
Certificate Management Service: Deploy a certificate to a cloud service of Alibaba Cloud in the Certificate Management Service console

Last Updated: Jun 27, 2025

You can create a deployment task in the Certificate Management Service console to deploy a single SSL certificate to a cloud service or deploy multiple SSL certificates to multiple cloud services at once. You can specify when you want a deployment task to run. The system starts the deployment task at the specified time. This topic describes the supported Alibaba Cloud services, applicable scenarios, and deployment process.

Note

If you encounter issues when you deploy a certificate, contact your account manager.

Prerequisites

  • You understand the supported cloud services and application scenarios for deployment tasks.

    Supported cloud services and application scenarios for deployment tasks

    Important

    Description of deployment task scenarios:

    • Deploy a certificate for the first time: You can perform the related operations in the Certificate Management Service console when you deploy a certificate for the first time.

    • Update an existing certificate: You can update a certificate that is already deployed in the Certificate Management Service console.

    | Category | Service | Deployment task scenario | Certificate configuration scenario | References |
    | --- | --- | --- | --- | --- |
    | Container | Container Service for Kubernetes (ACK) | Update an existing certificate | ACK managed and dedicated clusters: Update AlbConfig certificate configuration; Update Secret certificates. Important: Do not manually modify certificates deployed to Secret in Container Service for Kubernetes. | For the first-time certificate deployment, see: |
    | Serverless | Serverless App Engine - Gateway Routing | Update an existing certificate | Configure HTTPS for gateway routing in Application Load Balancer (ALB) and Classic Load Balancer (CLB) | For the first-time certificate deployment, see: |
    | Serverless | Function Compute | Update an existing certificate | Configure HTTP functions | For more information about how to deploy a certificate for the first time, see Configure a custom domain name. |
    | Middleware | Microservices Engine - Cloud-native Gateway | Update an existing certificate | Configure cloud-native gateway routing | For more information about how to deploy a certificate for the first time, see Create a domain name. |
    | Middleware | API Gateway | Update an existing certificate | Configure API access over HTTPS domain names | For more information about how to deploy a certificate for the first time, see Call APIs through an HTTPS domain name. |
    | Networking and CDN | Global Accelerator (GA) | Update an existing certificate | Configure access acceleration by using HTTPS domain names | For the first-time certificate deployment, see the following information: |
    | Networking and CDN | | Update an existing certificate | Configure an HTTPS listener to forward HTTPS requests by using a server certificate. Note: You must deploy a client certificate in the Server Load Balancer (SLB) console. For more information about how to deploy a client certificate, see Configure end-to-end HTTPS encryption for data transfers. | For the first-time certificate deployment, see the following information: |
    | Networking and CDN | Alibaba Cloud CDN | Deploy a certificate for the first time; Update an existing certificate | Configure HTTPS secure acceleration | For more information about how to configure an SSL certificate in the CDN console, see Configure an SSL certificate. |
    | Networking and CDN | Dynamic Content Delivery Network (DCDN) | Deploy a certificate for the first time; Update an existing certificate | Configure HTTPS secure acceleration | For more information about how to configure an SSL certificate in the DCDN console, see Configure an SSL certificate. |
    | Storage | Object Storage Service (OSS) | Update an existing certificate | Configure OSS access over HTTPS. Note: If you want to map a CDN-accelerated domain name to your OSS bucket, you must replace the existing certificate in the Alibaba Cloud CDN console. | For more information about how to deploy a certificate for the first time, see Host a certificate for a custom domain name. |
    | Security | Web Application Firewall (WAF) | Update an existing certificate | CNAME access scenario | For the first-time certificate deployment, see: |
    | Security | Anti-DDoS | Update an existing certificate | Add domain names to Anti-DDoS | For more information about how to deploy a certificate for the first time, see Update an SSL certificate. |
    | AI and Machine Learning | Platform for AI (PAI) | Update an existing certificate | Elastic Algorithm Service (EAS): Use a custom domain name for the dedicated gateway | For more information about how to deploy a certificate for the first time, see Use a custom domain name for the dedicated gateway. |

    Note

    If you want to deploy a certificate to other Alibaba Cloud services or if you want to deploy an SM certificate (supported only by CDN, DCDN, and Anti-DDoS), contact your account manager or refer to the related service documentation. The following list provides references for deploying certificates to specific cloud services:

    • Alibaba Cloud CDN (SM certificate deployment): For more information about how to deploy an SM certificate to CDN, see SetCdnDomainSMCertificate.

    • Dynamic Content Delivery Network (DCDN) (SM certificate deployment): For more information about how to deploy an SM certificate to DCDN, see Enable SM for HTTPS.

    • Anti-DDoS (SM certificate deployment): For more information about how to deploy an SM certificate to Anti-DDoS, see Update an SSL certificate.

    • For Server Load Balancer (SLB) and Global Accelerator (GA) services, you can update an existing certificate by using a deployment task only if the domain name bound to the new certificate is the same as or includes the domain name bound to the existing certificate.

      For example, if you deployed Certificate 1, to which the single domain name example.com is bound, to a GA instance, you can deploy Certificate 2 to the instance to replace Certificate 1 by using a deployment task only if the domain name bound to Certificate 2 is or includes example.com. Otherwise, the deployment task fails. The domain name bound to Certificate 2 can be example.com, www.example.com, or *.example.com.

    • Before you deploy a certificate to Container Service for Kubernetes (ACK), you must log on to the ACK console with your Alibaba Cloud account and grant the AliyunCASDefaultRole role permissions to manage the target cluster as an O&M engineer. Otherwise, the Certificate Management Service console cannot identify the Namespace (cluster namespace).

      1. Go to the ACK Authorization Management page, and on the RAM Role tab, enter AliyunCASDefaultRole and click Manage Permissions.

      2. On the Permission Management tab, add O&M Engineer permissions for the target cluster.

  • A certificate is purchased and issued. The supported certificate types include official certificates, uploaded and shared SSL certificates, and private certificates.

    Important
    • To deploy an uploaded certificate, you need to purchase a deployment quota package. If you have already purchased deployment quota, the deployment will consume the purchased quota. Deploying other types of certificates does not consume deployment quota.

    • Certificates that are shared among different Alibaba Cloud accounts can be deployed free of charge. The deployment quota is not consumed. The accounts must belong to the same individual or enterprise user who has passed real-name verification.

    • The amount of deployment quota to be consumed is determined based on the number of resources that match your uploaded certificate. If the deployment task fails, the amount of deployment quota that is consumed by the deployment task is recovered.

  • The name of an issued certificate does not contain Chinese characters. The following figure shows a certificate whose name contains Chinese characters:

    image

Procedure

Deploy a single certificate to an Alibaba Cloud service

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.

  3. On the SSL Certificate Management page, click the required tab, find your certificate, and then click Deploy in the Actions column.

    Certificates issued by the Private CA service are synchronized to the Uploaded Certificate tab, where you can perform operations.

  4. On the Create Task page, select resources in the Select Resource step and click Preview and Submit.

    • The system intelligently matches cloud service resources for which certificates are already configured based on your certificate. You can click OK in the Prompt message to add the matched cloud service resources to the Selected Resources section. You can also adjust the added cloud service resources based on your business requirements.

    • The system automatically identifies and synchronizes the resources of all cloud services. If you cannot find the required resources, perform the following operations:

      • In the Total Resources section, check whether the resources are synchronized. If the resources are being synchronized (as shown in gray), wait until the resources are synchronized. The time required for resource synchronization varies based on the number of resources within your cloud services.

      • If you cannot find the required resources after the synchronization is complete, check whether the prerequisites for certificate deployment are met.

  5. In the Task Preview panel, confirm the information about the certificate and cloud service resources and click Submit.

    The preview panel displays the number of certificates that match the cloud service and the amount of deployment quota to be consumed. If the number of certificates is 0, no cloud service resources match your certificate. In this case, the deployment task fails. Check the certificate that you selected.

Deploy multiple certificates to multiple Alibaba Cloud services at a time

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Deployment and Resource Management > Deployment to Cloud Services.

  3. On the Deployment to Cloud Services page, click Create Task. Then, perform the following steps to deploy multiple certificates:

    1. In the Configure Basic Information step, configure the following parameters and click Next.

      | Parameter | Description |
      | --- | --- |
      | Task Name | Specify a name for the deployment task. |
      | Contact | Select a contact to receive notifications for the deployment task. You can select up to 10 contacts. |
      | Deployed At | Deploy: If you select this option, your certificates are immediately deployed to the Alibaba Cloud services. Custom Time: If you select this option, you must specify the point in time at which you want the deployment task to run. The system starts the deployment task at the specified point in time. |

    2. In the Select Certificate step, select the required certificates for your cloud service resources and click Next.

      • Certificates issued by the Private CA service are synchronized to the Uploaded Certificate tab, where you can select them.

      • You can select certificates of only one certificate type for a single deployment task.

    3. In the Select Resource step, select cloud services and resources and click Preview and Submit.

      Note

      You cannot create a deployment task to associate multiple server certificates with a single SLB listener.

      • The system intelligently matches cloud service resources for which certificates are already configured based on your certificates. You can click OK in the Prompt message to add the matched cloud service resources to the Selected Resources section. You can also adjust the added cloud service resources based on your business requirements.

      • The system automatically identifies and synchronizes the resources of all cloud services. If you cannot find the required resources, perform the following operations:

        • In the Total Resources section, check whether the resources are synchronized. If the resources are being synchronized (as shown in gray), wait until the resources are synchronized. The time required for resource synchronization varies based on the number of resources within your cloud services.

        • If you cannot find the required resources after the synchronization, check whether the prerequisites for first deployment are met. For more information, see Prerequisites.

    4. In the Task Preview panel, confirm the information about the certificates and cloud services and click Submit.

      The preview panel displays the number of certificates that match the cloud service resources and the amount of deployment quota to be consumed. If the number of certificates is 0, no cloud service resources match your certificates. In this case, the deployment task fails. Check the certificates that you selected.

What to do next

View the details of the deployment task

  1. On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.

  2. On the task details page, view the certificate deployment status of resources on each cloud service tab. If a certificate fails to be deployed to a resource, you can view the cause in the Actions column.

    If no cause is provided, contact your account manager.

Roll back the deployment task

Warning

After you roll back a deployment task, the consumed deployment quota is not returned.

After the deployment task is complete, you can perform the following steps to roll back the deployment task if the deployed certificates do not meet your requirements or if you want to undo the deployment for other reasons:

  1. On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.

  2. On the task details page, click the related cloud service tab, find the required resource, and then click Roll Back in the Actions column.

    After the rollback is complete, the status of the deployment task changes to Rolled Back.

Delete the deployment task

Warning

After you delete a deployment task, it cannot be restored. Proceed with caution.

On the Deployment to Cloud Services page, find the deployment task and click Delete in the Actions column. You can also select multiple deployment tasks and click Delete below the task list.