Some of our customers join Incapsula while already using their own SSL certificate, and wish to keep exactly the same certificate while on our service. These may be EV (Extended Validation) certificates, which give visitors a clearer indication of the site's identity and of the authenticity of its encrypted connection, or simply paid-for certificates that have been deployed at the customer's site for some time. Customers on our Business and Enterprise plans now have the option to do this themselves via the Incapsula Management Console.
To accommodate the growing need for custom SSL certificates, Incapsula now uses the relatively new SNI (Server Name Indication) extension of the SSL protocol. All modern browsers support this extension: the client includes the hostname it wants to reach in its request, so the server can select and present the certificate for that hostname when setting up the encrypted connection. In a traditional setup, every custom SSL certificate was assigned a dedicated address in the IP range, and reaching that address was essential for the server to present the correct certificate. With SNI, a user's request can be served with the correct SSL certificate through any IP in the range. Because of the global shortage of IPv4 addresses, we (like many other service providers) have chosen this newest available solution as the mechanism for serving the needs of current and future customers.
The Incapsula Solution
Business and Enterprise customers may upload their own certificate themselves, via the Incapsula Management Console GUI directly or via the API. The following certificate formats are supported:
PFX, PEM and CER.
The uploaded certificate will be visible to all users with browsers that support SNI.
As part of the activation process, Incapsula requires that an SSL website add its domain to an existing Incapsula certificate. This certificate will be presented to any visitor trying to access your website, indicating that the connection is secure.
Once the custom certificate is uploaded, browsers that support SNI are presented with the custom certificate, while browsers that do not support SNI are presented with the Incapsula-generated certificate.
Browsers that support SNI requests:
- Internet Explorer - 7 or later, on Windows Vista or higher. Does not work on Windows XP.
- Mozilla Firefox - 2.0 or later
- Opera 8.0 or later
- Google Chrome - 6 or later
- Safari 3.0 or later
- MobileSafari in Apple iOS 4.0 or later
- Android default browser on Honeycomb (v3.x) or newer
- Windows Phone 7
Industry rule of thumb: approximately 90% of the browsers in use worldwide support SNI.
Uploading a custom certificate
Incapsula now allows customers on the Business and Enterprise plans to upload their own certificates to our service.
The following chapter details the custom certificate upload process.
Uploading a custom certificate is a two-step process:
- Step 1: Configuring the Incapsula generated certificate
- Step 2: Configuring the custom certificate
We kept SSL settings under the “General” pane in the site settings tab:
Step 1: Configuring the Incapsula generated certificate:
The first step is to configure the Incapsula generated certificate by clicking “configure” in the "Incapsula Generated Certificate" column:
A popup window opens and the correct e-mail address must be picked from a drop-down list. A validation e-mail will be sent to the address that was specified. Choosing the correct e-mail address is critical, as a certificate cannot be issued unless the link in the validation e-mail is followed.
Soon after an address is chosen, a validation e-mail will be sent to that address.
Once validated, the GUI will show active status:
Step 2: Configuring the custom certificate:
The second step is to configure the custom certificate by clicking “configure” in the "Custom Certificate" column:
There are two options for providing the certificate:
- Option 1 – Use Existing Certificate: When this option is picked, Incapsula retrieves the certificate for the service (the certificate that your users will see while they are on your site) directly from your website, so uploading a certificate file is not required. After the certificate is retrieved you will be asked to type a passphrase in order to decrypt it and view its details on screen. Once the passphrase is typed correctly the certificate details are shown, and you can proceed to upload the RSA key to complete the process (the RSA key may also require a passphrase to decrypt). This option is suitable for customers who wish to use on the Incapsula service exactly the same certificate that is currently configured for their website.
- Option 2 – Upload a New Certificate: When this option is picked you will be asked to upload a certificate file for the Incapsula service (the certificate that your users will see while they are on your site). The file must be in one of the following formats: PFX, PEM or CER. If the file requires a passphrase to decrypt, you will be asked to type it before you can view the certificate details. After the certificate is uploaded and its details are shown, you can proceed to upload the RSA key to complete the process (the RSA key may also require a passphrase to decrypt). This option is suitable for customers who wish to use a specific certificate that is different from the one currently configured for their website.
Note: in order to ensure the correct upload of the certificate file, please refrain from having periods (.) in the filename.
You will be able to view the details of the chosen certificate, including:
- Issued to – the specific domain/s to which the SSL certificate was issued
- Issued By – the CA that issued the SSL certificate
- Valid from / to – the certificate's validity period
- Certificate Chain
You will see a red “X” next to one or more of the certificate details lines in the following cases:
- Issued to – in case the SSL certificate was issued to a different domain than the one to which it is uploaded
- Issued By – In case the CA that issued the SSL Certificate is not recognized by our system
- Valid from / to – in case the validity period of the SSL certificate has already ended (the certificate has expired)
- Certificate Chain – In case the chain is broken (not complete)
These red “X” marks are only intended to give you a clear view of suspected issues with this SSL certificate.
They have no impact on the Custom Certificate Upload process – you will be able to complete the process with any number of red “X” marks.
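The checks behind the red “X” marks above, the key/certificate match that the console performs before publishing, and the SNI decision described earlier (custom certificate for browsers that send SNI, Incapsula-generated certificate for those that do not) can be expressed in a few functions. The Go program below is an added example written for this article; it is not Incapsula's implementation. The CA names, the hostname www.example.com and the whole PKI it builds are constructed fixtures, and "recognized CAs" are simply whichever roots the caller passes in.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Report mirrors the four detail lines the console can mark with a red "X" (Issued to,
// Issued By, Valid from/to, Certificate Chain) plus the key/certificate match test.
type Report struct {
	IssuedTo, IssuedBy, Valid, Chain, KeyMatches bool
}

// signer returns the first certificate in pool whose key signed c, or nil.
func signer(c *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, p := range pool {
		if c.CheckSignatureFrom(p) == nil {
			return p
		}
	}
	return nil
}

// walkChain follows leaf -> intermediates by signature, ignoring dates, so a missing
// intermediate and a complete chain ending at an unrecognized CA are told apart.
func walkChain(leaf *x509.Certificate, inters, roots []*x509.Certificate) (issuedBy, chain bool) {
	for cur, hop := leaf, 0; cur != nil && hop <= len(inters); hop++ {
		if signer(cur, roots) != nil {
			return true, true // anchored at a CA the system recognizes
		}
		if cur.CheckSignatureFrom(cur) == nil {
			return false, true // complete, but ends at a self-signed CA outside roots
		}
		cur = signer(cur, inters) // nil when the issuing intermediate was not supplied
	}
	return false, false
}

// Inspect evaluates a leaf the way the upload screen does: roots are the CAs
// "recognized by our system", inters the intermediates uploaded with the leaf.
func Inspect(leaf *x509.Certificate, inters, roots []*x509.Certificate, key *rsa.PrivateKey, host string, now time.Time) Report {
	issuedBy, chain := walkChain(leaf, inters, roots)
	pub, isRSA := leaf.PublicKey.(*rsa.PublicKey)
	return Report{
		IssuedTo:   leaf.VerifyHostname(host) == nil,
		IssuedBy:   issuedBy,
		Valid:      !now.Before(leaf.NotBefore) && !now.After(leaf.NotAfter),
		Chain:      chain,
		KeyMatches: isRSA && key != nil && pub.Equal(key.Public()),
	}
}

// SelectCertificate is the server-side SNI decision: a client that names the site gets
// the customer's certificate; one that sends no SNI (IE on Windows XP) gets the shared one.
func SelectCertificate(custom, shared *tls.Certificate) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if hello.ServerName != "" && custom.Leaf != nil && custom.Leaf.VerifyHostname(hello.ServerName) == nil {
			return custom, nil
		}
		return shared, nil
	}
}

// mint builds a one-year fixture certificate for cn signed by parent (self-signed when
// nil). Hypothetical PKI, not a real CA; RSA because the console asks for an RSA key.
func mint(cn string, dns []string, ca bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true, IsCA: ca,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, so parsing cannot fail
	return cert, key
}

func main() {
	root, rootKey := mint("Example Trusted Root", nil, true, nil, nil)
	leaf, leafKey := mint("www.example.com", []string{"www.example.com"}, false, root, rootKey)
	fmt.Printf("%+v\n", Inspect(leaf, nil, []*x509.Certificate{root}, leafKey, "www.example.com", time.Now()))
}
```

The chain walk deliberately ignores dates, so an expired certificate, a missing intermediate and an unrecognized CA surface as three separate marks, matching the way the console reports them; Go's x509.Verify would fold all of them into a single error. SelectCertificate is the shape of a tls.Config GetCertificate callback: the shared certificate is the only thing that can be served when the ClientHello carries no server name.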
Option 1 - Use existing certificate:
This is the default option; the system shows you the certificate details retrieved from your site immediately after you click “configure”:
Certificate details will be displayed on screen. Next you will be asked to provide an RSA key for the certificate:
The system will then validate whether the key provided matches the certificate. If it does not, it will alert on a mismatch:
Once there's a match, click Next and then Finish to publish the certificate:
Option 2 - Uploading a new certificate:
Pick this option if you wish to upload a certificate file:
Once picked, a file browser window opens, where you will be asked to pick the SSL certificate file for upload. If the certificate requires a passphrase to decrypt, you will be asked to type it in order to proceed and view the certificate details:
After typing in the correct passphrase, you will be able to move on to the RSA key upload screen. If a passphrase is required for decrypting the key as well, you will be asked to type it here:
After typing in the correct passphrase, click Next and then Finish and the certificate will be published:
If one or more of the certificate details were marked with a red “X” (see above), you will also see those details in the SSL Support box. For example:
Once the upload is completed and verified, the GUI will show it as active:
By pressing the details link you will be able to see the details of the certificate on record:
Once both certificates are deployed, the site will be fully functional in terms of SSL, and visitors will be able to see the custom certificate when visiting the site.
API example (PFX format only):
curl -d api_id=xx116 -d api_key=xxx711c-6xad-4x79-xba-fx5e5b91 -d site_id=5x5168 \
-d certificate="$CERT_B64" -d private_key="$KEY_B64" -d passphrase=Koxx3 \