificates can be used for internal communication within Oracle Cloud Infrastructure.

Working with SSL Certificates

Oracle Cloud Infrastructure accepts third-party and self-signed certificates in PEM format only. The following is an example of a PEM-encoded certificate:

-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----

Obtaining Third-Party SSL Certificates

You can purchase an SSL certificate from a trusted Certificate Authority such as Symantec, Thawte, RapidSSL, or GeoTrust. The certificate issuer will provide an SSL certificate that includes a certificate, intermediate certificate, and private key. Use this information, including the intermediate certificate, when adding an SSL certificate to Oracle Cloud Infrastructure.

Converting to PEM format

If you receive your certificates and keys in formats other than PEM, you must convert them before you can upload them to the system. You can use OpenSSL to convert certificates and keys to PEM format.

Uploading Certificate Chains

If you have multiple certificates that form a single certification chain, you must include all relevant certificates in one file before you upload them to the system. The following example of a certificate chain file includes four certificates:

-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64_encoded_certificate>
-----END CERTIFICATE-----

Submitting Private Keys

If your private key submission returns an error, the most common reasons are that your private key is malformed or that the system does not recognize the encryption method used for your key.

Private key consistency

If you receive an error related to the private key, you can use OpenSSL to check its consistency:

openssl rsa -check -in <private_key>.pem

This command verifies that the key is intact, the passphrase is correct, and the file contains a valid RSA private key.

Decrypting a private key

If the system does not recognize the encryption technology used for your private key, decrypt the key. Upload the unencrypted version of the key with your certificate bundle. You can use OpenSSL to decrypt a private key:

openssl rsa -in <private_key>.pem -out <decrypted_private_key>.pem

Using the Console

To edit WAF settings

  1. Open the navigation menu. Under Solutions, Platform and Edge, go to Edge Services and click WAF Policies.
  2. Click the name of the WAF Policy you want to view settings for. The WAF Policy overview appears.
  3. Click Settings.
  4. Click Edit.
  5. In the Edit Settings dialog box, enter the following:
    • WAF Origin: Select the name and IP address of the origin.
    • Enable HTTPS Support: When enabled, all communications between the browser and web app are encrypted. Enter the following information:
      • SSL Certificate: Drag and drop, select, or paste a valid SSL certificate in PEM format. You must also include intermediate certificates (the website certificate must be first). The following is an example:
        -----BEGIN CERTIFICATE-----
        <Base64_encoded_certificate>
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        <Intermediate_Base64_encoded_certificate>
        -----END CERTIFICATE-----
      • Private Key: Drag and drop, select, or paste a valid private key in PEM format in this field. The private key cannot be protected by a passphrase. The following is an example:
        -----BEGIN PRIVATE KEY-----
        <Base64_encoded_private_key>
        -----END PRIVATE KEY-----
      • Self Signed Certificate: Enable this field when using a self-signed certificate to show an SSL warning in the browser.
      • HTTP to HTTPS Redirect: When enabled, all HTTP traffic is automatically redirected to HTTPS.
  6. Click Save.
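
The following is an added example, not part of Oracle's documentation or tooling: a local pre-upload check in Python that applies the rules above to the text destined for the SSL Certificate and Private Key fields (PEM blocks only, only certificates in the certificate field, exactly one key that is not passphrase-protected). It inspects the PEM armor only and does not parse X.509 or confirm that the key matches the certificate; the function names and the sample blocks are constructed for illustration.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, headers, der)] per PEM block; ValueError on bad base64."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines()]
        # Legacy encrypted keys put "Name: value" headers before the base64.
        headers = [ln for ln in lines if ":" in ln]
        try:
            der = base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: body is not valid base64") from exc
        blocks.append((label, headers, der))
    return blocks

def check_certificate_field(text):
    """Problems with text destined for the SSL Certificate field."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM block found; convert the file to PEM first"]
    return [f"unexpected block in certificate field: {label}"
            for label, _, _ in blocks if label != "CERTIFICATE"]

def check_private_key_field(text):
    """Problems with text destined for the Private Key field."""
    blocks = pem_blocks(text)
    if len(blocks) != 1:
        return [f"expected exactly one key block, found {len(blocks)}"]
    label, headers, _ = blocks[0]
    if not label.endswith("PRIVATE KEY"):
        return [f"not a private key block: {label}"]
    legacy = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
    if label == "ENCRYPTED PRIVATE KEY" or legacy:
        return ["key is passphrase-protected; decrypt it before upload"]
    return []

def _pem(label, headers=""):
    """Constructed sample block: dummy payload, not a real certificate or key."""
    body = base64.b64encode(b"constructed sample payload").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

CHAIN = _pem("CERTIFICATE") + _pem("CERTIFICATE")  # leaf first, then intermediate
PLAIN_KEY = _pem("PRIVATE KEY")
PKCS8_ENC = _pem("ENCRYPTED PRIVATE KEY")
LEGACY_ENC = _pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
```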

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.