Manage private certificates

Last Updated: Jan 23, 2026

After you create and enable a private Certificate Authority (CA) in the Certificate Management Service console, you can request private certificates from an intermediate CA. These certificates are used for identity authentication, data encryption, and decryption for your internal applications. This topic describes how to manage private certificates.

Background information

Only private intermediate CAs can issue private certificates. Private certificates are end-entity certificates, such as server certificates and client certificates. A trusted communication channel can be established between a server and a client only after private certificates are installed on both.

Initial configuration

When you configure a private certificate for the first time, follow these steps:

  1. Allocate private certificates

  2. Request a private certificate

  3. Download a private certificate

  4. Install a private certificate

Prerequisites

You have purchased and enabled a private CA. For more information, see Purchase and enable a private CA.

Purchase private certificates

If the number of certificate resources included with your private root CA is insufficient, you can purchase more certificates for the root CA. This increases the total number of certificates that all intermediate CAs under the root CA can issue.

  1. Log in to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > PCA Certificate Management. On the PCA Certificate Management page, select the region where the PCA service is located.

  3. On the Private CAs tab, find the target root CA and click Purchase Certificate in the Actions column.

  4. In the Purchase Certificate panel, enter the number of certificates that you want to purchase, click Purchase, and then complete the payment.

    Note

    For a single root CA, if the cumulative number of certificates that you purchase exceeds a specific threshold, Certificate Management Service waives the fee for the excess certificates. For more information about the threshold, contact your account manager.

Allocate private certificates

Root CAs cannot issue certificates. Only intermediate CAs can issue private certificates. Before you request a private certificate, you must allocate certificate resources from the root CA to an intermediate CA. The root CA and the intermediate CA must meet the following conditions to allocate certificates:

  • The root CA and the intermediate CA are in the Enabled state.

  • The root CA has available certificate resources.

  1. Log in to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > PCA Certificate Management. On the PCA Certificate Management page, select the region where the PCA service is located.

  3. On the Private CAs tab, find the target root CA and click Assign Certificate in the Remaining/Total Certificates column.

  4. In the Assign Certificate panel, select the intermediate CA to which you want to allocate certificates, set the Remaining Certificate Quota for the intermediate CA, and then click OK.

Request a private certificate

You can request a private certificate from an intermediate CA only if its Remaining Certificate Quota value is not 0.

  1. Log in to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > PCA Certificate Management. On the PCA Certificate Management page, select the region where the PCA service is located.

  3. On the Private CAs tab, find the target intermediate CA and click Apply for Certificate in the Actions column.

  4. In the Apply for Certificate panel, enter the required certificate information and click Confirm.

    After you submit the request, the private certificate is issued immediately. You can then click Certificates in the Actions column for the intermediate CA to view information about the issued certificate on the Certificates page.

    The configuration items in the Apply for Certificate panel are described below.

    Certificate Type

    • Server Certificate: Installed on an application server.

    • Client Certificate: Installed on a client that accesses the application.

    Common Name (CN)

    The common name of the private certificate entity.

    Validity Period

    The validity period of the private certificate.

    The certificate validity period is related to the service duration of your purchased intermediate CA. Details are as follows:

    • If the service duration is less than 1 year, the certificate validity period cannot exceed the service duration of your PCA service. For example, if you purchased a 1-month PCA service, the maximum validity period of a certificate you can issue is 31 days. If you need a longer certificate validity period, renew the PCA service to extend its duration. For more information about renewal, see Renewal policy.

    • If the service duration is 1 year or longer, the certificate validity period can range from 1 to 100 years.

    SAN

    The Subject Alternative Name (SAN) extension of the private certificate.

    • If the certificate needs to be applied to multiple entities, you can add information about the other entities using the SAN extension.

    • For a server certificate, you can enter a service domain name or a server IP address. For a client certificate, you can enter a user's mailbox address or a Uniform Resource Identifier (URI).

    • You can add up to 10 SAN extensions.

    Note

    A Subject Alternative Name (SAN) is an extension defined in the X.509 standard. An SSL certificate that uses the SAN field can cover multiple domain names, which allows one certificate to be used for several hosts.

    A Uniform Resource Identifier (URI) is used to identify the Alibaba Cloud resource to which the certificate belongs. For example, a URI can identify an Elastic Compute Service (ECS) instance where the private certificate is deployed.

    More

    To add a certificate name, company, and department information to the certificate, click More to configure them.

    Include CRL Address

    This feature is enabled by default. For more information about Certificate Revocation Lists (CRLs), see CRL service.

Download a private certificate

After an intermediate CA issues a private certificate, you can download the certificate and distribute it to the corresponding entity for installation and use.

  1. Log in to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > PCA Certificate Management. On the PCA Certificate Management page, select the region where the PCA service is located.

  3. On the Private CAs tab, find the target intermediate CA and click Certificates in the Actions column.

  4. On the Certificates page, find the target private certificate and click Download in the Actions column.

  5. In the Download Certificate dialog box, select a certificate format and click Confirm and Download.

Install a private certificate

After you download the private certificate, you must install the server certificate on the application server and the client certificate in the client browser. The procedure for installing a server certificate is the same as that for an SSL certificate that you purchase from Certificate Management Service. For more information, see Deploy an SSL certificate.

Revoke a private certificate

If you no longer need a private certificate before it expires, you can revoke it in the Certificate Management Service console.

Warning

After a private certificate is revoked or deleted, it is no longer trusted within your internal environment and cannot be recovered or re-enabled. Perform this operation with caution.

  1. Log in to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > PCA Certificate Management. On the PCA Certificate Management page, select the region where the PCA service is located.

  3. On the Private CAs tab, find the target intermediate CA and click Certificates in the Actions column.

  4. On the Certificates page, find the target private certificate and click Revoke in the Actions column.

  5. In the Confirmation dialog box, click Revoke.

    After you confirm the revocation, the private certificate is immediately revoked. The certificate's Status changes to Revoke. You can then delete the private certificate from the certificate list.