INITIAL SSL Workflow: How to Upload SSL Certificates, Create SSL Profiles, and Add SSL Profiles to Proxy

Description

• This articles shows:
  • how to upload new SSL certificate and keys,
  • then how to create new SSL Front End Profile with the uploaded certificate/key pair
• To manage existing SSL certificates or Profiles, see: How to Manage Existing SSL Certificates and SSL Profiles

How Silverline Uses SSL

• Silverline currently supports full SSL termination or SSL pass thru with a Standard TCP Proxy.  
• Full SSL Termination:
  • Silverline allows proxy customers the option of terminating their SSL encrypted traffic inside of the service. 
  • The SSL sessions are terminated within Silverline infrastructure using proxy certificates and keys (SSL Front-End Profile). Then, Silverline creates a separate SSL session and use it to communicate back to your backend server (SSL Backend Profile).
• SSL pass thru:
  • In the pass thru mode, Silverline cannot inspect the payload
  • Transparent SSL profiles are used for ssl pass thru
  • For more info, see What are Transparent SSL Profiles?

 

Environment

• Silverline WAF
• Silverline DDoS
• Proxy / Proxies
• SSL Certificates
• SSL Profiles

 

Procedure

SSL configuration must be done in this order:

1. Upload SSL Certificate
2. Create Front End SSL Profile
3. Create Back End SSL Profile (optional)
4. Add SSL Profiles to Proxy

Then see Next Steps for how to create WAF Policies and attach to proxy.

 

Upload SSL Certificate

Requirements SSL Certificate Certificates may be imported either from file, or by pasting them into the page in their base 64 encoded format. Important: Certificates and private keys must be in a PEM format (.crt extension).  If the certificate is in a PKCS12, PKCS7, or other formats, the certificate will need to be converted: How To: Convert PKCS12/PKCS7 SSL Certificates Into PEM Format SSL Key If applicable, SSL Intermediate Certificates - What is Intermediate SSL Certificate? If your company policies don’t allow you to export SSL certificates, contact the SOC. We can provide a CSR - How to Request CSR(s)

Procedure

1. In the Silverline Portal, navigate to Config > Proxy Configuration > SSL Management.
2. On the Certificate and Keys tab (default view), click Add.
3. Fill in the desired name for the Certificate/Key pair.
4. Then upload the SSL certificate with header in file:
   
   • -----BEGIN CERTIFICATE-----
5. Upload the SSL Key (usually a .key extension) with header in file:
   • -----BEGIN PRIVATE KEY-----
   • -----BEGIN RSA PRIVATE KEY-----
   • -----BEGIN ENCRYPTED PRIVATE KEY----- (for such is needed passpharse)
6. Finally, if applicable, upload the SSL intermediate certificates. 
7. Click Save.

 

Create Front End SSL Profile

Front End SSL profiles establish SSL connection to Silverline from incoming traffic.

1. In the Silverline Portal, navigate to Config > Proxy Configuration > SSL Management.
2. Navigate to the Front End SSL Profiles tab.
3. Click Add.
4. Enter a Name for the profile. 
5. If this is the first profile you have created, leave the Profile Type as Parent. 
   • How to Create Child Profiles - If you want to create more profiles based on a master profile:
     1. Select "Child of" in the Profile Type field,
     2. Then select the Parent profile to base the Child profile.
     3. NOTE: Children ALWAYS inherit SSL Ciphers from their parent.  This is to ensure all profiles in a family of profiles can be used in an a SNI SSL proxy deployment.
6. Choose the SSL Certificate that you just uploaded. The name that appears in this drop-down will be the name you gave the Certificate/Key pair in the last step.
7. Choose the SSL Cipher.
   • We recommend choosing a SOC-curated SSL Cipher: Q&A: What are the SOC Curated Ciphers that Silverline Uses in SSL Profiles?
     • Typically recommend: high - SOC curated, because a high SSL Cipher suite will usually get you an A-rating with SSL Server Tests like Qualys SSL Labs -- see How To Get A or A+ on Qualys SSL Labs
   • Q&A: What are the SSL ciphers that are supported in Silverline?
   • How To Configure custom - Static SSL Ciphers For Front End And Back End SSL Profiles
8. Optional: Configure Advanced SSL Settings. We recommend leaving these alone unless you have specific requirements for them. -- What are the Advanced SSL Settings?
9. Click Save. 

 

Create SSL Back End Profile (Optional)

Back End SSL profiles establish SSL connection from Silverline to your backend

Note: No configuration of Back End SSL Profile is required Many customers use the default Back End Profile If the ciphers from the backend profile are not compatible with any ciphers on the backend server, then likely SSL fails to complete.

1. In the Silverline Portal, navigate to Config > Proxy Configuration > SSL Management.
2. Navigate to the Back End SSL Profiles tab.
3. Click Add.
4. Configure. Options are similar to the Front End Profile (see above steps for Front End Profiles)
5. Click Save.

 

Add SSL Profiles to a Proxy

Note: These steps show the minimum configurations to add a SSL profile and deploy proxy. For more detailed steps showing all proxy configuration options, see How to Configure a Proxy for HTTP / SSL HTTP / WAF Proxy Service Type

1. Navigate to Config > Proxy Config > Proxy Management.
2. Click Add.
3. FQDN Name (required) - URL of the protected site
   • Multiple URLs can leverage the same proxy
4. Backend IP or DNS name (required)- IP or DNS Name of your web server or load balancer.
   • If you have a backend server in your own data center, you’ll put in that IP address.
   • If you have a cloud-based backend like AWS, you’ll put in the CNAME.
5. Click the name of the Service.
6. Select the HTTP and HTTPS tab.
7. Under SSL Certificates, choose Use SSL Profile.
   • Note that if you skipped creating the SSL Profiles first, this option won’t appear. Go back to Create Front End SSL Profile.
8. Then choose the Front End SSL Profile you just created.
   • Note: A single proxy can host multiple SSL Profiles. See How to Configure your Proxy to Host Multiple SSL Domains (Service Name Indication or SNI)
9. Click Save. This takes you back to the Proxy Management page.
10. Check the box next to the proxy you just configured. Then click Deploy Selected. This queues the proxy for deployment. Deployment takes a few minutes.
11. Once the proxy is deployed, you’ll see an automatically assigned IP address appear under Assigned Front End IP Address.
    • Once your proxies are deployed and tested, and you’ve also configured your on-premises setup, you will direct your application’s DNS to this Assigned Front End IP Address rather than to your backend server. This is how you direct your application’s inbound traffic to run through the Silverline infrastructure.
    • Note: If you want to use an IPV6 Front End, ask the SOC to enable IPV6 on your account and make sure the toggle for Use IPV6 Front-End is turned to On. 

 

Next Steps 

For WAF

1. Create WAF Policy -- Download: WAF Technical Questionnaire for WAF Setup
2. How to Attach WAF Policy to Proxy
3. Create a L7 DDoS Profile
4. How to Add L7 DDoS Profile to Proxy

 

For DDoS

1. Create a L7 DDoS Profile
2. How to Add L7 DDoS Profile to Proxy

Related Content 

• WAF Onboarding Video 3: Configuring WAF Services - Adding SSL Certificates, Proxies, and WAF Policies
• How to Manage Existing SSL Certificates and SSL Profiles
  • How to: Update an SSL certificate on an existing Frontend SSL profile
  • Q&A: Are SSL Profile Changes Queued and Deployed Automatically?
• How to Configure a Proxy for HTTP / SSL HTTP / WAF Proxy Service Type
• How to Attach WAF Policy to Proxy
• How to Configure New L7 DDoS Profiles
• How to Add L7 DDoS Profile to Proxy