Certificates

Administration of SSL certificates

Overview

This section allows admins to manage SSL Certificates. There are four kinds of certificates, each with its own tab:

  • Server Certificates, so that clients (end users) can communicate with Link11 WAAP using HTTPS.

  • CA Certificates, so that Link11 WAAP can validate clients for mTLS communication.

  • Server-to-Backend mTLS Certificates, so that customer origins can validate Link11 WAAP for mTLS communication.

  • Server-to-Backend CA Certificates, so that Link11 WAAP can validate customer origins for mTLS communication.

Server Certificates are necessary for end users to communicate securely with Link11 WAAP. The other types of certificates are optional, and are only necessary for using mTLS (mutual TLS).

Here is a diagram of the different types of certificates:

Out of the box, Link11 offers management of Server Certificates.

To enable management of the other types of certificates so that their tabs appear in the interface, follow the instructions here: How do I enable mTLS.

Usage within applications and APIs

Server Certificates can be attached to Load Balancers, or to domains via Server Groups.

Similarly, CA Certificates are also used in Server Groups. However, they are only available in the interface when using an AWS NLB (Network Load Balancer). When using a Link11 load balancer, please contact support.

Server-to-Backend mTLS/CA Certificates are used in Backend Services.

Administration

The list of currently defined Certificates is displayed in each tab. From here, new certificates can be generated, or existing ones can be edited.

When adding new certificates, publishing your changes is necessary to make the new certificates available for use in the system.

All four types of certificates are administered using the same procedures, described below.

Securing private keys

By default, Link11 WAAP offers admins the ability to auto-replace certificates using Let's Encrypt, and to download certificates in PFX format. To remove these features from the web console and API, contact support.

Generating a Certificate

Selecting the + New button displays the Upload Certificate dialog:

Certificates can be added manually, or L11WAAP can parse a PFX file.

When using a GCP load balancer, the certificate must meet these requirements:

  • It must be in PEM format.

  • It cannot be protected by a passphrase. Google Cloud stores the private key in its own encrypted format.

  • Its key algorithm must be either RSA-2048 or ECDSA P-256.

To create a new private key, use one of the following OpenSSL commands.

  • Create an RSA-2048 private key:

    openssl genrsa -out $PRIVATE_KEY_FILE 2048

  • Create an ECDSA P-256 private key:

    openssl ecparam -name prime256v1 -genkey -noout -out $PRIVATE_KEY_FILE

...where $PRIVATE_KEY_FILE is the path and filename for the new private key file.
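The following pre-upload check is an added example, not part of Link11 WAAP or its documentation. It verifies a key file against the GCP requirements listed above (PEM format, no passphrase, RSA-2048 or ECDSA P-256) and, optionally, that a certificate was issued for that key; it assumes the openssl CLI is installed and that the file names are passed as arguments.

```shell
#!/bin/sh
# check_gcp_cert.sh: pre-upload check for a server certificate that will sit
# behind a GCP load balancer. Checks the three requirements above: PEM format,
# no passphrase on the key, and an RSA-2048 or ECDSA P-256 key; optionally
# confirms the certificate was issued for that key. Needs the openssl CLI.
# Example code; not part of Link11 WAAP.

# check_key KEY_FILE: print "ok: ..." and return 0 when the key is acceptable,
# otherwise print "rejected: <reason>" and return 1.
check_key() {
    key="$1"
    # DER or PKCS#12 input has no PEM armour; GCP needs PEM.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || {
        echo "rejected: key is not PEM"; return 1; }
    # Both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy
    # ("Proc-Type: 4,ENCRYPTED") passphrase-protected keys carry this marker.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "rejected: key is passphrase-protected"; return 1
    fi
    info=$(openssl pkey -in "$key" -noout -text 2>/dev/null) || {
        echo "rejected: openssl cannot parse key"; return 1; }
    case "$info" in
        *"(2048 bit"*"modulus:"*)  echo "ok: RSA-2048" ;;
        *"ASN1 OID: prime256v1"*)  echo "ok: ECDSA P-256" ;;
        *) echo "rejected: key must be RSA-2048 or ECDSA P-256"; return 1 ;;
    esac
}

# check_pair KEY_FILE CERT_FILE: the certificate must be PEM and its public
# key must equal the one derived from the private key.
check_pair() {
    key="$1"; cert="$2"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || {
        echo "rejected: certificate is not PEM"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "rejected: openssl cannot parse certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "rejected: openssl cannot read key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || {
        echo "rejected: certificate does not match private key"; return 1; }
    echo "ok: certificate matches key"
}

# Usage: check_gcp_cert.sh KEY_FILE [CERT_FILE]
if [ "$#" -ge 1 ]; then
    check_key "$1" && { [ "$#" -lt 2 ] || check_pair "$1" "$2"; }
fi
```

Run it against the key produced by either OpenSSL command above before uploading; a non-zero exit status means the file would be refused by the GCP load balancer.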

Editing/Configuring a Certificate

When an existing Certificate is edited, the Edit Certificate dialog appears:

Editable parameters and controls

Auto Replacement by Let's Encrypt

Let's Encrypt is a free certificate authority service. L11WAAP integrates with it, and offers this service by default.

Once a day, L11WAAP checks each application it protects. If that application's certificate will expire within the coming week, and the certificate's Auto Replacement by Let's Encrypt option is enabled, L11WAAP generates a new certificate using Let's Encrypt and attaches all of the application's sites to the new certificate.

This feature can be disabled in the web console and API if desired. Contact support to do this.

Attach To Application

This tab includes a list of Server Groups. Selecting one will connect this Certificate to it.

Replace Existing Certificate

This tab includes a list of Certificates defined within the system. Selecting one and then clicking Save will result in all sites/applications being transferred from the selected Certificate over to the Certificate you're currently editing.

Download PFX

This will download the certificate information as a file in PFX format.

This feature can be disabled in the web console and API if desired. Contact support to do this.
