SSL Management

3/14/2012: Added the ability to provide SSL offloading to the local Load Balancing service in Softlayer. The load balancing service allows you to manage the offload capability, as well as, access the SSL certificate manager. In order to utilize SSL offloading, a load balancer must be purchased that offers the capability.

The SoftLayer_Security_Certificate service provides access to the new certificate manager. There are no restrictions on the number or origin of certificates, so please feel free to use it as a centralized storage location for all of your SSL certificates.

The following examples assume instantiation of the client as follows:

$client = SoftLayer_SoapClient::getClient('SoftLayer_Security_Certificate', null, $apiUsername,  $apiKey);

Creating Certificates

Entering a new SSL certificate into the certificate manager is accomplished by sending a SoftLayer_Security_Certificate templateObject to SoftLayer_Security_Certificate::createObject. We do not need to define common name, organization name or validity dates as the certificate manager will extrapolate them from the provided certificate. This method will ensure the information is correct by attempting validation between the certificate, private key and intermediate certificate if provided.

$templateObject = new stdClass;
 
// Populate the certificate and private key.
// Please include -----BEGIN/END ----- delimiters
$templateObject->certificate = Enter Security Certificate Here>;
$templateObject->privateKey = Enter Private Key Here>;
 
// If the certificate authority issues provided an intermediate certificate
// you will need to include it here.
$templateObject->intermediateCertificate = Enter Intermediate Certificate Here>;
 
// Optional
$templateObject->certificateSigningRequest = Enter CSR Here>;
 
try { 
    $newCertificate = $client->createObject($templateObject);
    print_r($newCertificate);
} catch (Exception $e) {
    print "Certificate creation failed: " . $e->getMessage();
}

Editing Certificates

SSL certficiate manager entries can be modified with SoftLayer_Security_Certificate::editObject. Please keep in mind that certificates will only be available for modification if there are no services associated with them. As with createObject you need to pass a SoftLayer_Security_Certificate templateObject but this time with only the changed properties defined.

$client->setInitParameter($certificateId);
$certificate = $client->getObject();
 
if ($certificate->associatedServiceCount > 0) {
    print("Please disassociate this certificate with all services before modifying");
    return;
}
 
$templateObject = new stdClass;
$templateObject>notes = ‘Let this be noted!;
 
try { 
    $result = $client->editObject($templateObject);
    print_r($result);
} catch (Exception $e) {
    print "Certificate modification failed: " . $e->getMessage();
}

Load Balancer Integration

If you have singed up for the SSL offloading service it is not inconceivable that associating your newly created SSL certificate with your load balancer may be advantageous. After purchasing a load balancer with SSL offload capability and adding your certificate SoftLayer_Network_Application_Delivery_Controller_LoadBalancer_VirtualIpAddress::editObject will be used to update your load balancer with the new certificate ID. This is accomplished by populating the securityCertificateId property in your templateObject.

$virtualIpAddressClient = SoftLayer_SoapClient::getClient('SoftLayer_Network_Application_Delivery_Controller_LoadBalancer_VirtualIpAddress', $virtualIpAddressId, $apiUsername,  $apiKey);
 
$templateObject = new stdClass;
$templateObject->securityCertificateId = $certificateId;
try { 
    $result = $virtualIpAddressClient->editObject($templateObject);
    print_r($result);
} catch (Exception $e) {
    print "Certificate association failed: " . $e->getMessage();
}

SoftLayer_Network_Application_Delivery_Controller_LoadBalancer_VirtualIpAddress::startSsl and SoftLayer_Network_Application_Delivery_Controller_LoadBalancer_VirtualIpAddress::stopSsl are used to toggle the SSL offloading service and the bool property sslActiveFlag will show the current state of the offloading service. The toggleSsl function below will use the current state of sslActiveFlag to determine the approprate API call. If necessary you can also use the sslEnabledFlag to determine if a specific VIP has SSL offloading available for use.

function toggleSsl() {
    $virtualIpAddressClient = SoftLayer_SoapClient::getClient('SoftLayer_Network_Application_Delivery_Controller_LoadBalancer_VirtualIpAddress', $virtualIpAddressId, $apiUsername,  $apiKey);
    $action = ($virtualIpAddressClient::getObject()->sslActiveFlag) ? 'stopSsl' : 'startSsl';
 
    try { 
        $result = $virtualIpAddressClient->$action();
        print_r($result);
    } catch (Exception $e) {
        print "$action failed: " . $e->getMessage();
    }
}