Billable items of PCA and the rules for certificate expiration, renewal, and refunds - Certificate Management Service

Private Certificate Authority (PCA) allows you to build a private certificate platform within your enterprise by performing visualized operations. PCA helps you implement application identity authentication and data encryption and decryption within your enterprise. This topic describes the billable items of PCA and the rules for certificate expiration, renewal, and refunds.

Billable items

Billable item	Billing method	Price	Billing rule
Private root CA	Yearly or monthly subscription	The prices of private root CAs vary based on certificate algorithms. The following algorithms are supported: Rivest-Shamir-Adleman (RSA), SM, and elliptic curve cryptography (ECC). The SM algorithms are developed and approved by the State Cryptography Administration of China. The actual price on the buy page of a private root CA shall prevail.	The price of a private root CA is calculated based on the following formula: Unit price in USD per month × Subscription duration. By default, a private root CA consists of 1 private root CA, 1 private intermediate CA, and a quota for 10 private certificates.
Private intermediate CA	Yearly or monthly subscription	The prices of private intermediate CAs vary based on certificate algorithms. The following algorithms are supported: RSA, SM, and ECC. The actual price on the buy page of a private intermediate CA shall prevail.	The price of a private intermediate CA is calculated based on the following formula: Unit price in USD per month × Subscription duration.
Private certificate	Subscription	The prices of private certificates vary based on the certificate algorithms and the number of purchased certificates. The actual price in the Purchase Certificate panel of the Private Certificates page in the Certificate Management Service console shall prevail.	The price of a private certificate is calculated based on the following formula: Unit price in USD × Number of purchased private certificates. Note If the number of purchased private certificates exceeds a threshold, you are not charged for the excess private certificates. For more information about the threshold, contact your account manager.

Expiration

After a private root CA expires, you can no longer enable the private root CA or apply for a private certificate from a private intermediate CA of the private root CA. To prevent impacts on your business, we recommend that you renew your private root CA and private intermediate CAs within 30 calendar days before they expire. If the private root CA and private intermediate CAs have expired, you must reactivate the CAs.

Renewal policy

You can renew a private root A or a private intermediate CA within 30 calendar days before the CA expires. You can renew the private root CA or private intermediate CA in the Certificate Management Service console. You cannot renew an expired private root CA or private intermediate CA. If you want to continue using the private root CA or private intermediate CA, you must reactivate the CA in the Certificate Management Service console.

Renewal

Important

You can renew a private root CA or private intermediate CA only within 30 calendar days before the CA expires.

Log on to the Certificate Management Service console.
In the left-side navigation pane, click Private Certificates.
On the Private CAs tab, find the private CA that you want to renew and click Renew in the Actions column.
The private CA that you need to renew varies based on how you create the private CA.
- If the private root CA and the private intermediate CA are created together, you need to only renew the private root CA. The validity periods of both the private root CA and the private intermediate CA are extended.
- If the private intermediate CA is separately purchased, you must renew the private root CA in advance to ensure that the private root CA is valid. Then, you can renew the private intermediate CA to extend its validity period.
On the Renew page, confirm the specifications, configure the Subscription Duration parameter, read and select Terms of Service, click Buy Now, and then complete the payment.
After you complete the payment, you can log on to the Certificate Management Service console and go to the Private Certificates page. On the Private Certificates page, you can view the new expiration time of the private root CA or private intermediate CA in the Expire On column.

Reactivation

If you want to continue using PCA after your private root CA and private intermediate CA expire, you must separately reactivate the private root CA and private intermediate CA in the Certificate Management Service console.

Log on to the Certificate Management Service console.
In the left-side navigation pane, click Private Certificates.
On the Private CAs tab, find the required CA and click Reactivate in the Actions column.
On the buy page, configure the specifications and click Buy Now. On the page that appears, read and select Terms of Service. Then, complete the payment.
Important
- When you reactivate a private root CA, you can configure only the Certificate Algorithm and Subscription Duration parameters. When you reactivate a private intermediate CA, you can configure only the Subscription Duration parameter.
- If a private CA is in the Disabled state before it is reactivated, you must enable the private CA after it is reactivated. Then, you can continue to use PCA. For more information about how to enable a private CA, see Enable a private CA. If a private CA is in the Enabled state before it is reactivated, you can directly use PCA after the private CA is reactivated.
Optional. Return to the Certificate Management Service console to view the expiration time of the reactivated private root CA.