After you obtain a new or renewed SSL certificate, update it in Anti-DDoS Proxy to ensure that HTTPS traffic continues to be processed correctly. An expired or mismatched certificate causes connection errors for your users.
Prerequisites
A website that supports HTTPS is added to Anti-DDoS Proxy.
The certificate is uploaded to the Certificate Management Service console.
Supported certificate types
| Region | Supported certificate types |
|---|---|
| Anti-DDoS Proxy (Chinese Mainland) | Certificates that use internationally accepted algorithms, and ShangMi (SM) certificates (SM2 algorithm only) |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Certificates that use internationally accepted algorithms only |
If your website supports both certificates that use internationally accepted algorithms and SM certificates, you must upload certificates of both types.
Certificate file format requirements
When you manually upload a certificate, the certificate file must be in one of the following formats:
PEM, CER, or CRT: Open the file in a text editor and copy the content directly.
PFX or P7B: Convert the file to PEM format before uploading. For more information, see Convert the format of a certificate or How do I convert an SSL certificate to the PEM format?
If the file includes multiple certificates (such as a certificate chain), concatenate their contents and paste the combined content into the Certificate File field.
Update a certificate that uses internationally accepted algorithms
Log on to the Website Config page in the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.
Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.
On the Website Config page, find the domain name that you want to manage and click Edit in the Actions column.
On the Modify Website Configurations tab, click Modify next to the certificate.
Choose one of the following methods to update the certificate:
Upload: Specify a value for Certificate Name, then paste the certificate file content into the Certificate File field and the private key content into the Private Key field. > Note: > - If the certificate file is in PEM, CER, or CRT format, open it in a text editor and copy the content. For PFX or P7B formats, convert the file to PEM format first. For more information, see Convert the format of a certificate or How do I convert an SSL certificate to the PEM format? > - If the file includes multiple certificates (such as a certificate chain), concatenate their contents and paste the combined content into the Certificate File field.
Select Existing Certificate: If you have applied for a certificate from Certificate Management Service (Original SSL Certificate) or have uploaded a certificate to Certificate Management Service, you can directly select the certificate.
Click Next and follow the instructions to complete the modification.
Update an SM certificate (Chinese Mainland only)
SM certificates are available only for Anti-DDoS Proxy (Chinese Mainland).
SM certificate considerations
Anti-DDoS Proxy (Chinese Mainland) has been verified to process SM requests from 360 browser and Haitai browser.
If clients do not support Server Name Indication (SNI), Anti-DDoS Proxy (Chinese Mainland) returns the default SM certificate, and the client displays the message "The server certificate cannot be trusted."
Procedure
Log on to the Website Config page in the Anti-DDoS Proxy console.
In the top navigation bar, select the Chinese Mainland region.
On the Website Config page, find the domain name that you want to manage and click Edit in the Actions column.
On the Modify Website Configurations tab, configure the certificate in the SM Certificate section.
Configure the following settings:
Allow Access Only from SM Certificate-based Clients: This switch is turned off by default.
On: Only processes requests from clients with an installed SM certificate.
When this option is enabled, the TLS suite, mutual authentication, and OCSP stapling configurations for certificates that use internationally accepted algorithms do not apply.
Off: Processes requests from clients with an installed SM certificate and those with a certificate that uses internationally accepted algorithms.
SM Certificate: You must upload an SM certificate to Certificate Management Service before you can select it.
SM Cipher Suites for HTTPS Support: The following cipher suites are enabled by default and cannot be modified:
ECC-SM2-SM4-CBC-SM3
ECC-SM2-SM4-GCM-SM3
ECDHE-SM2-SM4-CBC-SM3
ECDHE-SM2-SM4-GCM-SM3
Click Next and follow the instructions to complete the modification.