Cloud WAF certificate management
IMPORTANT: This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, you can only deploy the Next-Gen WAF with the Edge WAF and On-Prem WAF deployment methods.
Before you begin
Before uploading your TLS/SSL certificate, ensure that your private key is not password protected and your certificate information is PEM formatted. Any number of certificates can be uploaded, but no more than 48 unique certificates can be applied to a single Cloud WAF instance.
Viewing certificates and their details
To view a summary of all TLS certificates protecting your site (also known as workspace) with Cloud WAF:
- Log in to the Next-Gen WAF control panel.
- From the Corp Manage menu, select Cloud WAF Certificates. The Certificates page for your site's Cloud WAF appears displaying a summary table that lists the name, domains, status, and expiration details for all certificates at your site.
- (Optional) Click View at the right of a specific site in the summary table to view additional details for a particular TLS certificate.
Adding certificates
HINT: If TLS connections terminate at the Edge before requests are sent to Cloud WAF, then uploading a TLS certificate is optional. Always upload and use certificates if traffic goes directly to Cloud WAF over HTTPS.
To add a certificate, upload it by following the steps below:
- Log in to the Next-Gen WAF control panel.
- From the Corp Manage menu, select Cloud WAF Certificates.
- Click Add certificate. A page where you can add certificate details appears.
- Fill out the certificate details as follows:
  - In the Name field, enter a meaningful name that can help you manage the certificate and distinguish it from any others that may exist.
  - In the Certificate body field, enter the body of the unencrypted, PEM-formatted server certificate provided by your certification authority. RSA 2048 and 4096 certificates can be used.
  - In the Certificate chain field, enter the certificate chain, which is also known as the intermediate certificate. The certificate chain is not required for self-signed certificates.
  - In the Private key field, enter your certificate's private key.
- Click Upload certificate. The newly uploaded certificate appears on the Certificates page in the summary table.
After uploading your certificate, be sure to create a Cloud WAF instance to protect your origin. Keep in mind that, for requests coming from Fastly’s Edge, you can use a Fastly-managed TLS certificate instead when you create a Cloud WAF instance. In this case, uploading a TLS certificate is optional.
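The file requirements stated under "Before you begin" and in the field descriptions above (PEM format, a private key that is not password protected, an RSA 2048 or 4096 certificate, and a private key that belongs to the certificate) can be checked locally before you paste anything into the form. The following is an added example, not part of the Fastly guide; it assumes the `openssl` command-line tool is installed, and the function name and return codes are the example's own.

```shell
#!/bin/sh
# Pre-upload check for the certificate body and private key (added example).
# Usage: check_cloudwaf_cert CERT.pem KEY.pem
# Return codes are this script's own convention:
#   0 ok, 1 not PEM, 2 key password protected,
#   3 not RSA 2048/4096, 4 key does not match certificate
check_cloudwaf_cert() {
    cert=$1
    key=$2

    # Require the PEM header explicitly, so DER or PKCS#12 input is
    # rejected whatever formats the local OpenSSL would accept.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" &&
        openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "certificate is not PEM formatted" >&2; return 1; }

    # Password-protected keys: PKCS#8 ("ENCRYPTED PRIVATE KEY") or the
    # legacy format ("Proc-Type: 4,ENCRYPTED" header inside the block).
    if grep -Eq -e 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "private key is password protected" >&2; return 2
    fi
    grep -q -e 'PRIVATE KEY-----' "$key" &&
        openssl pkey -in "$key" -passin pass: -noout 2>/dev/null ||
        { echo "private key is not PEM formatted" >&2; return 1; }

    # The guide lists RSA 2048 and RSA 4096 certificates as usable.
    bits=$(openssl x509 -in "$cert" -noout -text |
        sed -n '/Public Key Algorithm: rsaEncryption/,/bit)/s/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    case $bits in
        2048|4096) ;;
        *) echo "certificate key is not RSA 2048 or 4096" >&2; return 3 ;;
    esac

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 4; }

    echo "ok: RSA $bits certificate, unencrypted PEM key matches"
}
```

Run it on the machine that holds the key, so the unencrypted private key never leaves that host except for the upload itself.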
Deleting a certificate
WARNING: Deleting a certificate does not remove it from routes (domains) in existing deployments. To prevent serving old certificates, update those routes (domains) to use a different certificate before deleting the old one.
You can delete certificates that aren't in use, as long as they are not attached to any provisioned Cloud WAF instances.
- Log in to the Next-Gen WAF control panel.
- From the Corp Manage menu, select Cloud WAF Certificates.
- Click View to the right of the certificate that you want to delete. The view certificate page appears.
- Click Remove certificate in the upper-right corner of the page.
Updating routes with a new certificate
To update a certificate on a given deployment, you must remove the certificate from all routes (domains) in the deployment and replace it with the new certificate. If the old certificate is still valid and exists on any routes (domains) in a Cloud WAF deployment, it can still be served by all other matching routes in that deployment.