After you create and enable a private certificate authority (CA) in the SSL Certificates Service console, you can apply for a private certificate by using a private intermediate CA. The private certificate can be used for identity authentication and data encryption and decryption of internal applications in enterprises. This topic describes how to apply for a private certificate by using a private CA.

Prerequisites

  • A private CA is created and enabled. For more information about related operations, see Create a private CA and Enable a private CA.
  • The number of remaining certificates for a private intermediate CA is not 0.

Background information

A private root CA is used only to issue certificates for private intermediate CAs. Therefore, you must create private intermediate CAs under the private root CA. For more information about related operations, see Create a private CA.

Only private intermediate CAs can be used to apply for private certificates. Private certificates are terminal entity certificates, including server certificates and client certificates. You can perform the following steps to apply for a private certificate by using a private intermediate CA.

Procedure

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. Find the private intermediate CA that you want to use, and then click Apply for Certificate in the Actions column.
  4. In the Apply for Certificate panel, configure the information about the certificate.
    The following table describes the related parameters.

    Parameter: Description

    Certificate Type: The type of the private certificate. Valid values:
      • Server Certificate: A server certificate must be installed on an application server.
      • Client Certificate: A client certificate must be installed on a client browser that accesses an application.

      Trusted communication can be established between the server and the client only after private certificates are separately installed on the server and the client.

    Common Name (CN): The common name of the entity of the private certificate.

      For a server certificate, you can enter a website domain name or server IP address. For a client certificate, you can enter a user email address or URI.

    Validity Period: The validity period of the private certificate.

      The validity period cannot exceed the service duration of the Private Certificate Authority (PCA) service that you purchase. For example, if the service duration of PCA that you purchase is one month, the validity period of a private certificate issued by your private CA cannot exceed 31 days. If your certificate needs a longer validity period, we recommend that you renew the PCA service to extend its service duration. For more information about related operations, see Renew a private CA.

    SAN: The subject alternative name (SAN) attribute of the private certificate. If you need to apply the certificate to multiple entities, you can add the information about other entities by using SAN attributes.

      For a server certificate, you can enter a website domain name or server IP address. For a client certificate, you can enter a user email address or URI.

      You can add up to 10 SAN attributes.

  5. Click Confirm.
    The certificate is immediately issued after the certificate request is submitted. To view the information about the issued certificate, you can click Certificates in the Actions column of the private CA list to go to the Certificates page.
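
The parameter rules in step 4 can be checked before a request is submitted, which is useful when requests are reviewed in bulk. The following Python code is an added example, not part of the SSL Certificates Service or its documentation; the function names, the hostname and email patterns, and the pca_days_left parameter (days remaining on the purchased PCA service) are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

MAX_SANS = 10  # limit stated in the SAN parameter description

# Assumed patterns: RFC 1123 style labels, optional leading wildcard label.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"^(?:\*\.)?(?:{_LABEL}\.)+[A-Za-z]{{2,63}}$")
_EMAIL = re.compile(rf"^[^@\s]+@(?:{_LABEL}\.)+[A-Za-z]{{2,63}}$")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_uri(value):
    parsed = urlparse(value)
    return bool(parsed.scheme) and bool(parsed.netloc or parsed.path)


def name_ok(cert_type, value):
    """Server names: domain or IP address. Client names: email address or URI."""
    if cert_type == "server":
        return _is_ip(value) or bool(_DOMAIN.match(value))
    if cert_type == "client":
        return bool(_EMAIL.match(value)) or _is_uri(value)
    return False


def check_request(cert_type, common_name, sans, validity_days, pca_days_left):
    """Return a list of problems; an empty list means the request fits the rules."""
    if cert_type not in ("server", "client"):
        return [f"unknown certificate type: {cert_type!r}"]
    problems = []
    if not name_ok(cert_type, common_name):
        problems.append(f"CN {common_name!r} is not valid for a {cert_type} certificate")
    if len(sans) > MAX_SANS:
        problems.append(f"{len(sans)} SANs given, limit is {MAX_SANS}")
    problems += [f"SAN {s!r} is not valid for a {cert_type} certificate"
                 for s in sans if not name_ok(cert_type, s)]
    if validity_days > pca_days_left:
        problems.append(f"validity {validity_days}d exceeds PCA service duration {pca_days_left}d")
    return problems
```

A request that returns an empty list matches the CN, SAN and validity rules in the table above; any returned string names the field to correct before you click Confirm.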

What to do next

Export a private certificate: You can export issued private certificates to an on-premises computer and distribute them to certificate entities for installation and use.

Related operations

Revoke a private certificate: Before a private certificate expires, if you no longer want to use the private certificate, you can revoke it.