Many Cloud WAF (formerly Incapsula) customers use the secure HTTPS protocol on their websites so that their sessions are encrypted and their users’ data is protected. To do so, the customer must first receive an SSL (Secure Sockets Layer) certificate from a CA (Certificate Authority).
When a customer uses Cloud WAF's web security features, end-users connect to Cloud WAF proxy/CDN servers (called Points of Presence or PoPs), and their messages are relayed from Cloud WAF to the customer site. Therefore, to maintain SSL protection along the entire chain of communication, both Cloud WAF servers and customer servers must have SSL certificates. Cloud WAF servers use the customer’s SSL key when communicating with customer origin servers.
To protect the link between the end-users and cloud WAF servers, there are two options:
- Cloud WAF provides a new SSL certificate for the customer, issued by its CA (certificate authority). This is the more commonly-used option.
- Cloud WAF uses the customer’s own custom SSL certificate, issued by the customer’s chosen CA, to encrypt communications with the end-users. In this case, the customer must provide Cloud WAF with its private key, via a secure portal. Sites with stricter EV (Extended Validation) certificates usually choose this option.
Free plan customers are not eligible for SSL Support. For more information please check our "Pricing and Plans" page.
Cloud WAF must issue a certificate for the second option as well, in order to provide service to users whose browser doesn’t support SNI. (These are mostly older versions of Internet Explorer, or any IE version running on Windows XP).
SSL certificates issued by Cloud WAF are provided at no extra cost.
Registering a Site with SSL Protection
When you register your site as a Cloud WAF customer site, using the Cloud WAF web interface (https://my.imperva.com/admin/login?logout=true), your site is automatically identified as using the HTTPS protocol. The registration wizard will then guide you through the following steps:
Validate your domain ownership either by clicking a link sent via email, or by adding a specific text record to your DNS zone file.
After your site is validated, Cloud WAF requests that a new SSL certificate be generated for your site. There is the option to upload an Imperva generated SSL certificate and/or a custom SSL provided by the customer. The allocation of both for the site is recommended. This is usually completed within several minutes unless the site is marked for extended validation.
At any stage during the registration procedure, you can click the button. If you choose this option, communications between your end-users and the Cloud WAF, and between Cloud WAF and your site, will not be encrypted. This is not recommended for sites that require SSL protection.
- If you would like Cloud WAF to use your own custom SSL certificate, follow the instructions described in this link.
To register a site with SSL protection:
Add the site using Cloud WAF “Add Site” wizard. After you enter the site’s URL, Cloud WAF scans your site details, including identifying SSL protection. If Cloud WAF detects that your site uses the HTTPS protocol, you will see the “HTTPS” value in the Detecting HTTP/HTTPS field, as in the image below.
Click . The following diagram is displayed, illustrating how SSL protection works along the chain of communication to your site.
To request Cloud WAF to issue you a new SSL certificate, click The site validation page is displayed.
There are 2 validation methods:
1. To validate your site by adding a DNS record:
- Click the option on the left (this is selected by default).
- Copy the string in the Value field in the table on the right, and add it as a text record to your DNS zone file.
- Click . Cloud WAF verifies that the text record has been added.
- Go to step 6 of this procedure.
2. To validate your site by email:
- Click the option on the left. The following page is displayed.
- The address dropdown is populated with all the email addresses registered for your site with the "Whois lookup" service. You can click to send test emails to all the addresses listed, so that you can check the ones to which you have access. (The test emails do not contain a validation link.)
Select the email address to which you want Cloud WAF to send a validation link. The button is enabled.
- Click the button. Cloud WAF sends the validation email to this selected address.
- Open the email you received and click on the validation link.
5. After your site has been confirmed and validated, Cloud WAF will begin the process of issuing a new SSL certificate for your site.
6. If for any reason the issuing of the new SSL certificate is not completed promptly, you may see the below message and will receive an email notification when the certificate is issued.
7. Otherwise, when the process is complete, the following message is displayed, indicating that the certificate was issued successfully.
For existing sites:
1. Enter to Sites -> Settings -> General
2. Click Configure and choose the required email address. The address dropdown is populated with all the email addresses registered for your site with the Whois lookup service.
3. The certificate status will be changed and Cloud WAF will send the validation email to the selected address.
4. Open the email you received and click on the validation link. ( For full domains you should receive 2 emails, for the naked domain + wildcard).
Important Note: If you would like to use the DNS validation method, please contact support.