This topic describes how to upload or sync local SSL certificates (international standard or SM certificates) and Private Certificate Authority (PCA) certificates to the Certificate Management Service console. It also explains how to share SSL certificates between different Alibaba Cloud accounts for free.
Upload an SSL certificate
If you have an SSL certificate that was issued by a third-party service provider and uses international or SM2 standards, you can upload it to the Certificate Management Service console for management.
Before you upload an SSL certificate, prepare the following files:
An SSL certificate file in PEM format (with a .pem or .crt extension) and the corresponding private key file in PEM format (with a .key extension). If your certificate is in a different format, you can use a tool to convert its format. For more information, see Convert the format of a certificate.
To upload an SM certificate that uses the SM2 algorithm, you must prepare the signing certificate file, the signing certificate private key file, the encryption certificate, and the encryption private key file. If you are unsure about the certificate's algorithm, you can view the certificate details. For more information, see View certificate details.
To better protect your certificate data, certificates that you upload to the Certificate Management Service console cannot be downloaded.
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the Manage Uploaded Certificates tab, click Manage Uploaded Certificates.
In the Manage Uploaded Certificates panel, configure the parameters and click OK.
Different parameters are required for certificates that use the Internationally Accepted Algorithm or the SM2 Algorithm. Configure the parameters as described in the following tables.
Internationally Accepted Algorithm
Parameter
Description
Certificate Algorithm
Select Internationally Accepted Algorithm. International standard algorithms are encryption algorithms, such as RSA and ECC, that are widely reviewed, tested, and recognized by organizations like the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Certificate Name
Set a name for the certificate that you want to upload.
The name can contain letters, periods (.), digits, underscores (_), and hyphens (-).
Certificate File
Enter the content of the certificate file in PEM format.
Format for the certificate file content:
If your business scenario only requires the server certificate to be trusted, the certificate file must contain the server certificate (①) and the intermediate certificate (②). If your server certificate and intermediate certificate are in separate files, you can enter the content of the intermediate certificate in the Certificate Chain configuration item.
If your business scenario requires both the client and server certificates to be trusted, the certificate file must contain the server certificate (①), the intermediate certificate (②), and the root certificate (③). If your server certificate, intermediate certificate, and root certificate are in three separate files, you must concatenate the intermediate and root certificates in the order shown in the diagram and enter the combined content in the Certificate Chain configuration item.
Methods to enter the content:
Manual entry: Open the certificate file in PEM or CRT format with a text editor, copy the content, and then paste it into the text box.
Upload and Parse File (Recommended): Click Upload and Parse File, and select the certificate file stored on your local computer. The file content is automatically parsed into the text box.
Certificate Key
Enter the content of the certificate private key in PEM format.
Format for the private key content:
RSA
ECC
Methods to enter the content:
Manual entry: Open the certificate private key file in KEY format with a text editor, copy the content, and then paste it into the text box.
Upload and Parse File: Click Upload and Parse File, and select the certificate private key file stored on your local computer. The file content is automatically parsed into the text box.
Select Existing CSR: You can select a CSR that was created or uploaded through the Certificate Management Service console. The system automatically matches the CSR with the corresponding certificate file. For more information about CSR operations, see Manually create or upload a CSR.
Note: If you receive a "The certificate and private key do not match" message after you upload the certificate files, your private key file might contain RSA-specific content that the console cannot parse. Run the following command to convert the file before you upload it again:
openssl rsa -in <original_private_key_file_name> -out <custom_new_private_key_file_name>
Certificate Chain
Optional. Enter the intermediate certificate or root certificate in PEM format. If your certificate file contains the complete certificate chain, you can leave this parameter empty.
Format for the certificate chain content:
Intermediate certificate or root certificate
Intermediate certificate (①) and root certificate (②)
Methods to enter the content:
Manual entry: Open the certificate chain file in PEM or CRT format with a text editor, copy the content, and then paste it into the text box.
Upload and Parse File (Recommended): Click Upload and Parse File and select the certificate chain file stored on your local computer. The file content is automatically parsed into the text box.
Resource Group
Optional. Select an associated resource group.
Tag Key, Tag Value
Optional. Set custom tags.
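The following shell functions are an added example and are not part of the Alibaba Cloud documentation. They prepare the Certificate File, Certificate Chain and Certificate Key content described above: they concatenate certificates in the order the console expects, check that the bundle is ordered server, intermediate, root, and verify that a private key belongs to the certificate before you upload it. They assume the openssl command-line tool is installed; all file names are placeholders.

```shell
# Added example, not part of the Alibaba Cloud documentation. Assumes the
# openssl command-line tool is installed; file names are placeholders.

# Build the Certificate File content in the order the console expects:
# server certificate, then intermediate, then (for mutual trust) root.
# Prints the number of certificate blocks written (expect 2 or 3).
# Usage: assemble_chain out.pem server.crt intermediate.crt [root.crt]
assemble_chain() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    # Re-emit each file as a bare PEM certificate block, dropping any
    # surrounding text so the bundle holds only "BEGIN CERTIFICATE" blocks.
    openssl x509 -in "$f" >> "$out"
  done
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# Return 0 when the bundle is ordered server -> intermediate -> root, that is,
# each certificate's issuer equals the subject of the certificate after it.
chain_in_order() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} {print > (d "/" n ".pem")}' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject)
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      rm -rf "$dir"; return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
}

# Return 0 when the private key belongs to the certificate (same public key);
# this is the check behind the "certificate and private key do not match" error.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Rewrite an RSA key with the openssl rsa command from the note above so the
# uploaded file contains only the RSA private key in PEM form.
convert_rsa_key() {
  openssl rsa -in "$1" -out "$2" 2>/dev/null
}
```

Run key_matches_cert against the converted key as well, so a conversion that silently produced an unrelated file is caught before the upload.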
SM2 Algorithm
Parameter
Description
Certificate Algorithm
Select SM2 Standard. This standard refers to the Chinese domestic cryptographic algorithm certified by the State Cryptography Administration of China. Certificate Management Service currently supports the SM2 asymmetric algorithm.
Certificate Name
Set a name for the certificate that you want to upload.
The name can contain letters, digits, underscores (_), and hyphens (-).
Certificate File
Enter the content of the signing certificate file in PEM format.
You can open the certificate file in PEM or CRT format with a text editor, copy the content, and then paste it into the text box. You can also click Upload and Parse File below the text box and select the signing certificate file that is stored on your computer to upload its content to the text box.
Certificate Key
Enter the content of the signing certificate private key in PEM format.
You can open the signing certificate private key file in KEY format with a text editor, copy the content, and then paste it into the text box. You can also click Upload and Parse File below the text box and select the signing certificate private key file that is stored on your computer to upload its content to the text box.
Encryption Certificate
Enter the content of the encryption certificate file in PEM format.
You can open the encryption certificate file in PEM or CRT format with a text editor, copy the content, and then paste it into the text box. You can also click Upload and Parse File below the text box and select the encryption certificate file that is stored on your computer to upload its content to the text box.
Encryption Private Key
Enter the content of the encryption certificate private key in PEM format.
You can open the encryption certificate private key file in KEY format with a text editor, copy the content, and then paste it into the text box. You can also click Upload and Parse File below the text box and select the encryption certificate private key file that is stored on your computer to upload its content to the text box.
Resource Group
Optional. Select an associated resource group.
Tag Key, Tag Value
Optional. Set custom tags.
After the certificate is uploaded, it appears in the certificate list. If you no longer need to manage the certificate in the Certificate Management Service console, find the certificate and click Delete in the Actions column.
Important: The delete operation only removes the certificate from the uploaded certificate list and does not affect its validity period. Deleted certificates cannot be recovered. Proceed with caution.
Batch sync PCA certificates to SSL certificates
You can use Certificate Management Service to batch sync issued PCA certificates to SSL certificates. This eliminates the need for manual uploads. Follow these steps:
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose . On the PCA Certificate Management page, select the region where your PCA resides.
Click the Private CAs tab. Expand the target root CA in the list. Click Certificates in the Actions column of the intermediate CA.
In the certificate list, select the certificates that you want to sync and click Batch Upload Certificates. In the dialog box that appears, click OK. After the synchronization is complete, the status of the certificates changes to Uploaded in the Status column.
After the synchronization is complete, navigate to the tab to view the synchronized PCA certificates in the list.
Share an SSL certificate
If you have multiple Alibaba Cloud accounts that are registered under the same real-name verified individual or enterprise, you can share certificates between these accounts. Shared certificates can be deployed to Alibaba Cloud products for free.
Sharing restrictions
You cannot share SSL certificates in the following scenarios:
Certificates requested from an Alibaba Cloud account on the China site (aliyun.com) cannot be shared with an Alibaba Cloud account on the international site (alibabacloud.com). Similarly, certificates requested from an account on the international site cannot be shared with an account on the China site.
A shared certificate in an Alibaba Cloud account cannot be shared again with another Alibaba Cloud account. For example, if you have three Alibaba Cloud accounts (a, b, and c), and you share a certificate from account a to account b, you cannot then share that certificate from account b to account c.
Certificates that are uploaded locally cannot be shared.
If you cannot share a certificate due to these restrictions, you can download the certificate from the source account and then upload it to the destination account. For more information, see Download an SSL certificate and Upload an SSL certificate.
Procedure
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the Official Certificate tab, find the issued certificate that you want to share, and then click More in the Actions column.
On the Share Certificate tab, enter the Alibaba Cloud account ID of the destination account in the Account ID text box, and then click Confirm and Share.
After the certificate is shared, log on to the Certificate Management Service console using the destination Alibaba Cloud account. On the SSL Certificate Management page, click the Manage Uploaded Certificates tab to view the shared certificate. A shared certificate is indicated by the icon in the Status column.
To-do items for uploaded certificates
To-do item reminder pop-up
When you navigate to the Uploaded tab, if any of your uploaded certificates have issues such as Expiration Notification Disabled, Remaining Amount/Required Amount, No Cloud Services Deployed, or Pending Renewal, an Action Items pop-up window appears to remind you to resolve them.
Handle to-do items
The pop-up window displays the number of to-do items and available actions. You can perform the following operations:
Notifications are disabled
View: Filters the certificate list to show certificates with the Notifications are disabled status. You can then click the Notification button below the list to enable reminders.
Remaining Amount/Required Amount: Displays your current message reminder resource quota. If the quota is insufficient, you can click Purchase to obtain additional message reminder resources.
One-click Notification: Filters the certificate list to show certificates with the Notifications are disabled status. You can then click the Notification button below the list to enable reminders.
Note: Enabling message reminders consumes your message reminder quota. If your current quota is insufficient, you must purchase message reminder resources.
No Cloud Services Deployed
View: Filters the certificate list to show only certificates with the Undeployed status. You can click the Notification button below the list to enable reminders.
Deploy: Guides you to create a cloud product deployment task to deploy the certificate. For more information about cloud product deployment, see Deploy a certificate to an Alibaba Cloud service using the console (cloud product deployment).
To Be Renewed
View: Filters the certificate list to show certificates with the To Be Renewed status. You can then click Update in the Actions column for each certificate to complete the renewal.
Renew: Filters the certificate list to show certificates with the To Be Renewed status. You can then click Update in the Actions column for each certificate to complete the renewal.
Pop-up frequency control
If you do not want to handle these to-do items immediately, you can select Do Not Remind Me Again for 7 Days and then click Close to suppress the reminder for seven days.
Proactively view to-do items
You can click the icon to open the Uploaded Certificate-related Pending Items pop-up window at any time.
Risk warning for uploaded certificates
If you upload a private CA certificate with a long validity period (more than one year), the system displays a risk warning in the Validity Period column for that certificate. You can hover over the Risk Of Leakage tag and follow the instructions in the tooltip to resolve the issue.
We recommend that you set the validity period of a private CA certificate to no more than one year to reduce the risk of private key leakage.
References
For information about certificate hosting for uploaded certificates, see Enable certificate hosting.