uploadWafCertificate — Adding your SSL certificate to Firewall & CDN

The uploadWafCertificate method uploads the user’s SSL/TLS certificate for use with the Firewall & CDN instead of a SiteLock-generated certificate.

Firewall & CDN doesn’t support uploading RSA 4096-bit keys. The public key of your custom SSL/TLS certificate must be less than 4096 bits.

The API endpoint is:

https://api.sitelock.com/v1/partner

Request format

SiteLockOnlineRequest: This element is used to delineate the full API request.
- authentication: The partner’s username, password, and branding
  - username: The partner’s API username
  - password: The partner’s API password
  - partner: (Optional) The brand name to use in messaging
- uploadWafCertificate: The method name
  - site_id: The ID of the site for which to upload the certificate
  - certificate: The contents of a certificate file. See the type element for acceptable certificate file formats. The certificate must be Base64 encoded before uploading.
  - type: The acceptable file formats:
    
    pem: The PEM file format. Requires the private_key element.
    
    cer: The CER file format. Requires the private_key element.
    
    pfx: The PFX file format. Requres the passphrase element.
  - private_key: The private key for use with PEM and CER certificates. The file must be Base64 encoded.
  - passphrase: The passphrase for use with PFX certificates

Example request

<SiteLockOnlineRequest>
    <authentication>
        <user>Username</user>
        <password>Password</password>
    </authentication>
    <uploadWAFCertificate>
        <site_id>1234</site_id>
        <certificate>[base64 encoded file data]</certificate>
        <type>pem</type>
        <private_key>[base64 encoded private key file data for pem- and cer-encoded certificates]</private_key>
        <passphrase>[passphrase for pfx-encoded files]</passphrase>
    </uploadWAFCertificate>
</SiteLockOnlineRequest>

Response format

SiteLockOnlineResponse: This element is used to delineate the full API response.
- uploadWafCertificate: The method name
  - message: The detailed success or error message
  - status: Either ok or error

Example success response

If the request is successful, status will be ok.

<SiteLockOnlineResponse>
    <uploadWAFCertificate>
        <message>Successfully uploaded.</message>
        <status>ok</status>
    </uploadWAFCertificate>
</SiteLockOnlineResponse>

Example error response

The uploadWAFCertificate request may fail under several conditions, including plan restrictions, certificate formatting issues, or mismatched site data. The response includes a status, message, and optionally an error code that provides more detail on the cause of failure.

Below you can find examples and explanations of common error responses.

Example 1: Plan restriction

The request fails because the current plan does not support uploading SSL certificates.

<SiteLockOnlineResponse>
    <uploadWAFCertificate>
        <code>-98</code>
        <message>The plan does not support uploading SSL Certificates.</message>
        <status>error</status>
    </uploadWAFCertificate>
</SiteLockOnlineResponse>

Example 2: Invalid certificate input

This may occur if the certificate format is incorrect, required fields are missing, or the certificate does not match the site’s domain.

<SiteLockOnlineResponse>
    <uploadWAFCertificate>
        <code>2</code>
        <message>Invalid input</message>
        <status>error</status>
    </uploadWAFCertificate>
</SiteLockOnlineResponse>

Other common error messages

Depending on the issue, you may receive one of the following messages:

Message Example	Description
Invalid Certificate	The certificate may be malformed, expired, or not Base64-encoded.
The Certificate does not match your site	The uploaded certificate’s common name does not match the configured domain.
Invalid passphrase	The passphrase provided does not match the encrypted private key.
Missing intermediate certificate	The uploaded certificate chain is incomplete. Please include all intermediates.
SSL certificates [4096] bit is no longer supported ECC certificate [384] bit is not supported	We only accept these two types: RSA certificate with 2048-bit ECC certificate with 256-bit
The certificate has expired	The certificate is no longer valid. Please upload a new one.
The certificate is not yet valid	The certificate’s validity start date is in the future.

Message Example

Description

Invalid Certificate

The certificate may be malformed, expired, or not Base64-encoded.

The Certificate does not match your site

The uploaded certificate’s common name does not match the configured domain.

Invalid passphrase

The passphrase provided does not match the encrypted private key.

Missing intermediate certificate

The uploaded certificate chain is incomplete. Please include all intermediates.

SSL certificates [4096] bit is no longer supported

ECC certificate [384] bit is not supported

We only accept these two types:

RSA certificate with 2048-bit
ECC certificate with 256-bit

The certificate has expired

The certificate is no longer valid. Please upload a new one.

The certificate is not yet valid

The certificate’s validity start date is in the future.

[4096] and [384] represent the actual key size detected during validation and are dynamically inserted into the message.

These errors may occur due to one or more of the following reasons:

The uploaded key size exceeds supported limits (e.g., RSA 4096-bit, ECC 384-bit).
The certificate does not match the domain associated with the site.
One or more required fields (certificate, private_key, or passphrase) are missing or empty.
The certificate chain is incomplete or improperly formatted.
The user’s plan does not support uploading custom SSL certificates.

Refer to the message and code fields in the API response for guidance.