# Certificates

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FBo2Yh73j3yttAP4HNHK8%2FSSL%20Certificates.png?alt=media&#x26;token=1a5a21d9-572e-445b-8f4b-bef558393af0" alt=""><figcaption></figcaption></figure>

## Overview

This section allows admins to manage SSL Certificates. There are four kinds of certificates, each with its own tab:

* **Server Certificates**, so that clients (end users) can communicate with Link11 WAAP using HTTPS.
* **CA Certificates**, so that Link11 WAAP can validate clients for mTLS communication.
* **Server-to-Backend mTLS Certificates**, so that customer origins can validate Link11 WAAP for mTLS communication.
* **Server-to-Backend CA Certificates**, so that Link11 WAAP can validate customer origins for mTLS communication.

Server Certificates are necessary for end users to communicate securely with Link11 WAAP. The other three types are optional, and are needed only when mTLS (mutual TLS) is used.

Here is a diagram of the different types of certificates:

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FLpqryzpoUTsC3fpeY0YN%2FSSL%20Certificate%20nomenclature.png?alt=media&#x26;token=b77fbe4c-018c-4ca3-8e9c-a429ba5cf35c" alt=""><figcaption></figcaption></figure>

Out of the box, Link11 offers management of Server Certificates only.

**To enable management of the other types of certificates** so that their tabs appear in the interface, follow the instructions here: [How do I enable mTLS](https://waap.docs.link11.com/using-the-product/how-do-i.../enable-mtls-mutual-tls).

## Usage within applications and APIs

Server Certificates can be attached to [Load Balancers](https://waap.docs.link11.com/console-walkthrough/sites/ssl/load-balancers), or to domains via [Server Groups](https://waap.docs.link11.com/console-walkthrough/sites/server-groups).

CA Certificates are likewise attached via Server Groups, but the option appears in the interface only when an AWS NLB (Network Load Balancer) is in use. When using a Link11 load balancer, please contact support.

Server-to-Backend mTLS/CA Certificates are used in [Backend Services](https://waap.docs.link11.com/console-walkthrough/backend-services#server-to-backend-mtls-certificate).

## Administration

The list of currently defined Certificates is displayed in each tab. From here, new certificates can be added, or existing ones can be edited.

{% hint style="info" %}
When adding new certificates, publishing your changes is necessary to make the new certificates available for use in the system.
{% endhint %}

All four types of certificates are administered using the same procedures, described below.

### Securing private keys

By default, Link11 WAAP offers admins the ability to auto-replace certificates using Let's Encrypt, and to download certificates in PFX format. A PFX (PKCS#12) bundle carries the private key together with the certificate, so any console or API user who can download it can take the key off the platform; disabling the download is the usual choice where private keys must not leave Link11 WAAP. To remove either feature from the web console and API, [contact support](https://waap.docs.link11.com/support).

## Generating a Certificate

Selecting the **+ New** button opens the *Upload Certificate* dialog:

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FQRwFrTCKTj7OPoR7SWL1%2FSSL%20generate%20certificate.png?alt=media&#x26;token=4f79ebd0-931f-4bbf-aa0f-77fd562e4b08" alt=""><figcaption></figcaption></figure>

When adding a certificate, a name for use within the interface can be specified. If this field is left blank, the system will generate a name automatically.

A certificate can be entered manually, or uploaded as a PFX file, which L11WAAP parses to extract the certificate and key.

{% hint style="info" %}
When using a GCP load balancer, the certificate must meet these requirements:

* It must be in [PEM format](http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/sample-ca-cert.htm).
* It cannot be protected by a passphrase. Google Cloud stores the private key in its own encrypted format.
* Its private key must be either RSA-2048 or ECDSA P-256.

To create a new private key, use one of the following [OpenSSL](https://www.openssl.org/docs/) commands.

* Create an RSA-2048 private key:

  ```
  openssl genrsa -out $PRIVATE_KEY_FILE 2048
  ```
* Create an ECDSA P-256 private key:

  ```
  openssl ecparam -name prime256v1 -genkey -noout -out $PRIVATE_KEY_FILE
  ```

...where `$PRIVATE_KEY_FILE` is the path and filename for the new private key file.
{% endhint %}
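The following script is an added example, not Link11 code. It extends the two key-generation commands in the hint above: it creates both accepted key types without a passphrase, checks a key file against the GCP requirements, self-signs a throwaway certificate, verifies that a certificate and key actually belong together before they are uploaded, tests the seven-day expiry window that the Let's Encrypt auto-replacement (described further down) works with, and round-trips the pair through the PFX format that the console parses on upload. It assumes the `openssl` CLI (1.1.1 or 3.x); the file names, the hostname `waap.example.test` and the export password are constructed for the walk-through.

```shell
#!/bin/sh
# Added example, not Link11 code: generate a private key that satisfies the
# GCP load-balancer rules (RSA-2048 or ECDSA P-256, no passphrase), self-sign
# a throwaway certificate, and run the checks worth doing before a certificate
# or PFX goes into the console. Needs the openssl CLI (1.1.1 or 3.x).
# File names, the hostname waap.example.test and the export password are
# constructed for the walk-through.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for generated files

# gen_key rsa2048|p256 FILE: write an unencrypted private key. No -aes256 or
# -passout is given on purpose: GCP rejects passphrase-protected keys.
gen_key() {
  case "$1" in
    rsa2048) openssl genrsa -out "$2" 2048 2>/dev/null ;;
    p256)    openssl ecparam -name prime256v1 -genkey -noout -out "$2" ;;
    *)       echo "unsupported key type: $1" >&2; return 1 ;;
  esac
}

# key_type FILE: print ENCRYPTED, UNREADABLE, RSA-2048, ECDSA-P256 or OTHER.
# Only the last two satisfy the GCP requirements in the hint.
key_type() {
  if grep -q ENCRYPTED "$1"; then echo ENCRYPTED; return 0; fi
  info=$(openssl pkey -in "$1" -passin pass: -noout -text 2>/dev/null) \
    || { echo UNREADABLE; return 0; }
  case "$info" in
    *prime256v1*)               echo ECDSA-P256 ;;
    *"Private-Key: (2048 bit"*) echo RSA-2048 ;;
    *)                          echo OTHER ;;
  esac
}

# self_sign KEY CERT HOST: issue a 5-day self-signed certificate for HOST with
# a matching SAN; browsers ignore a CN that has no SAN.
self_sign() {
  openssl req -new -x509 -key "$1" -out "$2" -days 5 -subj "/CN=$3" \
    -addext "subjectAltName=DNS:$3" 2>/dev/null
}

# pair_matches CERT KEY: succeed only if CERT's public key is the one derived
# from KEY, which catches the wrong key pasted beside the right certificate.
pair_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# expires_within CERT DAYS: succeed if CERT expires in the next DAYS days. With
# DAYS=7 this is the window the daily Let's Encrypt auto-replacement uses.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# to_pfx KEY CERT PFX PASSWORD: bundle key and certificate as PKCS#12, the
# format the console parses on upload and produces for "Download PFX". The
# private key travels inside the file, which is why the download is worth
# disabling where keys must stay on the platform.
to_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" -name waap-cert
}

# pfx_to_pem PFX PASSWORD KEY_OUT CERT_OUT: unpack a PFX back into PEM files.
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$4" 2>/dev/null
}

# --- walk-through on constructed files -------------------------------------
gen_key rsa2048 "$WORK/rsa.key"
gen_key p256    "$WORK/ec.key"
self_sign "$WORK/ec.key" "$WORK/ec.crt" waap.example.test
to_pfx "$WORK/ec.key" "$WORK/ec.crt" "$WORK/ec.pfx" export-secret
pfx_to_pem "$WORK/ec.pfx" export-secret "$WORK/unpacked.key" "$WORK/unpacked.crt"

echo "rsa.key:      $(key_type "$WORK/rsa.key")"      # RSA-2048
echo "ec.key:       $(key_type "$WORK/ec.key")"       # ECDSA-P256
echo "unpacked.key: $(key_type "$WORK/unpacked.key")" # ECDSA-P256
if pair_matches "$WORK/ec.crt" "$WORK/ec.key";  then echo "ec.crt + ec.key: match"; fi
if pair_matches "$WORK/ec.crt" "$WORK/rsa.key"; then :; else echo "ec.crt + rsa.key: MISMATCH"; fi
if expires_within "$WORK/ec.crt" 7; then echo "ec.crt: expires within 7 days, auto-replacement would fire"; fi
```

`key_type` refuses to prompt for a passphrase (`-passin pass:`), so a protected key comes back as `ENCRYPTED` rather than hanging a non-interactive run; that is the condition GCP rejects. `pair_matches` compares the SubjectPublicKeyInfo from both sides, which is the check to run whenever a certificate and key are pasted separately or when one certificate is swapped for another via *Replace Existing Certificate*.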

## Editing/Configuring a Certificate

When an existing Certificate is edited, the *Edit Certificate* dialog appears:

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FB9OtFe4w8so3htez4pLv%2FSSL%20Certificate%20editor.png?alt=media&#x26;token=a8f04cc1-c4c9-4670-a7aa-31666059709a" alt=""><figcaption></figcaption></figure>

### Editable parameters and controls

#### **Certificate Name**

The certificate's current name within the interface can be edited.

#### **Auto Replacement by Let's Encrypt**

Let's Encrypt is a free, automated certificate authority. L11WAAP integrates with it, and the integration is enabled by default.

Once a day, L11WAAP checks the certificate of each application it protects. If that certificate expires within the coming week, and *Auto Replacement by Let's Encrypt* is enabled for it, L11WAAP obtains a new certificate from Let's Encrypt and attaches all of the old certificate's sites to the new one. Let's Encrypt validates control of each domain before issuing, so renewal can only succeed for domains that Let's Encrypt is able to validate.

{% hint style="info" %}
This feature can be disabled in the web console and API if desired. Contact support to do this.
{% endhint %}

#### Attach To Application

This tab lists the Server Groups. Selecting one attaches this Certificate to it.

#### Replace Existing Certificate

This tab lists the Certificates defined within the system. Selecting one and then clicking **Save** transfers all sites/applications from the selected Certificate to the Certificate you are currently editing.

#### **Download PFX**

This downloads the certificate and its private key as a PFX (PKCS#12) file; see *Securing private keys* above before leaving this enabled.

{% hint style="info" %}
This feature can be disabled in the web console and API if desired. Contact support to do this.
{% endhint %}

