SSL Certificates Service provides the Private Certificate Authority (PCA) service. This service allows you to build your certificate authority (CA) by performing simple operations in the console. Then, you can issue and manage self-signed private certificates to authenticate applications and encrypt and decrypt data within your enterprise.

Scenarios

PCA is applicable to internal use and compliance use in enterprises.
  • Internal use in enterprises: PCA is generally used in scenarios where you need to encrypt and decrypt internal application data by using cryptographic technology, but not to meet regulatory and industry specifications. The cryptographic technology of PCA enables secure data transmission, data encryption and decryption, and identity authentication between internal applications such as the internal office automation (OA) and human resources (HR) systems.
  • Compliance use in enterprises: PCA is generally used to meet requirements of cryptographic technology compliance and digital authentication services. For example, PCA can be used in bank-enterprise direct link and digital signature scenarios.

Billing methods

PCA supports only the subscription method. Before you can use PCA, you must purchase this service for a specific period on a monthly basis.

For more information about PCA pricing, see price calculations in Buy page of PCA.

Process

Step Procedure Reference Cancellation
1 Create a private CA by purchasing PCA.

If you purchase PCA for the first time, you must create a private root CA. You can obtain a private root CA and a private intermediate CA. You can create multiple private intermediate CAs for a private root CA.

Create a private CA After a private CA is created, if the private CA is in the Disabled state, you can click the More icon and then select Refund to claim a refund for the private CA. If the refund is successful, you can click Delete in the Actions column to delete the private CA from the private CA list.

For more information, see Refund a private CA.

Notice If a private CA is enabled, you cannot claim a refund for this private CA.
2 Enable the private CA.

If you enable the private CA for the first time, you must enable the private root CA and then enable the private intermediate CA.

Enable a private CA If a private CA is in the Enabled state, you can click the More icon and then select Revoke to revoke the private CA. After you revoke the CA, you can click Delete in Actions column to delete the private CA from the private CA list.

For more information, see Revoke a private CA.

Notice You cannot claim a refund for a private CA in the revoked state.
3 Apply for a private certificate from the enabled private intermediate CA.

A root CA only issues certificates for intermediate CAs. Only intermediate CAs can issue private certificates, such as server certificates and client certificates.

Apply for a private certificate If a private certificate is in the Normal state, you can click Revoke in the Actions column to revoke the private certificate. After the private certificate is revoked, you can click Delete in the Actions column to delete the private certificate from the private certificate list.

For more information, see Revoke a private certificate.

4 Export and distribute the private certificate to a specified user for installation and use.

A server certificates must be installed on a server, and a client certificate must be installed on a client browser.

Export a private certificate None.
5 Renew the private CA.

If you want to use the private CA after it expires, you can renew it to extend its service life.

Renew a private CA None.