Creating, Modifying, or Deleting a Certificate

Scenarios

To enable authentication for securing data transmission over HTTPS, you can create certificates for load balancers. You can also modify and delete certificates.

Note

  • A certificate can be bound to only one type of load balancer. Ensure that you have selected the correct type.

Creating a Certificate

  1. Log in to the management console.

  2. In the upper left corner of the page, click the icon and select the desired region and project.

  3. Click the icon in the upper left corner to display Service List and choose Network > Elastic Load Balancing.

  4. In the navigation pane on the left, choose Certificates.

  5. Click Create Certificate. In the Create Certificate dialog box, configure the parameters.

    • Certificate Name

    • Certificate Type

      • Server certificate: used for SSL handshake negotiations if an HTTPS listener is used. Both the certificate content and private key are required.

      • CA certificate: issued by a certificate authority (CA) and used to verify the certificate issuer. If HTTPS mutual authentication is required, HTTPS connections can be established only when the client provides a certificate issued by a specific CA.

    • Certificate Content: The content must be in PEM format. This parameter is mandatory when Certificate Type is set to Server certificate or CA certificate.

      Click Upload and select the certificate to be uploaded. Ensure that your browser is of the latest version.

      The format of the certificate body is as follows:

      -----BEGIN CERTIFICATE-----
      Base64-encoded certificate
      -----END CERTIFICATE-----
      
    • Private Key: This parameter is mandatory when Certificate Type is set to Server certificate.

      Click Upload and select the private key to be uploaded. Ensure that your browser is of the latest version.

      The value must be an unencrypted private key. The private key must be in PEM format. The format is as follows:

      -----BEGIN PRIVATE KEY-----
      [key]
      -----END PRIVATE KEY-----
      
    • Note

      If there is a certificate chain, you need to configure the certificates in the following sequence: sub-certificate (server certificate), intermediate certificate, and root certificate. If the root certificate has been preset on the server and is not contained in the issued certificates, first configure the sub-certificate (server certificate) and then the intermediate certificate.

      For example, suppose a CA issued a private key private.key and two certificates: a sub-certificate (server certificate) server.cer and an intermediate certificate mid.crt. Paste the content of server.cer in the Certificate text box, press Enter, and then paste the content of mid.crt in the Certificate text box. Then paste the content of private.key in the Private Key text box to make the entire certificate chain take effect. The format of the certificate body in a certificate chain is as follows:

      Certificate body

      -----BEGIN CERTIFICATE-----
      Content of the server certificate server.cer
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      Content of the intermediate certificate mid.crt
      -----END CERTIFICATE-----
      

      Private key

      -----BEGIN PRIVATE KEY-----
      Content of the private key private.key
      -----END PRIVATE KEY-----
      
    • Domain Name

      • If the created certificate will be used for SNI, you can specify a domain name for each certificate, and the domain name must be the same as that in the certificate.

        Note

        • A domain name can contain only letters, digits, and hyphens (-) and cannot start or end with a hyphen (-).

        • A domain name consists of more than one label separated by periods. Each label can contain a maximum of 63 characters, and a domain name can contain a maximum of 100 characters.

      • You can also specify multiple domain names for each certificate if the certificate will be used for SNI. The domain names must be the same as those in the certificate.

        Note

        • An SNI certificate can have up to 100 domain names separated by commas (,).

        • SNI certificates of a dedicated load balancer's listener can have up to 200 domain names.

        • SNI certificates of a shared load balancer's listener can have up to 30 domain names.

        • A domain name can contain only letters, digits, and hyphens (-) and cannot start or end with a hyphen (-).

        • A domain name consists of more than one label separated by periods. Each label can contain a maximum of 63 characters.

        • A domain name can contain a maximum of 100 characters, and the total length of domain names cannot exceed 10,000 characters.

    • Description

  6. Click OK.
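
The following pre-upload check is an added example, not part of the console or the service's own validation. It tests the three fields described above against the stated rules: PEM certificate blocks only in the certificate body, a single unencrypted PEM private key, and the domain name limits. The function names and the max_names parameter (100 by default; pass 200 or 30 for the listener limits above) are assumptions of this sketch, and the check is structural only: it does not confirm that the key matches the certificate or that the chain is in the right order.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)\n-----END \1-----", re.S)
LABEL_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")


def _is_der(body):
    """True if a PEM body is strict base64 that decodes to a DER SEQUENCE (0x30)."""
    try:
        return base64.b64decode("".join(body.split()), validate=True)[:1] == b"\x30"
    except ValueError:
        return False


def check_certificate_body(text):
    """Problems in Certificate Content (server certificate first, then intermediates)."""
    blocks = PEM_RE.findall(text)
    bad = [f"block {i}: not a valid CERTIFICATE block"
           for i, (label, body) in enumerate(blocks, 1)
           if label != "CERTIFICATE" or not _is_der(body)]
    return bad if blocks else ["no PEM block found"]


def check_private_key(text):
    """Problems in the Private Key field: exactly one PEM block, unencrypted."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1 or not blocks[0][0].endswith("PRIVATE KEY"):
        return ["expected exactly one PRIVATE KEY block"]
    label, body = blocks[0]
    # PKCS#8 marks encryption in the label, legacy PEM in a Proc-Type header.
    if "ENCRYPTED" in label or re.search(r"Proc-Type:.*ENCRYPTED", body):
        return ["private key is encrypted; the field requires an unencrypted key"]
    return [] if _is_der(body) else ["private key body is not base64-encoded DER"]


def check_domain_names(value, max_names=100):
    """Problems in Domain Name (assumption: the hyphen rule is checked per label)."""
    names = [n.strip() for n in value.split(",")]
    problems = []
    if len(names) > max_names:
        problems.append(f"more than {max_names} domain names")
    if sum(len(n) for n in names) > 10000:
        problems.append("total length exceeds 10,000 characters")
    for name in names:
        labels = name.split(".")
        if (len(name) > 100 or len(labels) < 2 or not all(
                len(p) <= 63 and LABEL_RE.fullmatch(p) for p in labels)):
            problems.append(f"invalid domain name: {name}")
    return problems
```

Each function returns a list of problems, so an empty list means the field passed; run the checks on the exact text you intend to paste or upload.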

Modifying a Certificate

  1. Log in to the management console.

  2. In the upper left corner of the page, click the icon and select the desired region and project.

  3. Click the icon in the upper left corner to display Service List and choose Network > Elastic Load Balancing.

  4. In the navigation pane on the left, choose Certificates.

  5. Locate the certificate and click Modify in the Operation column.

  6. Modify the parameters as required.

  7. Click OK.

Deleting a Certificate

Only certificates that are not in use can be deleted.

  1. Log in to the management console.

  2. In the upper left corner of the page, click the icon and select the desired region and project.

  3. Click the icon in the upper left corner to display Service List and choose Network > Elastic Load Balancing.

  4. In the navigation pane on the left, choose Certificates.

  5. Locate the certificate and click Delete in the Operation column.

  6. Click Yes.