Preventing Expiration of Oracle Cloud Infrastructure Public Load Balancer SSL Certificate

Steps to Ensure Continuous Data Traffic and Security for OCI Public Load Balancer's SSL Certificate

Question

An Oracle Cloud Infrastructure (OCI) Public Load Balancer's SSL certificate is expiring soon.

You noticed the Load Balancer is configured with SSL Termination only.

When the certificate expires, data traffic can be interrupted and security compromised.

What steps do you need to take to prevent this situation? (Choose the best answer.)

Answers

Explanations


A. B. C. D. E.

A.

https://docs.cloud.oracle.com/en-us/iaas/Content/Balance/Tasks/managingcertificates.htm

The correct answer to prevent interruption of data traffic and compromised security is option C: Add the new SSL certificate to the Load Balancer, update listeners and backend sets so they can use the new certificate bundle.

Here is a detailed explanation of each option:

Option A: Add the new SSL certificate to the Load Balancer and update backend servers to use the new certificate bundle. This option is not sufficient because updating only the backend servers will not update the Load Balancer listeners that terminate SSL connections. Therefore, the Load Balancer will not be able to decrypt the SSL traffic and forward it to the backend servers, causing an interruption in data traffic.

Option B: Add the new SSL certificate to the Load Balancer and update listeners to use the new certificate bundle. This option is better than option A because it updates the Load Balancer listeners, allowing them to decrypt the SSL traffic and forward it to the backend servers. However, it does not update the backend sets, which may still be configured to use the old certificate bundle. This can cause a security issue since the backend servers will receive unencrypted traffic.

Option C: Add the new SSL certificate to the Load Balancer, update listeners and backend sets so they can use the new certificate bundle. This option is the best because it updates both the Load Balancer listeners and the backend sets, ensuring that all traffic is encrypted with the new certificate bundle. This option also prevents any interruption in data traffic and avoids a potential security issue.

Option D: Add the new SSL certificate to the Load Balancer, update backend servers to work with a new certificate and edit listeners so they can use the new certificate bundle. This option is similar to option B but requires an additional step of updating the backend servers to work with the new certificate. However, it still does not update the backend sets, which can lead to a security issue.

Option E: Add the new SSL certificate to the Load Balancer and implement end-to-end SSL so it can encrypt the traffic from clients all the way to the backend servers. This option is not necessary for this scenario since SSL termination is already enabled on the Load Balancer, and the question only asks to update the SSL certificate. Additionally, implementing end-to-end SSL may add complexity and overhead to the network infrastructure.
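As an added example (not from the original page or from Oracle), the following check follows option C: after the new bundle is added, it lists every listener and backend set that still references the old one. The load balancer description is constructed sample data; the key names (`listeners`, `backend-sets`, `ssl-configuration`, `certificate-name`) and the bundle names `cert-2023` and `cert-2024` are assumptions.

```python
import json

# Constructed sample of a load balancer description. The key names are
# assumptions made for this example, not output captured from a real tenancy.
SAMPLE_LB = json.loads("""
{
  "display-name": "example-public-lb",
  "certificates": {"cert-2023": {}, "cert-2024": {}},
  "listeners": {
    "https-443": {"port": 443, "ssl-configuration": {"certificate-name": "cert-2024"}},
    "http-80": {"port": 80, "ssl-configuration": null}
  },
  "backend-sets": {
    "app-bs": {"ssl-configuration": {"certificate-name": "cert-2023"}},
    "static-bs": {"ssl-configuration": null}
  }
}
""")


def certificate_references(lb):
    """Yield (kind, name, certificate_name) for each listener and backend set
    that carries an SSL configuration; resources without one are skipped."""
    for kind in ("listeners", "backend-sets"):
        for name, resource in sorted((lb.get(kind) or {}).items()):
            ssl_config = resource.get("ssl-configuration") or {}
            cert = ssl_config.get("certificate-name")
            if cert:
                yield kind, name, cert


def stale_references(lb, old_cert):
    """Return the (kind, name) pairs still pointing at the expiring bundle."""
    return [(k, n) for k, n, c in certificate_references(lb) if c == old_cert]


def rotation_complete(lb, old_cert, new_cert):
    """True when the new bundle is present and nothing references the old one."""
    present = new_cert in (lb.get("certificates") or {})
    return present and not stale_references(lb, old_cert)


if __name__ == "__main__":
    for kind, name in stale_references(SAMPLE_LB, "cert-2023"):
        print(f"{kind}/{name} still references cert-2023")
    print("rotation complete:", rotation_complete(SAMPLE_LB, "cert-2023", "cert-2024"))
```

In the sample, the listener has been moved to the new bundle but the backend set `app-bs` has not, so the rotation is reported as incomplete.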