Implementing & Managing Certificates for APEX in OCI

As part of your deployment of your APEX application(s), you might want to make them accessible outside of your organisation's network to allow employees access to the application(s) when working from home or on-site without the need to connect to VPNs and give users true mobile access.

To do this securely, one thing you will need to add is a certificate to the front end to ensure data transfer between the open internet and the application is secure. You can also link the certificate to your DNS Server to allow the use of readable URLs for your application(s).

Here are the steps taken to add a certificate to our department application to allow our team to access it from anywhere and have the URL like the company URL. Our application is set up as VCN with three subnets. One for the Load Balancer, one for the Compute Instance that holds ORDS and one for the DB.

1. Generate a Private Key and Certificate CSR (Certificate Signing Request) for the domain you want to use.
2. Using the CSR, request a certificate from your certificate authority.
3. Add an entry to your DNS Server that will link your chosen URL to the IP address of the Load Balancer.

These first three steps are done by our IT Infrastructure team, who then provide the certificates and private key. Once you have them, you can apply the certificate to the Load Balancer.

Once logged into the OCI Dashboard, navigate to the Load Balancer. The certificate will be applied to the Certificates Resource. Select 'Load Balancer Managed Certificates' to add yours. 

When adding your certificate, you will need to add a name for it, then add the SSL certificate that came as part of the chain, the CA certificate that your certificate provider provides as part of the chain and the private key generated with the certificate chain.

Once these components have been added, OCI will apply the certificate to the Load Balancer. You will then need to apply it to the Listener, to the ORDS Compute Instance and the Backend Set of the ORDS Compute Instance to ensure the communication to the ORDS service is secure using the certificate loaded onto the Load Balancer.

Once these steps are complete, you will be able to access APEX using the URL linked to the DNS Entry over a secure connection.

This is just one part of the process needed to ensure your APEX Instance and application(s) are secure and available over the internet, so this is not the only thing required to secure your APEX instance. But it is part of the process and enables you to use a URL that is readable and linked to your company URL.

Certificates generally last 12 months, so you will need to replace them with up-to-date ones and will need to schedule these in. If your certificate does expire, the user will get a message notifying them the site is not secure and whether they want to continue or not. When your certificate expires, the process is the same for adding a new up-to-date one, apart from the DNS entry would already be in the DNS Server.

Certificates can be managed within OCI and just applied to the relevant. This is something to investigate and will be the basis of a future blog.

For more information, check out our Oracle APEX Services, and if you liked this blog, check out our other APEX blogs here.

Subscribe to Oracle APEX Insights if you want to stay tuned for more APEX updates.