Applications that accept traffic using the HTTPS protocol – which is recommended for all modern applications – must have a valid SSL certificate. Without a valid certificate, users accessing the application will see an ominous "certificate warning" page, as shown here.
Your users will not encounter the certificate warning page because WAF-as-a-Service can automatically obtain SSL certificates for your applications – no need to request, install, renew, or pay for anything. This feature is enabled by default when you set up an application in WAF-as-a-Service. You can also choose to turn it off and upload your own certificate at any point.
How Automatic Certificates Work with Barracuda WAF-as-a-Service
For security purposes, you must change your DNS A records to obtain a certificate. Changing the records is proof that you own the domain in question or are authorized to act on its behalf.
These steps describe the flow of working with automatic certificates and WAF-as-a-Service. Only Step 1 requires you to perform an action.
1. Change your DNS A records to the IP addresses allocated by Barracuda. Refer to the instructions described in Getting Started.
2. Barracuda verifies your DNS A records have been changed.
3. Within two minutes of the DNS A records change, Barracuda obtains an SSL certificate on your behalf and installs it on your application.
   All encrypted HTTPS traffic will now use this certificate. The certificate is typically valid for 90 days, though this is subject to change.
4. Fifteen days before your certificate expires, Barracuda verifies again that your DNS A records are still correct. If they are, Barracuda renews your certificate for another 90 days, so it never expires.
Keep Your DNS A Records Updated
As explained above, automatic certificates are renewed by Barracuda well in advance so they do not expire. However, if you change your DNS A records to a value other than the IP address allocated by Barracuda, Barracuda will not be able to renew your certificate. In this case, Barracuda will continue to monitor your DNS A records, and as soon as they are correct again, Barracuda will renew the certificate. If you do not change your DNS A records back before the certificate expires, the certificate will be allowed to expire. The certificate will only be renewed two minutes after you change your records to the correct values, as explained in the steps above.
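A monitoring check for the renewal condition described above, as an added example that is not Barracuda's code: it compares the hostname's current A records with the IP addresses allocated to you and reads the expiry of the certificate being served. The hostname and allocated addresses are placeholders (documentation-range values), and the status names are this example's own.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 15  # per the page: renewal is attempted 15 days before expiry


def resolve_a_records(hostname):
    """Return the set of IPv4 addresses the hostname currently resolves to."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def fetch_not_after(hostname, port=443, timeout=10):
    """Return the expiry time (UTC) of the certificate served for hostname.

    Raises ssl.SSLCertVerificationError if the certificate has already expired.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def renewal_status(resolved, allocated, not_after, now):
    """Classify renewal health as (status, days_left, unexpected_addresses)."""
    stray = sorted(set(resolved) - set(allocated))
    days_left = (not_after - now).days
    if stray or not resolved:
        # A records point somewhere else (or nowhere): renewal cannot succeed.
        return ("dns_mismatch", days_left, stray)
    if days_left < RENEWAL_WINDOW_DAYS:
        # DNS is correct but the certificate is already inside the renewal window.
        return ("renewal_overdue", days_left, stray)
    return ("ok", days_left, stray)


if __name__ == "__main__":
    HOSTNAME = "app.example.com"                  # placeholder hostname
    ALLOCATED_IPS = {"192.0.2.10", "192.0.2.11"}  # placeholder allocated addresses
    status = renewal_status(resolve_a_records(HOSTNAME), ALLOCATED_IPS,
                            fetch_not_after(HOSTNAME), datetime.now(timezone.utc))
    print(HOSTNAME, *status)
```

Run it on a schedule and alert on any status other than `ok`; a `dns_mismatch` result gives you the days remaining to correct the records before the certificate expires.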
If You Cannot Change Your DNS A Records
If you need valid certificates, but cannot change your DNS A records, you must purchase or obtain an SSL certificate from a trusted Certificate Authority (CA). You can then upload this certificate to Barracuda WAF-as-a-Service and use it instead of the automatic certificate process described in this article.
To upload a certificate from a trusted CA:
1. Within Barracuda WAF-as-a-Service, select the application that requires a certificate.
2. In the left panel, select Endpoints.
3. Find the Endpoint that is serving traffic using HTTPS (denoted by a lock icon next to the port number). Click the dots in the More column and select Edit Endpoint.
   If you have more than one endpoint serving traffic using HTTPS, perform the following steps for each endpoint.
4. Scroll down and switch the Automatic Certificate to the off position. Two fields appear: Private Key and Certificate.
5. Copy the Private Key and Certificate values provided by your Certificate Authority (CA) and paste them in the corresponding fields. If your Certificate Authority (CA) provided you with both a certificate and an intermediate certificate, in the Certificate field, paste the certificate value, then on a new line, paste the intermediate certificate.
6. Click Save.