To deliver resources over HTTPS by using HTTPS secure acceleration, you must configure an SSL certificate. This topic describes how to request and renew an SSL certificate.
Request a free SSL certificate
You can request a free SSL certificate by using one of the following methods:
- When you enable HTTPS, you can request a free SSL certificate in the DCDN console. Alibaba Cloud requests and validates a free SSL certificate on your behalf. After the certificate is requested, it is automatically added to the current domain name. Then, you can use Dynamic Route for CDN (DCDN) to accelerate content delivery over HTTPS. To request a free SSL certificate, submit a request.
- Alternatively, you can use SSL Certificates Service to request a free SSL certificate. After the certificate is requested, you must manually validate the certificate and add it to the accelerated domain name.
- In most cases, free certificates are issued within one to two business days. During this period, you can choose to upload a custom certificate or an SSL certificate that was purchased from SSL Certificates Service.
Note: After you submit the request, the certificate may be issued within several hours to two business days. The time required to issue the certificate is based on the verification process defined by the CA.
- You can switch among custom certificates, purchased certificates from SSL Certificates Service, and free certificates.
- You do not need to request a new certificate each time you enable HTTPS secure acceleration. However, if the certificate expires while HTTPS secure acceleration is enabled, you must request a new certificate.
Renew a certificate
- A free certificate remains valid for one year and is automatically renewed when it expires. If the renewal process fails, you are notified by email and text message. We recommend that you renew the certificate at your earliest opportunity after you receive a notification. This ensures the continuity of your services.
- Notifications for other certificates: You are notified by email and text message 10 days before and after a certificate expires. We recommend that you renew the certificate at your earliest opportunity after you receive a notification. This ensures the continuity of your services.
FAQ about certificates
- You can disable, enable, and modify HTTPS certificates. After HTTPS certificates are disabled, the system deletes the data that is associated with the disabled certificates. To enable a disabled certificate, you must re-upload the certificate or private key. For more information, see Configure an SSL certificate.
- Wildcard domain certificate: To associate a certificate with a wildcard domain, you must purchase a certificate that supports wildcard domains. A single-domain certificate cannot be associated with wildcard domains.
- Special origin configurations: If HTTP, HTTPS, and 301 redirects are enabled for the origin server, you must also enable HTTPS and configure an SSL certificate in the DCDN console. Otherwise, errors may occur.
- Certificate service: If SSL services, HTTPS, certificate application, certificate verification, certificate installation, and certificate configuration are required, we recommend that you purchase the relevant services in the Alibaba Cloud Marketplace.
- Only SSL and TLS handshakes that include Server Name Indication (SNI) values are supported.
- Make sure that the uploaded certificate matches the private key.
- It takes 10 minutes for an updated certificate to take effect.
- Password-protected private keys are not supported.
Why is my request for a free certificate not approved?
- When you request a free certificate, make sure that the following requirements are met. For details about required information, see Required information for certificate application.
- Each individual or enterprise that passes real-name verification is allowed to request up to 20 free certificates each year. If the number of free certificates that you request has reached the upper limit, you cannot request more free certificates.
- The DNS record of the accelerated domain name to which the certificate is attached must point all traffic to the CNAME provided by DCDN. For more information about how to configure a CNAME record, see Configure a CNAME record for a domain name.
- If you request a free certificate for a top-level domain or a second-level domain, you must configure the top-level domain and second-level domain in DCDN. Furthermore, you must configure DNS to point all traffic to the CNAME record of the current domain.
- The Certification Authority Authorization (CAA) record of the DNS record for the current domain must be empty or contain Digicert.com and digicert.com.
- The security level of SSL Labs for an accelerated domain name must be A.
- You must grant Alibaba Cloud the permissions to request free certificates on your behalf.
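The CAA requirement in the list above can be checked before you submit a request. The following is an added example, not Alibaba Cloud code: it applies the standard CAA evaluation rules (climbing to parent domains and `issuewild` handling for wildcard names, which go beyond the one-line rule stated here) to a constructed record set. The function names and the `example.*` domains are assumptions made for illustration.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample data (placeholder names, not real DCDN domains):
# owner name -> CAA records as (flags, tag, value), as `dig CAA` would list them.
SAMPLE_CAA = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "cdn.example.com": [(0, "issue", "digicert.com"),
                        (0, "iodef", "mailto:security@example.com")],
    "example.org": [(0, "issue", ";")],
    "example.net": [(0, "issue", "DigiCert.com; account=1"),
                    (0, "issuewild", ";")],
}


def relevant_caa(name, zone):
    """Climb from the name towards the root and return the first
    non-empty CAA record set, or [] when no ancestor publishes one."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # *.X uses the record set found for X
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def ca_allowed(name, zone, ca="digicert.com"):
    """Return True when CAA lets `ca` issue a certificate for `name`."""
    rrset = [(f, tag.lower(), value) for f, tag, value in relevant_caa(name, zone)]
    # An unrecognized tag marked critical (flag bit 128) blocks issuance.
    if any(f & 128 and tag not in KNOWN_TAGS for f, tag, _ in rrset):
        return False
    # For wildcard names, issuewild records replace issue records if present.
    wanted = "issue"
    if name.startswith("*.") and any(tag == "issuewild" for _, tag, _v in rrset):
        wanted = "issuewild"
    values = [value for _, tag, value in rrset if tag == wanted]
    if not values:
        return True               # empty record set: no restriction
    # The issuer domain is the part before any ';' parameters.
    issuers = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca.lower() in issuers
```

A subdomain without its own CAA records inherits the nearest parent's record set, so a restrictive record on the parent domain can block the request even when the accelerated domain itself has no CAA record.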
Why does my free certificate fail to be renewed?
- Free certificates remain valid for one year. If a free certificate is not automatically renewed seven days before it expires, renew it manually.
- When you renew a free certificate, use the same configurations that you used when you originally requested the free certificate. For details about required information, see Required information for certificate application.