After a private certificate authority (CA) issues a private certificate, you can export the private certificate to an on-premises computer and distribute this certificate to the specified certificate entities for installation and use.

Prerequisites

A private certificate is issued by a private CA. For more information about related operations, see Apply for a private certificate.

Procedure

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. Find the private CA that you want to use, and click Certificates in the Actions column.
  4. On the Certificates page, find the certificate that you want to export, and click Details in the Actions column.
  5. In the Certificate Details panel, select View Private Key Content.
  6. In the Password field, set an encryption password for the private key and click Export.
    The encryption password protects the private key of the private certificate that you export. You must supply this password to decrypt the private key when you install the private certificate, for example, when you install it by running OpenSSL commands. The encryption password must be eight characters in length and must contain a mixture of digits, uppercase letters, and lowercase letters.
    After the private certificate is exported, the following information appears in the lower part of the Certificate Details panel: Certificate Information, Certificate Chain Content, and Private Key Content.
  7. Copy and distribute the information about the private certificate to the entity that needs to use the private certificate.
    Server certificates and client certificates are installed in different ways. For more information, see Installation instructions for private certificates.
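
Before the certificate is installed, the recipient can confirm that the three exported items belong together. The following script is an added example, not part of the original documentation: it assumes the Certificate Information, Certificate Chain Content, and Private Key Content were saved as PEM files (cert.pem, chain.pem, and key.pem are hypothetical names), that the key is PEM-encrypted with the export password, and it builds constructed sample material so that it runs offline.

```shell
#!/bin/sh
# Added example. The password is read from the EXPORT_PW environment variable
# so that it does not appear in the process list.

# Build constructed sample material: a throwaway private CA, a client
# certificate, and a password-encrypted key standing in for the console export.
make_sample() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private CA" \
    -keyout "$dir/ca.key" -out "$dir/chain.pem" >/dev/null 2>&1 &&
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc \
    -pass env:EXPORT_PW -out "$dir/key.pem" >/dev/null 2>&1 &&
  openssl req -new -key "$dir/key.pem" -passin env:EXPORT_PW \
    -subj "/CN=client.example" -out "$dir/client.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/chain.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/cert.pem" >/dev/null 2>&1
}

# Returns 0 if the export is consistent, 1 if the key does not decrypt with
# EXPORT_PW, 2 if the key does not belong to the certificate, and 3 if the
# chain does not validate the certificate.
check_export() {
  cert=$1 chain=$2 key=$3
  # Decrypt the key with the export password and derive its public half.
  key_pub=$(openssl pkey -in "$key" -passin env:EXPORT_PW -pubout 2>/dev/null) || return 1
  # Compare it with the public key embedded in the certificate.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  [ "$key_pub" = "$cert_pub" ] || return 2
  # -CAfile treats every certificate in the chain file as trusted, so this is
  # a consistency check of the export, not a trust decision.
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || return 3
}

# Demo on constructed material; 'Abc12345' is a constructed eight-character password.
demo_dir=$(mktemp -d)
EXPORT_PW='Abc12345'; export EXPORT_PW
make_sample "$demo_dir" &&
  check_export "$demo_dir/cert.pem" "$demo_dir/chain.pem" "$demo_dir/key.pem" &&
  echo "export is consistent"
rm -rf "$demo_dir"
```
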

Installation instructions for private certificates

  • A server certificate must be installed on an application server. The installation operations are the same as those for public certificates purchased by using SSL Certificates Service. For more information, see How can I install SSL certificates?
    Note: If you need more help, contact Customer Services by using the DingTalk service group.
  • A client certificate must be installed on a client browser that accesses an application.
    To install a private certificate, perform the following steps:
    1. Install the certificate chain.
      Note: Server certificates are not embedded in browsers. You must install the certificate chain on the client to prevent security warnings.
      1. Create a TXT file, copy and paste the certificate chain content to the file, and then save the file in the .cert format.
      2. Distribute the .cert file to the user who wants to install the client certificate.
      3. The user can double-click the .cert file on the client to install the certificate chain on the client browser.
    2. Install the certificate.
      1. Create a TXT file, copy and paste the certificate content to the file, and then save the file in the .cert format.
      2. Distribute the .cert file to the user who wants to install the client certificate.
      3. The user can double-click the .cert file on the client to install the certificate on the client browser.