Alibaba Cloud CDN supports HTTPS secure acceleration. You can upload a custom SSL certificate or select an SSL certificate from SSL Certificates Service in the Alibaba Cloud CDN console. The SSL certificate ensures data security during transmission. This topic describes how to configure and renew an SSL certificate.

Prerequisites

  • An SSL certificate is prepared. If you want to purchase an SSL certificate, you can log on to the SSL Certificates Service console to apply for a free certificate or purchase a certificate from a certificate authority (CA).
  • If you want to use a custom certificate, it must be in a valid format. For more information, see Certificate formats.

Background information

SSL certificates are classified into different types based on vetting and verification requirements. Different types provide different levels of security and are suitable for different websites. For more information, see Supported certificate types.

Only SSL certificates that are in PEM format are supported. If your SSL certificate is not in PEM format, you must convert it to PEM. For more information, see Convert certificate formats.
Note
  • The CRT file extension is short for certificate. A CRT file may be in PEM or Distinguished Encoding Rules (DER) format. Before you convert a certificate, check whether it actually needs to be converted.
  • PEM is a text format. It starts with "-----BEGIN ***-----" and ends with "-----END ***-----". The content between these lines is Base64-encoded. Both certificates and private keys can be saved in this format. To distinguish the two, a private key file in PEM format uses the .key extension.
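
A pre-upload check for the format rules in the note above, as an added example that is not part of the original page or of Alibaba Cloud tooling: it tells a PEM file from a DER file, converts DER to PEM, and reports which console field the result belongs in, so that a private key is never pasted into the certificate field. The helper names and sample bytes are constructed for illustration, and a DER input is assumed to be a certificate.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def is_der(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE (tag 0x30) with a consistent length."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                       # short form: the length fits in one byte
        header, length = 2, data[1]
    else:                                    # long form: the next n bytes hold the length
        n = data[1] & 0x7F
        if n == 0:                           # indefinite length is not valid DER
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def pem_labels(data: bytes) -> list:
    """Labels of all PEM blocks in data; raises if a block body is not valid Base64."""
    text = data.decode("ascii", errors="ignore")
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels

def prepare(data: bytes) -> tuple:
    """Return (console field name, PEM text) for a certificate or key file."""
    labels = pem_labels(data)
    if not labels:
        if not is_der(data):
            raise ValueError("neither PEM nor DER")
        # Assumption: a DER file handed to this helper is a certificate.
        return "Certificate (Public Key)", ssl.DER_cert_to_PEM_cert(data)
    if all(label == "CERTIFICATE" for label in labels):
        return "Certificate (Public Key)", data.decode("ascii")
    if len(labels) == 1 and labels[0].endswith("PRIVATE KEY"):
        return "Private Key", data.decode("ascii")
    raise ValueError(f"mixed or unsupported PEM blocks: {labels}")

# Constructed sample inputs: a 5-byte ASN.1 SEQUENCE, not a real certificate or key.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, blob in (("site.crt", SAMPLE_DER), ("site.key", SAMPLE_KEY_PEM)):
        field, pem = prepare(blob)
        print(f"{name} -> {field}\n{pem}")
```

The check inspects only the encoding and the block labels; it does not validate the certificate itself or confirm that a key matches a certificate.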

Step 1: Configure or renew the SSL certificate

HTTPS secure acceleration is a value-added service. After you enable HTTPS, you are charged based on the number of HTTPS requests. You cannot use CDN data transfer plans to offset the fees. For more information about the pricing of HTTPS secure acceleration, see HTTPS requests for static content.

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click HTTPS.
  5. In the HTTPS Certificate section, click Modify.
  6. In the Modify HTTPS Settings dialog box, turn on HTTPS Secure Acceleration.
    After you turn on HTTPS Secure Acceleration, the system displays a message, which indicates that you are separately billed for HTTPS requests. You can enable this feature based on your business requirements. For more information about the pricing of HTTPS secure acceleration, see HTTPS requests for static content.
  7. Set the parameters.
    Note
    • Alibaba Cloud CDN supports TLS encryption algorithms by default. For more information, see Default TLS encryption algorithms.
    • For more information about common issues that may arise when you configure SSL certificates, see FAQ about HTTPS.
    SSL certificate parameters
    Certificate Source
    Certificate Source supports the following options. You can switch between the options.
    • SSL Certificates Service

      You can apply for certificates of various CAs and types in the SSL Certificates Service console.

    • Custom Certificate (Certificate+Private Key)
      If you cannot find a certificate that meets your requirements from the certificate list, upload a custom certificate. You must enter the certificate name, the public key, and the private key of the certificate. The certificate is saved to SSL Certificates Service. You can check the certificate on the SSL Certificates page.
      Note: If the system indicates that the certificate already exists when you upload a custom certificate with a private key, change the certificate name and try again.
    • Upload Custom Certificate (Certificate)

      If you cannot find a certificate that meets your requirements from the certificate list, upload a custom certificate. You can select Upload Custom Certificate (Certificate) if you want to keep the private key confidential. In this case, you must create a certificate signing request (CSR) in the Alibaba Cloud CDN console and use the CSR to apply for a certificate from a CA. For more information, see Create a CSR.

    • Free Certificate
      Free certificates are used only for HTTPS secure acceleration. You cannot manage free certificates or view the public or private keys of free certificates in the SSL Certificates Service console. Follow the instructions in the Alibaba Cloud CDN console to apply for or renew free certificates.
      • Free certificates are issued within one to two business days. During this period of time, you can choose to upload a custom certificate or select a certificate from Alibaba Cloud SSL Certificates Service.
        Note: After you submit the application, the certificate may be issued within several hours or two business days. The time it takes is based on the verification process required by the CA.
      • A free SSL certificate is valid for one year. Before it expires, you do not need to apply for a new certificate each time you enable HTTPS acceleration. You must apply for a new certificate only if the current one expires.
    Certificate Name
    You must specify a certificate name if Certificate Source is set to one of the following values:
    • SSL Certificates Service
    • Custom Certificate (Certificate+Private Key)
    Certificate (Public Key)
    You must set Certificate (Public Key) if Certificate Source is set to one of the following values:
    • Custom Certificate (Certificate+Private Key)
    • Upload Custom Certificate (Certificate)
    For more information, see the PEM Encoding Reference below the Certificate (Public Key) field.
    Private Key
    If you set Certificate Source to Custom Certificate (Certificate+Private Key), you must set Private Key. For more information, see the PEM Encoding Reference below the Private Key field.
  8. Click OK.

Step 2: Check whether HTTPS takes effect

After an SSL certificate is uploaded, it takes effect within one minute. To verify that the SSL certificate takes effect, send HTTPS requests to access resources. If the URL is displayed with a lock icon in the address bar of the browser, HTTPS secure acceleration is working as expected.

Step 3: Disable HTTPS secure acceleration

If you no longer want to use HTTPS secure acceleration, you can disable it in the Alibaba Cloud CDN console. HTTPS secure acceleration is disabled immediately after you turn off the switch.