INITIAL SSL Workflow: How to Upload SSL Certificates, Create SSL Profiles, and Add SSL Profiles to Proxy

Description

How Silverline Uses SSL

  • Silverline currently supports full SSL termination or SSL pass thru with a Standard TCP Proxy.  
  • Full SSL Termination:
    • Silverline allows proxy customers the option of terminating their SSL encrypted traffic inside of the service. 
    • The SSL sessions are terminated within Silverline infrastructure using proxy certificates and keys (SSL Front-End Profile). Silverline then creates a separate SSL session and uses it to communicate with your backend server (SSL Backend Profile).
  • SSL pass thru:

 

Environment

  • Silverline WAF
  • Silverline DDoS
  • Proxy / Proxies
  • SSL Certificates
  • SSL Profiles

 

Procedure

SSL configuration must be done in this order:

  1. Upload SSL Certificate
  2. Create Front End SSL Profile
  3. Create Back End SSL Profile (optional)
  4. Add SSL Profiles to Proxy

Then see Next Steps for how to create WAF Policies and attach them to the proxy.

 

Upload SSL Certificate

Requirements

  • SSL Certificate
    • Certificates may be imported either from a file or by pasting them into the page in their base64-encoded format.
    • Important: Certificates and private keys must be in PEM format (.crt extension). If the certificate is in PKCS12, PKCS7, or another format, it will need to be converted: How To: Convert PKCS12/PKCS7 SSL Certificates Into PEM Format
  • SSL Key
  • If applicable, SSL Intermediate Certificates - What is Intermediate SSL Certificate?
  • If your company policies don’t allow you to export SSL certificates, contact the SOC. We can provide a CSR - How to Request CSR(s)

Procedure

  1. In the Silverline Portal, navigate to Config > Proxy Configuration > SSL Management.
  2. On the Certificate and Keys tab (default view), click Add.
  3. Fill in the desired name for the Certificate/Key pair.
  4. Then upload the SSL certificate with header in file:
    • -----BEGIN CERTIFICATE-----
  5. Upload the SSL Key (usually a .key extension) with header in file:
    • -----BEGIN PRIVATE KEY-----
    • -----BEGIN RSA PRIVATE KEY-----
    • -----BEGIN ENCRYPTED PRIVATE KEY----- (a passphrase is required for this type)
  6. Finally, if applicable, upload the SSL intermediate certificates. 
  7. Click Save.
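
A pre-upload check for the files named in the steps above, as an added example that is not part of the original article or of any Silverline tooling. It inspects only the PEM envelope: which header each block carries, which upload field it belongs in, and whether a passphrase will be needed. The names inspect_pem, SLOTS and SAMPLE_BUNDLE are hypothetical, and the sample bundle is constructed placeholder data.

```python
import base64
import re

# PEM labels named in the upload steps -> (portal field, passphrase needed).
SLOTS = {
    "CERTIFICATE": ("certificate", False),
    "PRIVATE KEY": ("key", False),
    "RSA PRIVATE KEY": ("key", False),
    "ENCRYPTED PRIVATE KEY": ("key", True),
}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END ([A-Z0-9 ]+)-----", re.S)

# Constructed sample: placeholder bytes, not a real certificate or key.
FAKE_BODY = base64.b64encode(b"constructed placeholder, not real DER").decode()
SAMPLE_BUNDLE = (
    f"-----BEGIN CERTIFICATE-----\n{FAKE_BODY}\n-----END CERTIFICATE-----\n"
    f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{FAKE_BODY}\n-----END ENCRYPTED PRIVATE KEY-----\n"
).encode()


def inspect_pem(data: bytes):
    """Return (blocks, problems); blocks holds (field, label, needs_passphrase)."""
    try:
        text = data.decode("ascii").replace("\r\n", "\n")
    except UnicodeDecodeError:
        return [], ["not PEM: binary data (DER/PKCS12?), convert before upload"]
    blocks, problems = [], []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            problems.append(f"BEGIN {begin} closed by END {end}")
            continue
        if begin not in SLOTS:
            problems.append(f"unsupported block type: {begin}")
            continue
        # Legacy OpenSSL keys mark encryption with RFC 1421 headers in the body.
        legacy_enc = "Proc-Type: 4,ENCRYPTED" in body
        payload = body.split("\n\n", 1)[1] if legacy_enc and "\n\n" in body else body
        try:
            base64.b64decode("".join(payload.split()), validate=True)
        except ValueError:
            problems.append(f"{begin}: body is not valid base64")
            continue
        field, encrypted = SLOTS[begin]
        blocks.append((field, begin, encrypted or legacy_enc))
    if not blocks and not problems:
        problems.append("no PEM blocks found")
    return blocks, problems
```

The check does not confirm that the key belongs to the certificate or that the intermediates chain correctly; it only catches wrong-format and wrong-field uploads before they reach the portal.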

 

Create Front End SSL Profile

Front End SSL profiles establish the SSL connection between incoming traffic and Silverline.

  1. In the Silverline Portal, navigate to Config > Proxy Configuration > SSL Management.
  2. Navigate to the Front End SSL Profiles tab.
  3. Click Add.
  4. Enter a Name for the profile. 
  5. If this is the first profile you have created, leave the Profile Type as Parent.
    • How to Create Child Profiles - If you want to create more profiles based on a master profile:
      1. Select "Child of" in the Profile Type field.
      2. Then select the Parent profile on which to base the Child profile.
      3. NOTE: Children ALWAYS inherit SSL Ciphers from their parent. This is to ensure all profiles in a family of profiles can be used in an SNI SSL proxy deployment.
  6. Choose the SSL Certificate that you just uploaded. The name that appears in this drop-down will be the name you gave the Certificate/Key pair in the last step.
  7. Choose the SSL Cipher.
  8. Optional: Configure Advanced SSL Settings. We recommend leaving these alone unless you have specific requirements for them. -- What are the Advanced SSL Settings?
  9. Click Save.

 

Create SSL Back End Profile (Optional)

Back End SSL profiles establish the SSL connection from Silverline to your backend.

Note: No configuration of Back End SSL Profile is required

  • Many customers use the default Back End Profile
  • If the ciphers in the Back End Profile are not compatible with any ciphers on the backend server, SSL will likely fail to complete.

  1. In the Silverline Portal, navigate to Config > Proxy Configuration > SSL Management.
  2. Navigate to the Back End SSL Profiles tab.
  3. Click Add.
  4. Configure. Options are similar to the Front End Profile (see above steps for Front End Profiles)
  5. Click Save.

 

Add SSL Profiles to a Proxy

Note: These steps show the minimum configuration needed to add an SSL profile and deploy a proxy. For more detailed steps showing all proxy configuration options, see How to Configure a Proxy for HTTP / SSL HTTP / WAF Proxy Service Type

  1. Navigate to Config > Proxy Config > Proxy Management.
  2. Click Add.
  3. FQDN Name (required) - URL of the protected site
    • Multiple URLs can leverage the same proxy
  4. Backend IP or DNS name (required) - IP or DNS Name of your web server or load balancer.
    • If you have a backend server in your own data center, you’ll put in that IP address.
    • If you have a cloud-based backend like AWS, you’ll put in the CNAME.
  5. Click the name of the Service.
  6. Select the HTTP and HTTPS tab.
  7. Under SSL Certificates, choose Use SSL Profile.
  8. Then choose the Front End SSL Profile you just created.
  9. Click Save. This takes you back to the Proxy Management page.
  10. Check the box next to the proxy you just configured. Then click Deploy Selected. This queues the proxy for deployment. Deployment takes a few minutes.
  11. Once the proxy is deployed, you’ll see an automatically assigned IP address appear under Assigned Front End IP Address.
    • Once your proxies are deployed and tested, and you’ve also configured your on-premises setup, you will direct your application’s DNS to this Assigned Front End IP Address rather than to your backend server. This is how you direct your application’s inbound traffic to run through the Silverline infrastructure.
    • Note: If you want to use an IPV6 Front End, ask the SOC to enable IPV6 on your account and make sure the toggle for Use IPV6 Front-End is turned to On. 

 

Next Steps 

For WAF

  1. Create WAF Policy -- Download: WAF Technical Questionnaire for WAF Setup
  2. How to Attach WAF Policy to Proxy
  3. Create a L7 DDoS Profile
  4. How to Add L7 DDoS Profile to Proxy

 

For DDoS

  1. Create a L7 DDoS Profile
  2. How to Add L7 DDoS Profile to Proxy
