How to configure an SSL certificate in the Alibaba Cloud CDN console for secure HTTPS access - CDN

Alibaba Cloud CDN supports HTTPS secure acceleration. You can deploy an SSL certificate in the Alibaba Cloud CDN console and enable HTTPS secure acceleration to encrypt requests between clients and points of presence (POPs).

Prerequisites

An SSL certificate is prepared for the accelerated domain name.

Note

If you want to purchase an SSL certificate, you can log on to the Certificate Management Service console to purchase a certificate from a certificate authority (CA).
Certificates that are issued by third-party certificate authorities (CAs) must meet the certificate format requirements. For more information, see Certificate formats.

Usage notes

Only certificates in the PEM format are supported. You can convert certificates in other formats to the PEM format. For more information, see Convert certificate formats.
When you upload a certificate that is issued by a third-party CA, use a private key that does not have password protection.
You can view SSL certificates. You cannot view private keys because the keys are considered sensitive information. Keep certificate-related information confidential.
If you do not want to expose your private key to environments other than Alibaba Cloud CDN, you can use the Certificate Signing Request (CSR) tool that is provided by Alibaba Cloud Certificate Management Service to generate a CSR and a private key based on algorithms such as Rivest-Shamir-Adleman (RSA), Elliptic-curve cryptography (ECC), and ShangMi2 (SM2). You can also upload an existing CSR. For more information, see Manage CSRs.
If you want to enable end-to-end data transfer over HTTPS, you need to configure origin fetch over HTTPS. Make sure that the origin servers support HTTPS.

Configure or renew an SSL certificate

Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
In the left-side navigation tree of the domain name, click HTTPS.
In the HTTPS Certificate section, click Modify.

In the Modify HTTPS Settings dialog box, turn on HTTPS Secure Acceleration, and configure the parameters.

If you have purchased a certificate from Alibaba Cloud Certificate Management Service, set the Certificate Source parameter to SSL Certificates Service and select the purchased certificate from the Certificate Name drop-down list.
Note
If the certificate that you purchased is unavailable, check whether the domain name that is associated with the purchased certificate is the accelerated domain name.

If you use a certificate that is issued by a third-party CA, set the Certificate Source parameter to Custom Certificate (Certificate+Private Key). After you configure the Certificate Name parameter, configure the Certificate (Public Key) and Private Key parameters. The certificate is saved in Alibaba Cloud Certificate Management Service. You can check the certificate on the SSL Certificates page.

Parameter	Description
Certificate Name	Enter a name for the certificate that you want to upload. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-). Note A certificate name must be unique. You can view existing certificates on the SSL Certificates page. If the system prompts that the certificate already exists, change the certificate name and re-upload the certificate.
Certificate (Public Key)	Enter the content of the PEM-encoded certificate file. You can use a text editor to open the certificate file in the PEM format. Then, copy the content to the Certificate (Public Key) field. For more information, click PEM Encoding Reference below the Certificate (Public Key) field.
Private Key	Enter the content of the PEM-encoded private key file. You can use a text editor to open the certificate file in the KEY format. Then, copy the content to the Private Key field. For more information, click PEM Encoding Reference below the Private Key field. Note If you obtain a private key that starts with "----- BEGIN PRIVATE KEY -----" and ends with "----- END PRIVATE KEY -----", use the OpenSSL tool to run the following command to convert the private key. Then, copy the content of the `new_server_key.pem` file to the Private Key field. `openssl rsa -in old_server_key.pem -out new_server_key.pem`

Click OK.

Check whether HTTPS secure acceleration takes effect

After you upload an SSL certificate, the certificate takes effect within 1 minute. To check whether the SSL certificate takes effect, you can send HTTPS requests to access resources. If the URL is displayed with a lock icon in the address bar of the browser, HTTPS secure acceleration is working as expected. 验证结果

After you configure an SSL certificate, take note of the expiration time of the certificate. You need to configure a new certificate before the certificate expires.

Disable HTTPS secure acceleration

If you no longer require HTTPS secure acceleration, you can disable the feature in the Alibaba Cloud CDN console. Disabling HTTPS secure acceleration immediately takes effect. After you disable HTTPS secure acceleration, you can no longer access resources over HTTPS, and the SSL certificate and the private key are no longer retained.

If you want to re-enable HTTPS secure acceleration, select another SSL certificate.

References

Topic	Description
Configure URL redirection	You can configure the URL redirection feature to forcibly redirect requests from clients to POPs to HTTPS.
Configure HSTS	After you configure HTTP Strict Transport Security (HSTS), clients such as browsers can establish only HTTPS connections to POPs to improve security.
Configure OCSP stapling	POPs cache certificate verification results and then send the results to clients without the need for the clients to verify certificates with the CAs. This reduces the verification time.

FAQ

Related API operations

API operation	Description
CreateCdnCertificateSigningRequest	Creates a certificate signing request (CSR).
DescribeDomainCertificateInfo	Queries the certificate information about an accelerated domain name.
SetDomainServerCertificate	Enables or disables the certificate of a domain name, and modifies the certificate information.
SetCdnDomainCSRCertificate	Configures an SSL certificate for a specified domain name.
DescribeCdnDomainByCertificate	Queries accelerated domain names by SSL certificate.
DescribeCdnCertificateDetail	Queries the detailed information about an SSL certificate.
DescribeCdnCertificateList	Queries information about certificates.
DescribeCertificateInfoByID	Queries the information about a specified SSL certificate.
BatchSetCdnDomainServerCertificate	Enables or disables the certificates of domain names, and modifies the certificate information.
DescribeCdnHttpsDomainList	Queries the information about the SSL certificates within your Alibaba Cloud account.
DescribeUserCertificateExpireCount	Queries the number of domain names whose SSL certificates are about to expire or have already expired.
SetCdnDomainSMCertificate	Enables or disables a ShangMi (SM) certificate for a domain name.
DescribeCdnSMCertificateList	Queries the SM certificates of an accelerated domain name.
DescribeCdnSMCertificateDetail	Queries the details about an SM certificate.