CertAutoPilot logo CertAutoPilot
Get started

Huawei Cloud module

Uploads a certificate to Huawei Cloud's native certificate store and attaches it to one or more ELB listeners, CDN domains, or WAF hosts. Uses AK/SK (access key + secret key) authentication scoped to the region where your resources live.

01Overview

  • Transport: Huawei Cloud REST APIs, signed with the SDK v4 signing algorithm.
  • Auth: Access Key + Secret Key pair (AK/SK). Generated in My Credentials.
  • Scope: one region per target. Multi-region deployments use separate targets.
  • Supported services:
    • ELB (Elastic Load Balance) — listener HTTPS cert.
    • CDN — domain HTTPS configuration.
    • WAF — host TLS certificate.
  • Rollback: not supported. Old certificate IDs remain; the listener/domain/host just references the new one.

02Prerequisites

  • A Huawei Cloud account + IAM user with AK/SK and the minimum policies:
    • SCM Administrator (or a custom policy granting create/list/delete certificate).
    • One of: ELB ReadOnlyAccess + ELB Update Listener, or CDN ReadOnlyAccess + CDN Domain HTTPS Config, or WAF ReadOnlyAccess + WAF Update Certificate — depending on which service(s) you target.
  • The IDs of the ELB listener / CDN domain / WAF host you will update (looked up from the Huawei console or via CLI).

03Create the module credential

  1. Settings → Distribution → CredentialsNewHuawei Cloud.
  2. Access Key + Secret Key. Stored envelope-encrypted.
  3. Save.

04Create a Huawei Cloud target

  1. Settings → Distribution → TargetsNew. Module: Huawei Cloud.
  2. Fields:
    • Region — e.g. ap-southeast-1, cn-north-4. Must match the region of the target resource.
    • Project ID — required for most services; shown in My Credentials → API Credentials.
    • Credential.
    • Service scope: pick one:
      • ELB — listener ID list. We upload a cert, then update each listener's default_tls_container_ref.
      • CDN — domain name list. We write HTTPS config with the new cert reference.
      • WAF — host ID list. We patch the host's certificate.
    • Certificate name prefix — optional; the cert created in SCM uses this plus a fingerprint suffix.
  3. Save → health check calls GET /v3/<project_id>/scm/certificates?limit=1.

05Execution flow

  1. Create a new certificate in SCM (Single Cloud Manager / certificate store). Name: <prefix>_<fingerprint8>.
  2. For each resource ID in scope, PATCH its config to reference the new SCM cert ID.
  3. Old cert ID remains in SCM — Huawei will reject delete while it's referenced somewhere, and we never delete cross-service.

06Rollback — not supported

Old SCM cert IDs remain. To revert, patch the resource back to the previous cert ID via the Huawei console or CLI. Because SCM keeps history, you can always find the old ID.

07Troubleshooting

"Forbidden"

IAM user lacks a required policy. Check IAM → Users → Permissions and grant either the stock policy or a custom one covering the API call the module just made (visible in the backend logs).

"Resource not found in region X"

Target resource lives in a different region than the target config says. Huawei resources are regional — verify in the console.

"Invalid project ID"

Project IDs differ per region; you can't reuse one across regions. Look up the project ID for the resource's region.