SSL

Administration of certificates

Introduction

This section allows you to manage your SSL Certificates. You can create, edit, attach, and remove certificates. The certificates themselves can be uploaded and stored into Reblaze's cloud, or a cloud load balancer.

A note on certificates and sites

If you are reading this Manual as part of an initial evaluation of Reblaze, and if you have large numbers of certificates to manage, you should know that Reblaze treats certificates differently than most other security solutions.

It's not unusual for some companies (especially SaaS platforms) to have dozens or even hundreds of certificates to manage. Unfortunately, most security solutions treat each SSL Certificate as a separate "site," and they charge their customers on a per-site basis. Thus, these solutions can be extremely expensive.

Contrary to this, Reblaze does not treat certificates as sites. A certificate is merely a certificate. For customers with tens or hundreds of certificates to manage, Reblaze's monthly pricing can be one or two orders of magnitude less than its competitors'.

Section Overview

The SSL Management interface is split into 2 tabs: Load balancers and Certificate store.

The Load balancers list shows the load balancers for the current site, and the certificates that are attached to them. Certificate store is where certificates are managed.

Load Balancers

Fig. 1. Load balancers list

Entry parameters

For each load balancer shown in the list, the displayed parameters are:

Parameter

Description

Name

A unique identifier for use elsewhere in the interface.

#Of Certs

Number of certificates attached to the load balancer / Max number of certificates can be attached to a load balancer of this type (as shown in Table 1 below)

Cloud Provider

AWS, Azure, GCP or a custom cloud provider.

DNS Name

The balancer's dns name.

Region

The cloud vendor region name (from Table 2 below)

Type

Load balancer type (from Table 1 below)

Load balancer type

Max number of certificates

gcp

15

application

25

classic

1

Table 1: Max number of certificates depending on the load balancer type

GCP

AWS

Azure

Digital Ocean

asia-east1 asia-east2 asia-northeast1 asia-northeast2 asia-northeast3 asia-south1 asia-southeast1 asia-southeast2 australia-southeast1 europe-north1 europe-west1 europe-west2 europe-west3 europe-west4 europe-west6 northamerica-northeast1 southamerica-east1 us-central1 us-east1 us-east4 us-west1 us-west2 us-west3 us-west4

us-east-2 us-east-1 us-west-1 us-west-2 af-south-1 ap-east-1 ap-south-1 ap-northeast-3 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-south-1 eu-west-3 eu-north-1 me-south-1 sa-east-1

eastasia southeastasia centralus eastus eastus2 westus northcentralus southcentralus northeurope westeurope japanwest japaneast brazilsouth australiaeast australiasoutheast southindia centralindia westindia canadacentral canadaeast uksouth ukwest westcentralus westus2 koreacentral koreasouth francecentral francesouth australiacentral australiacentral2 uaecentral uaenorth southafricanorth southafricawest switzerlandnorth switzerlandwest germanynorth germanywestcentral norwaywest norwayeast

NYC1 NYC2 NYC3 AMS2 AMS3 SFO1 SFO2 SFO3 SGP1 LON1 FRA1 TOR1 BLR1

Table 2: Cloud vendor regions

Administration

The Filter by name input control at the top accepts regular expressions, and quickly filters the list to show matching entries.

Selecting an entry in the list expands it to show that load balancer's details: a default certificate, and a list of any additional attached certificates.

Fig. 2. Load balancer details

The expanded list provides several buttons to perform administrative actions.dnnd

  • To change the default certificate for the load balancer, select the Set default button next to the name of the desired certificate.

  • To remove a certificate from the list, select the Detach button next to its name.

  • To attach a certificate from the certificate store, select Attach certificate. See discussion below.

Attaching a certificate

Additional certificates can be attached to a load balancer until it reaches its full capacity, i.e. the maximum number of certificates shown in Table 1. (Full capacity is indicated when the "# Of Certs" column contains two similar numbers, e.g., "15 / 15". Also, the Attach certificate button will change to the message "You have reached the max certificates quota for the load balancer.")

To attach a certificate, select the Attach certificate button. This will open a modal window with a list of unattached certificates from the certificate store:

Fig. 3. Unattached certificates list

The Filter by name input control at the top accepts regular expressions, and quickly filters the list to show matching entries.

To attach a certificate, press the Attach button next to its name. The certificate will disappear from this list ail appear in the list of the certificates attached to the load balancer (see Figure 2).

Certificate store

This tab displays certificates according to the site to which they are attached.

Fig. 4. Certificate store

The Filter by name input control at the top accepts regular expressions, and quickly filters the list to show matching entries.

For each entry, the displayed parameters are:

Parameter

Description

Name

A unique identifier for use elsewhere in the interface.

AWS

Whether the certificate is loaded to AWS (see explanation below).

GCP

Whether the certificate is loaded to GCP (see explanation below).

Expiration Date

When the certificate expires.

Linked To

This field is populated when this certificate is chosen for use in the Proxy Settings section.

Certificates are loaded console. After that they can be loaded to a cloud provider. The AWS/GCP columns indicate which provider has the certificate. It can be none, one, or both.

Generating a new certificate

Reblaze provides the capability to generate an SSL Certificate for free using the Let's Encrypt service. This can be done using the "Generate Certificate" button on the Planet Overview page.

Adding an existing certificate to Reblaze

SSL certificates can be added to Reblaze in two ways:

  • Uploading a PFX file.

  • Manually entering the certificate information.

In both cases, begin by clicking the "+" button. This dialog will appear:

Fig. 5. Adding a certificate

To upload a PFX file, select "Extract pfx file." Otherwise, enter the Private Key, Certificate body and Intermediate chain values into their respective text boxes.

Editing and managing existing certificates

To remove an existing certificate, click on its trash icon to the right of its entry in the list. You can delete a certificate if it's not linked to a site. However, you cannot remove the last certificate on a load balancer.

To edit a certificate, click on its edit icon to the right of its entry in the list. This dialog will appear:

Fig. 6. Editing a certificate

The following options are offered:

  • Attach to application - Select an application/site and attach it to this certificate.

  • Replace existing certificates - When this is chosen, a "Select Certificate" dropdown list will appear. Selecting one and then clicking "Save" will result in all sites/applications being transferred from the selected certificate over to the certificate you're currently editing.

  • Auto Replacement by Let's Encrypt: See discussion below.

  • Download PFX: Download the certificate information as a file in PFX format.

When managing certificates through one of these options (except for "Download PFX"), you must click the Save button to preserve your changes.

Automated replacement using Let's Encrypt

Let's Encrypt is a free certificate authority service. Reblaze integrates with it, and offers this service by default.

Once a day, Reblaze will check each application it protects. If that application's certificate is going to expire in the coming week, and itsAuto Let's Encrypt Replacement option for that certificate is enabled, Reblaze will generate a new certificate using Let's Encrypt, and will attach all of its sites to the new certificate.

Last updated