SSL Certificate Manager Best Practices Issue 02 Date 2020-03-30 HUAWEI TECHNOLOGIES CO., LTD.

SSL Certificate Manager

Best Practices

Issue 02

Date 2020-03-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

Huawei and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 02 (2020-03-30) Copyright © Huawei Technologies Co., Ltd. i


Contents

1 Pushing Certificates to WAF
1.1 Scenario
1.2 Applying for and Pushing a Certificate
1.3 Adding a Protected Domain Name or Updating a Certificate

A Change history

SSL Certificate Manager Best Practices: Contents


1 Pushing Certificates to WAF

1.1 Scenario

This document provides guidance for implementing HTTPS on websites, monitoring HTTPS service traffic, identifying and blocking attacks such as SQL injection and CC (HTTP flood) attacks, and protecting web services.

Assume that you have a website with the domain name www.example.com, and that you need to apply for an SSL certificate and use the purchased WAF to monitor HTTPS service traffic. This document describes how to apply for a certificate and enable WAF to monitor HTTPS service traffic in this scenario.

Working Principles of an SSL Certificate

An SSL certificate binds a domain name to the public key of the web server. When a browser or other client connects, the server presents the certificate, the client verifies it against a trusted CA chain and against the domain name it requested, and the two sides then establish an encrypted channel. HTTPS is enabled by configuring and applying the SSL certificate on the server that terminates the connection (in this scenario, WAF), which protects data in transit over the Internet against eavesdropping and tampering.

Figure 1-1 Working principles of an SSL certificate

WAF Configuration Principles

WAF is designed to keep web applications stable and secure. It examines all HTTPS requests to detect and block attacks such as Structured Query Language (SQL) injection, cross-site scripting (XSS), webshell upload, command or code injection, file inclusion, sensitive file access, third-party vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery (CSRF). WAF can only inspect HTTPS requests because it terminates TLS on behalf of the origin server, which is why the site's certificate must be pushed to WAF.


This section describes how to perform the configuration when no proxy is used between the client and WAF. If a proxy is used between the client and WAF, perform the configuration based on the WAF documentation.

Figure 1-2 No proxy configured

● Before your site is connected to WAF, DNS resolves your domain name to the origin server IP address, so web visitors access the server directly.

● After your site is connected to WAF, DNS resolves your domain name to the CNAME of WAF, so traffic passes through WAF. WAF filters out illegitimate traffic and forwards only legitimate traffic to the origin server. Note that the CNAME change only redirects clients that look the name up in DNS: the origin server still accepts connections to its IP address, so anyone who learns that address can bypass WAF unless the origin restricts inbound traffic to WAF's back-to-source addresses.

1.2 Applying for and Pushing a Certificate

You need to apply for a certificate on the SCM console and push the certificate to WAF after the certificate application is complete.

Figure 1-3 shows the process of applying for and pushing a certificate.


Figure 1-3 Applying for and pushing a certificate

● Verification of the domain name ownership
  – If you are managing your domain name on HUAWEI CLOUD, verify the domain name ownership using Domain Name Service (DNS) on HUAWEI CLOUD.
  – If you are managing your domain name on another domain management platform, verify the domain name ownership on the corresponding platform.

● Organization verification (required only for OV and EV certificates)
  The CA will contact the public phone number of the organization to check whether the organization has initiated the certificate application.

This section describes how to verify domain names on the HUAWEI CLOUD management platform.

Procedure

This section describes only the operations that need to be performed on the HUAWEI CLOUD console.

1. You have purchased a certificate.

2. Applying for a certificate: After a certificate is purchased, you need to apply for the certificate and submit it for approval. For details, see Apply for a Certificate.


3. Verifying a domain name: After the certificate application is submitted, the CA sends an email to your mailbox. You need to verify the domain name. For details, see Verify the Domain Name.

4. Verifying an organization: If you apply for an OV or EV certificate, the CA sends an organization verification email to your email address after domain name verification is complete. The CA contacts the enterprise or organization based on the selected verification method to check whether the enterprise or organization has initiated the certificate application. For details, see Verify the Organization.

5. Pushing the Certificate.

Pushing the Certificate

Step 1 Log in to the management console.

Step 2 In the navigation pane on the left, choose Security > SSL Certificate Manager to enter the SSL Certificate Manager page.

Step 3 In the row containing the desired certificate, click Push in the Operation column. The certificate push details page is displayed, as shown in Figure 1-4.

Figure 1-4 Pushing a certificate

Step 4 Select WAF, expand the target project, and select the target region. Choose the project and region where the WAF instance that will protect the domain name is deployed.

Figure 1-5 Selecting the destination region

Step 5 Click Push Certificate in the lower right corner of the page.

If a message indicating that the certificate is successfully pushed is displayed, the SSL certificate has been pushed to the target service.

Pushing only makes the certificate and its private key available to WAF. HTTPS is not enabled until you bind the certificate to a protected domain name on the WAF console, as described in section 1.3.

Step 6 In the displayed dialog box, click Configure Now. The WAF management page is displayed.

You can also click Continue Pushing, or close the dialog box, to return to the certificate push page or the SSL certificate management page respectively, and then open the WAF page to perform the configuration.

----End
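Pushing makes the certificate available to WAF, but nothing in the console flow confirms that the certificate actually covers the domain name you will protect in section 1.3, or that it is inside its validity period. The following Python script is an added example, not Huawei's code or tooling, that performs both checks on a certificate in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), and can also fetch that certificate from a chosen IP address while sending the protected domain name as SNI, which is how you inspect what WAF serves before switching DNS. The WAF address 203.0.113.10 and SAMPLE_CERT are constructed placeholders, not real data.

```python
import socket
import ssl
import time


def hostname_matches(pattern, hostname):
    """Match one dNSName SAN entry against a hostname (RFC 6125 style).

    A wildcard is accepted only as the entire left-most label and matches
    exactly one label: *.example.com covers www.example.com but neither
    example.com nor a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(cert, hostname, now=None):
    """Check that `cert` covers `hostname` and is valid at epoch time `now`.

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert():
    {'subjectAltName': (('DNS', 'www.example.com'), ...), 'notAfter': ...}.
    Returns (ok, reason). Only subjectAltName is consulted: browsers ignore
    the commonName, so a certificate naming the domain only there fails.
    """
    now = time.time() if now is None else now
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not sans:
        return False, "certificate has no DNS subjectAltName entries"
    if not any(hostname_matches(p, hostname) for p in sans):
        return False, "%s is not covered by SANs %s" % (hostname, sans)
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        return False, "certificate is not yet valid"
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        return False, "certificate expired on " + cert["notAfter"]
    return True, "ok"


def fetch_peer_cert(hostname, ip, port=443, timeout=5):
    """Fetch the certificate served for `hostname` at a fixed `ip`.

    Connecting to the WAF address while sending `hostname` as SNI is the
    equivalent of `curl --resolve`, so this works before the CNAME is
    switched. The default context verifies the chain and the hostname; a
    verification failure is returned as a reason instead of raising.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert(), "ok"
    except ssl.SSLCertVerificationError as e:
        return None, "verification failed: " + e.verify_message
    except (OSError, ssl.SSLError) as e:
        return None, "connection failed: %s" % e


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Mar 30 00:00:00 2020 GMT",
    "notAfter": "Mar 30 23:59:59 2021 GMT",
}

if __name__ == "__main__":
    # Offline check against the sample at a fixed instant (2021-01-01 UTC).
    # For a live check replace SAMPLE_CERT with the first element of
    # fetch_peer_cert("www.example.com", "203.0.113.10")  # hypothetical WAF IP
    at = ssl.cert_time_to_seconds("Jan 01 00:00:00 2021 GMT")
    for host in ("www.example.com", "api.example.com", "example.com"):
        print(host, certificate_covers(SAMPLE_CERT, host, now=at))
```

The fetch deliberately keeps chain and hostname verification on: if the WAF address presents an untrusted chain or a certificate for a different name, that is exactly the failure a browser will report after the DNS change, so the script reports it rather than suppressing it.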


1.3 Adding a Protected Domain Name or Updating a Certificate

After the certificate is successfully pushed, you need to set Client Protocol to HTTPS in WAF and select the pushed certificate.

This section describes how to add a protected domain name or update a certificate in WAF.

Guide descriptions:

● Adding a Protected Domain Name: If your domain name has not been added to WAF, perform the operations in this topic. For details, see Adding a Domain Name.

● Updating a Certificate: If your domain names have been added to WAF (the added domain names correspond to the domain names associated with the certificate) and Client Protocol is set to HTTPS, you can replace the certificate with the pushed certificate based on the instructions in this topic.

Adding a Protected Domain Name

If you have not added your domain name to WAF, perform the operations in this topic.

Prerequisites

● You have obtained an account and its password for logging in to the management console.

● The certificate has been pushed.

● You have purchased WAF. If you have not purchased WAF, purchase it based on the instructions in Buying WAF.

Procedure

Step 1 (Optional) Log in to the management console.

Step 2 Access the domain name configuration page.

Figure 1-6 Domains


Step 3 In the upper left corner of the domain list, click Add Domain Name.

Step 4 On the displayed page, configure the basic information.

Figure 1-7 Configuring the basic information

● Domain Name: Enter the domain name associated with the certificate. It must be covered by the certificate's subject alternative names, either exactly or by a wildcard entry (for example, *.example.com covers www.example.com); otherwise browsers will reject the connection.

● Port: Set this parameter only if Non-standard Port is selected. If Client Protocol is set to HTTPS, WAF protects services on the standard port 443 by default. To configure a port other than 443, select Non-standard Port and select a non-standard port from the Port drop-down list.

● Server Configuration: configuration of the web server address, consisting of the client protocol, server protocol, server address, and server port. Set Client Protocol to HTTPS.

● Certificate Name: Select the pushed certificate.

● Proxy Configured: Whether the website is accessed through proxies, such as CDN and cloud acceleration, before it reaches WAF. The default value is No.

For details, see Adding a Domain Name.

Step 5 Click Next. In the upper right corner of the page, Domain name added successfully is displayed, indicating that the domain name is added.

Step 6 Go to your DNS provider and configure the CNAME record. For details, contact your DNS provider.

● If you use proxy services such as CDN or Advanced Anti-DDoS (AAD), the process is as shown in Figure 1-8. On the proxy's console, change the back-to-source address of the proxy to the CNAME address from WAF, so that the proxy forwards to WAF rather than directly to the origin.


– To ensure that WAF forwards requests properly, you are advised to perform local verification before modifying the DNS configuration by referring to Testing WAF.

– To prevent other users from configuring your domain names on WAF in advance (which would interfere with your domain name protection), you are advised to add the subdomain name and TXT record on your DNS provider. WAF determines which user owns the domain name based on the subdomain name and TXT record. For details about the configuration method, see What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?

Figure 1-8 Connecting a domain name to WAF (using a proxy)

● If no proxies are used, the process is as shown in Figure 1-9. Go to your DNS provider and configure the CNAME record. For details, contact your DNS provider.

To ensure that WAF forwards requests properly, you are advised to perform local verification before modifying the DNS configuration by referring to Testing WAF.


Figure 1-9 Connecting a domain name to WAF (without using a proxy)

The following describes how to bind the CNAME on HUAWEI CLOUD DNS. If the following configuration is inconsistent with yours, use the information provided by your DNS provider.

a. Access the DNS resolution page, as shown in Figure 1-10.

Figure 1-10 DNS page

b. In the Operation column of the target domain name, click Modify. The Modify Record Set page is displayed.

c. In the displayed Modify Record Set dialog box, change the record value, as shown in Figure 1-11.

▪ Name: Domain name configured in WAF

▪ Type: Select CNAME - Map one domain to another.


▪ Line: Default

▪ TTL (s): The recommended value is 5 min (300 s). A larger TTL value slows down synchronization and update of DNS records.

▪ Value: Change it to the CNAME value copied from WAF.

▪ Keep other settings unchanged.

About modifying the resolution record:

▪ The CNAME record must be unique for the same host record. You need to change the CNAME of the existing record to the WAF CNAME address.

▪ For the same host record, different record types may conflict. For example, a CNAME record conflicts with an A, MX, or TXT record on the same host record. If the record type cannot be changed directly, delete the conflicting records and then add the CNAME record. Do this in as short a time as possible: between deleting the A record and adding the CNAME record, resolution of the domain name fails.

For details about the restriction rules of domain name resolution types, see Why Does the System Prompt Me that My Record Set Is in Conflict with an Existing One?

Figure 1-11 Modifying a record set


d. Click OK.

Step 7 (Optional) Verify that the CNAME of the domain name has been configured.

1. In the Windows OS, choose Start > Run, enter cmd, and press Enter.

2. Run an nslookup command to query the CNAME. If the configured CNAME is displayed, the configuration is successful. An example command response is shown in Figure 1-12. The domain name www.example.com is used as an example.

nslookup www.example.com

On Linux or macOS, dig +short CNAME www.example.com prints only the CNAME target. A resolver may keep returning the old A record until the previous record's TTL has expired, so query the authoritative name server if the public result looks stale.

– By default, WAF checks the access status of each domain name to be protected on an hourly basis.

– Normally, if you have completed the domain connection and Access Status is Accessed, the domain name is connected to WAF.

Step 8 After the domain name is connected to WAF, click Next.

Step 9 Click Finish.

----End
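The nslookup check in Step 7 and the ownership TXT record recommended in Step 6 can be scripted. The following Python script is an added example, not part of Huawei's documentation or of WAF, that sends raw DNS queries with only the standard library, parses the answer section (including compression pointers, which real resolvers use), and confirms that the domain's CNAME points at the WAF CNAME and that the ownership TXT record is present. The WAF CNAME target abc123.waf.example.net, the subdomain _waf-owner.www.example.com and the token owner-token are constructed placeholders; the actual subdomain and TXT value come from the WAF FAQ referenced in Step 6. The embedded responses are constructed so the checks run offline; query() fetches live responses.

```python
import socket
import struct

QTYPE = {"A": 1, "CNAME": 5, "TXT": 16}


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_answers(msg):
    """Return [(owner, rtype, value)] from the answer section of a response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("DNS error, rcode=%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the question section (name + type + class)
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE["CNAME"]:
            value = read_name(msg, off)[0]  # target may itself be compressed
        elif rtype == QTYPE["TXT"]:  # one or more <len><bytes> strings
            value, i = "", 0
            while i < rdlen:
                value += rdata[i + 1:i + 1 + rdata[i]].decode("ascii")
                i += 1 + rdata[i]
        else:
            value = rdata  # raw bytes for other types (e.g. 4-byte A address)
        answers.append((owner, rtype, value))
        off += rdlen
    return answers


def cname_points_to_waf(domain, waf_cname, response):
    """True if the response maps `domain` by CNAME to the WAF CNAME target."""
    for owner, rtype, value in parse_answers(response):
        if rtype == QTYPE["CNAME"] and owner.lower() == domain.lower():
            return value.lower().rstrip(".") == waf_cname.lower().rstrip(".")
    return False


def txt_record_present(name, expected, response):
    """True if a TXT record with value `expected` exists for `name`."""
    return any(rtype == QTYPE["TXT"] and owner.lower() == name.lower() and value == expected
               for owner, rtype, value in parse_answers(response))


def query(name, qtype, server="8.8.8.8", timeout=3):
    """Send one UDP query to `server` and return the raw response bytes."""
    q = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD=1
    q += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp = s.recv(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction ID mismatch")
    return resp


def build_response(question, qtype, records, rcode=0):
    """Constructed response for offline tests; owners equal to the question
    are written as a compression pointer to offset 12, as resolvers do."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(records), 0, 0)
    msg += encode_name(question) + struct.pack("!HH", QTYPE[qtype], 1)
    for owner, rtype, rdata in records:
        msg += b"\xc0\x0c" if owner == question else encode_name(owner)
        msg += struct.pack("!HHIH", QTYPE[rtype], 1, 300, len(rdata)) + rdata
    return msg


# Hypothetical WAF CNAME target and ownership TXT record (constructed data).
WAF_CNAME = "abc123.waf.example.net"
OWNER_NAME, OWNER_TOKEN = "_waf-owner.www.example.com", "owner-token"
SAMPLE_CNAME_RESPONSE = build_response(
    "www.example.com", "CNAME", [("www.example.com", "CNAME", encode_name(WAF_CNAME))])
SAMPLE_TXT_RESPONSE = build_response(
    OWNER_NAME, "TXT", [(OWNER_NAME, "TXT", bytes([len(OWNER_TOKEN)]) + OWNER_TOKEN.encode())])
```

For a live check, replace the sample responses with query("www.example.com", "CNAME") and query(OWNER_NAME, "TXT"). Point server at your zone's authoritative name server to see the new record immediately; a public resolver can keep serving the previous A record until the old TTL expires, which is the reason the document recommends a short TTL before the change.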

Updating a Certificate

If your domain names have been added to WAF (the added domain names correspond to the domain names associated with the certificate) and Client Protocol is set to HTTPS, you can replace the certificate with the pushed certificate based on the instructions in this topic.

Prerequisites

● You have obtained an account and its password for logging in to the management console.

● The certificate has been pushed.

● You have purchased WAF. If you have not purchased WAF, purchase it based on the instructions in Buying WAF.

● The protected domain names have been added to WAF, and the protected domain names correspond to the certificate domain names.

● Client Protocol is HTTPS.

Procedure


Step 1 (Optional) Log in to the management console.

Step 2 Access the domain name configuration page.

Figure 1-13 Domains

Step 3 In the Domain Name column, click the target domain name to go to the Basic Information page.

Step 4 Click the edit icon next to the target certificate name. In the displayed dialog box, select the pushed certificate.

Step 5 Click OK. Your certificate is updated. Do this before the old certificate expires, and then connect to the site from a client to confirm that the new certificate, not the old one, is served.

----End


A Change history

Released On   Description

2020-03-30    This issue is the second official issue. Updated the document based on the console style change.

2019-09-24    This issue is the first official release.
