Certificates

To save configuration changes or edits you make to any feature or option, you must click Save at the lower right of the section or page where you are making changes, then click Apply Changes at the upper left of the page and click OK. Changes are not stored until you both save and apply them.

To go to the previous section, see Get Started with Alert Logic Managed Web Application Firewall (WAF). To go to the next section, see Fortra WAF Data Anonymization.

Certificate management

The certificate configuration section in Fortra WAF provides a dedicated interface for managing SSL/TLS certificates associated with virtual hosts. This section supports both manual and automated certificate workflows.

In addition to the certificate options described in Manage Your SSL Certificates, the certificate configuration section includes support for Automatic Certificate Management Environment (ACME) certificates. When ACME is enabled, certificates can be automatically requested and renewed through compatible Certificate Authorities such as Let’s Encrypt.

The section allows:

  • Upload and assignment of custom certificates
  • Configuration of ACME-based certificate provisioning
  • Setup of automatic renewal parameters
  • Inspection of certificate status and expiration details

These capabilities are intended to support secure and continuous TLS coverage across WAF-managed services.

ACME protocol

The ACME protocol (RFC 8555) automates the certificate issuance and renewal process. It is commonly used with Certificate Authorities (CAs) such as Let’s Encrypt to obtain publicly trusted SSL/TLS certificates without manual intervention. ACME certificates are domain-validated: before issuing, the CA requires the requesting system to prove control of every requested domain by completing a challenge, and it issues a certificate only for the names that were validated.

In Fortra WAF, ACME support allows certificates to be provisioned and renewed automatically, reducing the need for manual certificate handling and helping to prevent service disruptions due to expired certificates.

Let’s Encrypt certificate transparency logging

Let’s Encrypt, like every publicly trusted CA, submits each certificate it issues to public Certificate Transparency logs. Every SAN in the certificate, and therefore the hostname of every website the certificate covers, becomes publicly searchable as soon as the certificate is issued. If a hostname must not be discoverable (an internal admin or staging site, for example), do not request a Let’s Encrypt or any other publicly trusted certificate for it; use a self-signed or private-CA certificate uploaded through Manage Custom SSL Settings instead.

ACME certificate workflow

The ACME integration in Fortra WAF follows this workflow:

  1. Account Registration: An ACME account must be registered with the selected CA. The account registration process is automated by Fortra WAF and includes:
    1. Providing a valid email address for registration.
    2. Accepting the CA’s terms of service.
    3. Generating and storing a private account key used to sign ACME protocol messages.
    ACME accounts are created in the ACME Accounts section.
  2. Certificate Request: A certificate is requested in the ACME Certificates section. The issued certificate includes the requested domain names (SANs) and is stored for use with virtual hosts.
  3. Domain Validation: The CA must verify control over each requested domain before issuing a certificate. Fortra WAF supports:
    1. HTTP-01 challenges, where the CA fetches http://<domain>/.well-known/acme-challenge/<token> over port 80 and the WAF answers with the key authorization for that token.
    2. DNS-01 challenges, where a TXT record named _acme-challenge.<domain>, containing a digest of the key authorization, is created in the domain’s DNS zone.
    Domain validation is configured with the certificate request.
  4. Assignment: Issued certificates are made available for assignment to virtual hosts in the Websites section.
  5. Renewal: Certificates are monitored for expiration. Renewal is initiated automatically using the existing ACME account and challenge configuration.

Certificates configuration

The Certificates page (Services > Websites > Certificates) allows you to manage ACME certificates and assign certificates to websites.

The page is broken into five sections:

  • ACME Certificates: Create, renew, and revoke certificates
  • Websites: Assign certificates to websites
  • ACME Accounts: Create and manage ACME accounts
  • DNS Providers: Configure DNS-01 challenge settings
  • Configuration: ACME auto renewal configuration

ACME certificates

The certificates section can be used to create, renew, and revoke certificates. The table lists each ACME certificate along with its expiration status and the last operation performed on it.

More detailed output for operations on a certificate is written to the daemon log (System > Logs > Daemon), which should be the first place to look when an operation fails.

To request a new certificate, click Request Certificate. This will open the Request Certificate page.

Request certificate

To request an ACME certificate, the following configuration is required:

  1. Select an existing ACME account.
  2. Choose a challenge provider for domain validation.
  3. Specify an alias to identify the certificate.
  4. Select one or more domains, either from the list of configured virtual hosts or by entering custom domain names.
  5. Optionally enable automatic renewal and inclusion of vhost aliases in the certificate SANs.

Configure the certificate request by completing the request form:

  • Auto renew: Enables automatic renewal of the certificate before expiration.
  • Account: Specifies the ACME account to use for the request. Select an ACME account from the drop-down list.
  • Challenge provider: Defines the method used for domain validation (e.g., HTTP-01 or DNS-01).
    • When using the HTTP-01 challenge solver, port 80 on the WAF (and any associated worker nodes) must be reachable from the internet. This is a requirement of Let’s Encrypt, not of the WAF.
    • Wildcard certificates cannot be issued through the HTTP-01 challenge solver. If a wildcard certificate needs to be requested, only the DNS-01 challenge solver can accomplish this.
  • Alias: A label used to identify the certificate within the system.
  • Website Domains: Lists domains associated with existing virtual hosts. Selected domains will be included in the certificate request.
  • Custom Domains: Allows manual entry of additional domain names. Multiple domains can be entered, separated by commas.
  • Automatically include vhost aliases in SAN: When enabled, aliases defined for selected virtual hosts are automatically added to the certificate’s Subject Alternative Name (SAN) list.
  • Certificate SANs Preview: Displays the full list of domain names that will be included in the certificate.
  • Request certificate: Submits the ACME certificate request using the configured parameters.

It may take up to 10 minutes to provision a single certificate, depending on how many domain names are requested for the certificate.

There is a hard limit of 100 domains per certificate.

Certificate auto-renewal

Certificates can be marked for auto-renewal. By default, auto-renewal runs once every 6 hours (the auto-renew interval) and renews any certificate that is set to expire within 10 days (the auto-renew window). These values can be changed in the Configuration section. The interval cannot be set to less than 1 hour or more than 168 hours (7 days). The window cannot be set to less than 1 day or more than 89 days (Let’s Encrypt certificates are valid for at most 90 days). Let’s Encrypt recommends renewing when a third of the lifetime remains (30 days for a 90-day certificate); a wider window than the 10-day default leaves more renewal attempts in which to notice and fix a failing challenge before the certificate expires.

Auto-renewal can also be disabled entirely by unchecking the Auto-renew Enabled checkbox, and then saving the configuration.

A renewal can be run on-demand by clicking Run Auto-Renewal Now.
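The interval and window are independent settings, and the documented bounds still permit a combination that never renews anything: if the checker runs less often than the window is wide, a certificate can be outside the window at one run and already expired by the next. The example below, added here and not Fortra WAF code, encodes the bounds from this section, flags that failure mode, and shows what the checker decides for a given certificate expiry. The dates are constructed sample values.

```python
"""Auto-renewal planning for ACME certificates.

Added example, not Fortra WAF code.  Bounds are the ones this page documents
(interval 1-168 hours, window 1-89 days); dates are constructed samples.
"""
from datetime import datetime, timedelta, timezone
import ssl

MIN_INTERVAL_H, MAX_INTERVAL_H = 1, 168   # hours, as documented
MIN_WINDOW_D, MAX_WINDOW_D = 1, 89        # days, as documented
LE_RECOMMENDED_WINDOW_D = 30              # Let's Encrypt: renew with a third of 90 days left


def parse_not_after(not_after: str) -> datetime:
    """Parse a notAfter string in the format ssl.SSLSocket.getpeercert() returns,
    e.g. 'Jan 10 00:00:00 2026 GMT', into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def validate_renewal_config(interval_hours: float, window_days: float) -> list[str]:
    """Return the problems with an interval/window pair; an empty list means fine."""
    problems = []
    if interval_hours != 0 and not MIN_INTERVAL_H <= interval_hours <= MAX_INTERVAL_H:
        problems.append(f"interval {interval_hours}h outside {MIN_INTERVAL_H}-{MAX_INTERVAL_H}h")
    if not MIN_WINDOW_D <= window_days <= MAX_WINDOW_D:
        problems.append(f"window {window_days}d outside {MIN_WINDOW_D}-{MAX_WINDOW_D}d")
    if interval_hours == 0:
        problems.append("interval 0: the auto-renewal checker is off")
    elif window_days * 24 <= interval_hours:
        # The certificate can leave the 'not yet due' state and expire between
        # two consecutive runs, so no renewal is ever attempted.
        problems.append("interval is not shorter than the window: a certificate can expire between two runs")
    if window_days < LE_RECOMMENDED_WINDOW_D:
        problems.append(f"window below the {LE_RECOMMENDED_WINDOW_D} days Let's Encrypt recommends: fewer retries if a challenge fails")
    return problems


def renewal_decision(not_after: datetime, window_days: float,
                     interval_hours: float, now: datetime) -> dict:
    """What the checker decides at 'now', and how many further runs can still
    renew the certificate before it expires (worst case: a run just finished)."""
    remaining = not_after - now
    runs = int(remaining / timedelta(hours=interval_hours)) if interval_hours else 0
    return {
        "days_remaining": remaining / timedelta(days=1),
        "renew_now": remaining <= timedelta(days=window_days),
        "runs_before_expiry": max(0, runs),
    }


if __name__ == "__main__":
    print(validate_renewal_config(6, 10))    # the documented defaults
    print(validate_renewal_config(168, 1))   # allowed by the bounds, but unsafe
    expiry = parse_not_after("Jan 10 00:00:00 2026 GMT")
    print(renewal_decision(expiry, 10, 6, parse_not_after("Jan  1 00:00:00 2026 GMT")))
```

Feeding the notAfter value of the certificate a client actually receives (from getpeercert() against the website, not the value in the WAF table) into renewal_decision is a cheap post-deployment check that the assigned certificate has propagated.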

Websites

The Websites configuration can be used to select a specific certificate for each website. To use a certificate for a website, the domain name of the site must be in the list of domains for the certificate. Once an ACME certificate is selected for a website, it may take a few minutes to propagate the changes for a browser to use the new certificate.

To use a custom certificate for a website instead of an ACME certificate, click the Manage Custom SSL Settings link to open the ADC configuration page, generate a self-signed certificate or import an existing one, and then save and apply the changes.

ACME accounts

Before certificates can be requested from an ACME provider, an account must be created with that provider. The email address on the account receives certificate expiration notices from the provider.

Follow the steps below to complete the setup:

  1. Certificate Authority: Select a certificate authority from the drop-down list. The available options are:
    1. Let's Encrypt Production: Use this for live, publicly trusted certificates.
    2. Let's Encrypt Staging: Use this for testing purposes to avoid rate limits and production certificate issuance.
  2. Alias: Enter a unique alias in the input field to identify the ACME account within the WAF system.
  3. Email: Provide a valid email address in the input field. This address will be used for important notifications from Let's Encrypt.
  4. Key Type: Choose the cryptographic key type from the drop-down list. The default selection is ECDSA256, which is recommended for modern security standards.
  5. Terms of Service Agreement: If you agree to the terms, select the Accept the Let's Encrypt Production Terms of Service agreement checkbox to proceed. This is a required step before account creation.
  6. Create Account: Click Create account to finalize the setup. This button will remain disabled until all required fields are completed, and the Terms of Service checkbox is selected.

Let’s Encrypt environments

The Let’s Encrypt Staging environment is intended for test purposes only. Browsers will not recognize certificates from this environment as valid certificates.

The Let’s Encrypt Production instance has some strict rate limits for provisioning accounts and certificates, so it is encouraged to test configurations with the staging environment when beginning to provision resources.

DNS providers

In this section, DNS Providers can be configured to supply credentials to change DNS records in hosted zones automatically to fulfill the domain challenge checks required by Let’s Encrypt.

Utilizing the DNS-01 challenge type, a TXT record can be automatically placed into a hosted zone of a DNS configuration that provides proof of ownership of a domain name to Let’s Encrypt. This can be utilized to provision wildcard certificates for a domain.

The following DNS providers are supported:

  • AWS Route53
  • Azure DNS

AWS Route53

An IAM access key ID and secret access key are required for API access to Route53. Select the Use Environment Credentials checkbox to use the credentials specified in the Configuration section of the UI; otherwise, enter dedicated credentials for changing Route53 records.

  • Region: The region in which to use the IAM credentials. This is required even though Route53 is a global service. It can typically remain at the default of us-east-1, unless a custom IAM policy in the account that holds the Route53 records requires a different region.
  • Use Environment Credentials: Select this checkbox to use the credentials specified in the Configuration section of the UI. If Use delegated IAM role is also checked, the credentials from the environment variables or the EC2 instance profile are used.
  • Access Key ID: The access key ID of the IAM credentials to use.
  • Secret Access Key: The secret access key that pairs with the access key ID. Treat it as a password, and issue it for a dedicated IAM user or role that holds only the Route53 permissions shown below rather than reusing administrative credentials.
  • External ID (optional): The external ID to present when assuming a role. Refer to the AWS IAM User Guide if you need to use an external ID.
  • Assume Role ARN (optional): The ARN of the role to assume for Route53 access. Refer to the AWS IAM User Guide for role assumption.
  • TTL: The time-to-live of the TXT record the WAF creates for the challenge.

It is necessary for the IAM User or Role to have access to the Hosted Zone in question.

AWS IAM user authorization

Below is an example least-privilege policy that allows adding and removing TXT records whose names start with _acme-challenge. in a specific hosted zone:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z11111112222222333333"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z11111112222222333333"
      ],
      "Condition": {
        "ForAllValues:StringLike": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_acme-challenge.*"
          ],
          "route53:ChangeResourceRecordSetsRecordTypes": [
            "TXT"
          ]
        }
      }
    }
  ]
}

Change Z11111112222222333333 to the ID of the hosted zone for your deployment. Note that route53:ListHostedZonesByName does not support resource-level permissions, so its Resource must be "*"; scoping it to a hosted zone ARN causes the zone lookup to be denied. It only lists zone names and IDs, while the statements that read and change records stay scoped to the one hosted zone. The ForAllValues condition on route53:ChangeResourceRecordSets means that every record name in a change batch must match _acme-challenge.* and every record type must be TXT; a batch that also touches any other record in the zone is rejected as a whole, so a compromised WAF credential cannot repoint the site’s A or CNAME records.
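To see what the condition block does and does not permit before handing the credential to the WAF, it helps to run the policy through a small evaluator. The example below is added here and is not AWS or Fortra code; it implements only the subset of IAM semantics this policy uses (Allow/Deny, action and resource wildcards, ForAllValues:StringLike) and assumes, as Route53 does, that the request context carries record names normalised to lowercase. The zone ID is the page’s placeholder.

```python
"""Simulate IAM evaluation of the Route53 DNS-01 policy above.

Added example, not AWS or Fortra code.  Covers only the IAM semantics the
policy needs; the zone ID is the page's placeholder, record names are assumed
already normalised to lowercase as Route53 supplies them.
"""
import re

ZONE_ID = "Z11111112222222333333"
ZONE_ARN = f"arn:aws:route53:::hostedzone/{ZONE_ID}"
NAMES_KEY = "route53:ChangeResourceRecordSetsNormalizedRecordNames"
TYPES_KEY = "route53:ChangeResourceRecordSetsRecordTypes"

# The page's policy; ListHostedZonesByName is on "*" because that action
# does not support resource-level permissions.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "route53:GetChange",
         "Resource": "arn:aws:route53:::change/*"},
        {"Effect": "Allow", "Action": "route53:ListHostedZonesByName",
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["route53:ListResourceRecordSets"],
         "Resource": [ZONE_ARN]},
        {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
         "Resource": [ZONE_ARN],
         "Condition": {"ForAllValues:StringLike": {
             NAMES_KEY: ["_acme-challenge.*"], TYPES_KEY: ["TXT"]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' and '?' are the only wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition: dict, context: dict) -> bool:
    for operator, keys in condition.items():
        if operator != "ForAllValues:StringLike":
            raise NotImplementedError(operator)   # keep the simulator honest
        for key, patterns in keys.items():
            # IAM quirk: ForAllValues is satisfied when the key is absent from
            # the request.  Route53 always supplies both keys for record changes.
            for value in context.get(key, []):
                if not any(string_like(p, value) for p in _as_list(patterns)):
                    return False
    return True


def evaluate(policy: dict, action: str, resource: str, context=None) -> str:
    """'Allow' or 'Deny' the way IAM decides: an explicit Deny wins, otherwise
    any matching Allow statement, otherwise implicit deny."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(string_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(string_like(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def change_batch_allowed(zone_id: str, changes: list[tuple[str, str]]) -> bool:
    """Would one ChangeResourceRecordSets call with these (name, type) pairs pass?"""
    context = {NAMES_KEY: [name.lower() for name, _ in changes],
               TYPES_KEY: [rtype for _, rtype in changes]}
    return evaluate(POLICY, "route53:ChangeResourceRecordSets",
                    f"arn:aws:route53:::hostedzone/{zone_id}", context) == "Allow"


if __name__ == "__main__":
    print(change_batch_allowed(ZONE_ID, [("_acme-challenge.example.com", "TXT")]))
    print(change_batch_allowed(ZONE_ID, [("_acme-challenge.example.com", "TXT"),
                                         ("www.example.com", "A")]))
```

The mixed batch in the second call is the case ForAllValues exists for: IAM evaluates the whole change batch, so smuggling an unrelated record in alongside a legitimate challenge record fails the entire request rather than slipping through.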

Azure DNS

Azure DNS requires a Service Principal to have API access to change DNS records:

  • Private Zone: Set this option to true if the DNS zone is an Azure private zone.
  • Resource Group: The resource group that contains the DNS zone for the domains to provision certificates for.
  • Use Environment Credentials: Set this option to true to use the same credentials as set in the Configuration section of the UI.
  • ClientID/AppID: The application (client) ID of the service principal.
  • Client Secret: The client secret of the service principal. Treat it as a password, and give the service principal only the DNS Zone Contributor role on the zone (or zones) it needs to modify.
  • TenantID: The ID of the tenant the service principal belongs to.
  • SubscriptionID: The ID of the subscription that contains the DNS zone.
  • TTL: The time-to-live of the TXT record the WAF creates for the challenge.

Configuration

This section contains the general configuration options for the certificates feature:

  • Auto-renew run interval: Sets how often, in hours (1-168), the auto-renewal checker runs. Setting it to 0 turns the checker off.
  • Auto-renew expiration window: Sets the window (1-89 days) within which a certificate is renewed automatically. A certificate that expires within this window is renewed on the next checker run, provided auto-renewal is enabled. Let’s Encrypt ACME certificates cannot be valid for more than 90 days.
  • The Delete All Resources button can be utilized to remove all configurations, including DNS Providers, ACME Accounts, and ACME Certificates.

Deleting resources

Accounts cannot be deleted if there is a certificate associated with the account. Delete all certificates associated with an account before attempting to delete the account.

Likewise, certificates cannot be deleted if they are attached to one or more websites. It is necessary to disassociate the certificate with all websites it is attached to before attempting to delete a certificate.

However, the Delete all ACME Resources button will delete all resources regardless of whether they are associated with any websites or accounts.

Notes

HTTP-01 challenge port 80 requirements

When using the HTTP-01 challenge solver, port 80 on the WAF (and any associated worker nodes) must be open to the internet. Let’s Encrypt validates each challenge from several network vantage points and does not publish a fixed set of source addresses, so port 80 cannot be restricted to an allowlist; this is a requirement of Let’s Encrypt and cannot be configured or adjusted in the WAF. For more information, see Challenge Types in the Let’s Encrypt documentation.

Wildcard certificates

Wildcard certificates cannot be issued through the HTTP-01 challenge solver. If a wildcard certificate needs to be requested, only the DNS-01 challenge solver can accomplish this.
