Certificate Management Service: What is Certificate Management Service?

Last Updated: Nov 24, 2025

Certificate Management Service is an Alibaba Cloud platform for issuing and managing certificates. It provides one-stop services, including full lifecycle management for SSL certificates and private certificates, HTTPS acceleration gateways, and a certificate application repository. This helps you deploy and manage certificates in various scenarios.

Scenarios

Scenario 1: HTTPS encryption for public traffic

Internet-facing businesses must use HTTPS to ensure secure user access. Certificate Management Service provides the following two solutions:

  • SSL certificates: This solution is suitable for scenarios where you need to deploy certificates directly to existing infrastructure, such as web application servers, Server Load Balancer, or CDN. It is also suitable if you have specific requirements for certificate brands, types, or configurations.

  • HTTPS acceleration gateway: This solution is suitable for scenarios where you want to enable HTTPS encryption for a domain name with one click. You do not need to manage technical details, such as certificate requests, renewals, or deployments. This service also accelerates your website.

SSL certificates

After you purchase an SSL certificate, Certificate Management Service submits a certificate request to a Certificate Authority (CA) based on the application information. After the CA approves the request and issues the certificate, you must deploy the certificate to a cloud product, such as a web application server or CDN.

HTTPS acceleration gateway

After you purchase an HTTPS acceleration gateway, you only need to resolve the domain name to the gateway's dedicated address and configure the origin server information. HTTPS access is then automatically enabled. The HTTPS acceleration gateway uses CDN caching and nearby distribution to significantly improve application performance and user experience.

Scenario 2: HTTPS encryption for internal corporate traffic

For non-public services within an enterprise, such as OA, ERP, DevOps platforms, code repositories, and IoT devices, using public certificates is costly. Public certificates are also limited by fixed validity periods and domain validation requirements. The Private Certificate Authority (PCA) service lets you build a dedicated private root CA. You can issue and manage internal certificates, customize certificate validity periods, issue certificates in batches for internal devices and services, and instantly revoke abnormal certificates. This helps you build a unified internal trust system at a lower cost.

Important

Private certificates are trusted only within the enterprise and not by public browsers. You must install the root certificate or client certificates on enterprise devices.

Benefits

  • Trusted brands: We partner with well-known domestic and international CAs to provide a wide range of trusted digital certificates.

  • Convenient management: Supports unified management of the entire certificate lifecycle. You can centrally manage certificates on and off the cloud.

  • Efficient deployment: Deeply integrated with Alibaba Cloud products. Supports one-click deployment to cloud products, which simplifies the certificate application process.

  • Comprehensive services: Provides one-stop solutions, including certificate management, HTTPS acceleration gateway, certificate application repository, and certificate hosting services.

  • Open and flexible: Provides a rich set of API operations to support batch and automated certificate management.

Core concepts

  • Digital Certificate

    A digital credential issued by a trusted CA. It contains a public key and entity information, and is used to establish secure communication and verify identity. A digital certificate is valid only within its specified validity period.

  • Certificate Authority (CA)

    A globally trusted third-party organization that is responsible for verifying the identity of applicants and issuing digital certificates. It is the source of trust in a public key system.

  • SSL certificates and HTTPS

    An SSL certificate is the foundation for HTTPS encrypted transmission. After a website deploys an SSL certificate, communication between the browser and the server is encrypted. This effectively prevents data from being eavesdropped on or tampered with during transmission.

  • Private Certificate (PCA)

    A private certificate is issued by a private CA built by an enterprise. It is used for encrypted communication between internal systems, such as in internal network applications and IoT device scenarios.

Features

SSL certificates

Provides full lifecycle management for certificates, including selection, purchase, creation, request, deployment, renewal, and revocation.

PCA certificates

Helps enterprises quickly build a private certificate management platform through a visual interface. Supports self-issuance and management of internal certificates. Provides identity authentication and data encryption capabilities for internal applications to ensure secure internal network communication.

HTTPS acceleration gateway

A one-stop HTTPS acceleration solution that integrates certificate hosting and access acceleration features. You can quickly enable HTTPS access and access acceleration for domain names through simple configuration. It supports automatic certificate renewal, which effectively reduces the O&M costs of certificate management.

Domain name monitoring service

Supports periodic monitoring of the HTTPS status of multiple public websites, such as no SSL configuration or expired certificates. It centrally displays monitoring results and repair suggestions in the console and provides detailed monitoring reports. This shifts certificate O&M from a reactive to a proactive approach, preventing business interruptions caused by human error, such as expired certificates.
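The kind of check such monitoring performs, as an added example (not Alibaba Cloud's code or API): it reports an endpoint as having no TLS, an expired or untrusted certificate, a certificate inside a renewal window, or a healthy one. The function names, the 30-day window, and the `cafile` parameter (for internal services signed by a private root CA) are assumptions of this example.

```python
import socket
import ssl
from datetime import datetime, timezone

X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verification error code


def classify(not_after, now, warn_days=30):
    """Classify a notAfter string in getpeercert() format, e.g.
    'Jan  1 00:00:00 2026 GMT'. Returns (status, whole days remaining)."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    remaining = (expires - now).days
    if expires <= now:
        return "expired", remaining
    if remaining < warn_days:
        return "expiring", remaining
    return "ok", remaining


def probe(host, port=443, cafile=None, warn_days=30, timeout=5.0):
    """Handshake with host:port and report the certificate status.
    cafile: PEM root to trust instead of the system store (private CA)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Verification failed, so no parsed certificate is available;
        # the OpenSSL error code tells expiry apart from other trust failures.
        if exc.verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
            return "expired", None
        return "untrusted", None
    except (ssl.SSLError, OSError):
        return "no_tls", None  # refused, timed out, or not speaking TLS
    return classify(not_after, datetime.now(timezone.utc), warn_days)


if __name__ == "__main__":
    # Constructed sample value, evaluated against a fixed clock.
    fixed_now = datetime(2025, 12, 22, tzinfo=timezone.utc)
    print(classify("Jan  1 00:00:00 2026 GMT", fixed_now))
```

When `cafile` is set, only that root is trusted, so a certificate issued by a private CA verifies while one from a public CA is reported as `untrusted`.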

Certificate notification

Supports custom notifications for events such as domain name monitoring exceptions, API call exceptions, and certificate lifecycle management. It also supports multiple notification methods, such as emails, DingTalk, internal messages, or phone calls.

Certificate toolkit

You can use it to perform free actions, such as viewing Certificate Signing Request (CSR) information and certificate details, checking SSL status, and converting certificate formats. This provides professional technical support for certificate requests, configuration, and deployment.

Billing

Billable products in Certificate Management Service include SSL certificates, PCA certificates, the HTTPS acceleration gateway, and public domain name monitoring. For more information, see the following billing documents: Billing of SSL certificates, Billing of PCA certificates, Billing of HTTPS acceleration gateway, and Billing of public domain name monitoring.

Getting started

SSL certificates

  1. Learn about the service: Read Core concepts, What is an SSL certificate?, and SSL certificate workflow to understand the concepts and procedures related to SSL certificates.

  2. Purchase a certificate: See Select an SSL certificate to determine the certificate specifications based on your business scenario. Then, purchase a commercial certificate.

  3. Request issuance: After you create an SSL certificate, submit a certificate request to a CA. Complete the domain name ownership verification as required by the CA and wait for the certificate to be issued.

  4. Deploy the certificate: After the certificate is issued, see Select a deployment solution for an SSL certificate to determine the deployment solution. Then, deploy the certificate to your server or cloud product.

  5. Manage the certificate: Renew the SSL certificate before it expires to prevent business interruptions. If the certificate is no longer needed, revoke and delete the SSL certificate.

HTTPS acceleration gateway

  1. Learn about the service: Read What is HTTPS acceleration gateway? to understand its benefits and scenarios.

  2. Purchase the service: See Purchasing guide for HTTPS acceleration gateway to purchase an HTTPS acceleration gateway instance and gateway resource computing units based on your domain name type.

  3. Configure the domain name: See Configure an HTTPS acceleration gateway to configure the accelerated domain name and set up CNAME forwarding in DNS.

  4. Manage the certificate: You do not need to manually request a certificate for the HTTPS acceleration gateway. After the configuration takes effect, monitor the accessed state to prevent business interruptions caused by overdue payments.

PCA certificates

  1. Learn about the service: Read Overview and workflow of the PCA service to understand its scenarios and workflow. To apply for a free trial, see Free trial of the private CA service.

  2. Purchase a certificate: After you purchase and enable a private CA, allocate a private certificate quota.

  3. Request issuance: See Request and issue a private certificate to issue a private certificate.

  4. Deploy and use: After you download a private certificate, deploy the certificates to the server and client.

  5. Manage the certificate: See Revoke a private certificate and Reset a private CA.

FAQ

Do I still need to purchase a certificate for my domain name after purchasing an HTTPS acceleration gateway?

No, you do not. After you purchase an HTTPS acceleration gateway, a certificate is automatically attached to your domain name.

What if I am not familiar with the basic concepts of SSL certificates?

Before you purchase and use Certificate Service, read the following documents:

  • What is an SSL certificate?: This document describes the encryption principles, workflow, and brands of SSL certificates.

  • SSL certificate workflow: This document describes the workflow of using an SSL certificate, including purchase, request, verification, issuance, deployment, and subsequent management.

I am not sure about the encryption scenario for my current business, and I do not know how to choose a suitable certificate. What should I do?

If you are not sure which type of certificate to purchase for your business scenario, see Select an SSL certificate.

I am a non-technical person. How can I get comprehensive technical support services?

You can visit the product page to consult with technical experts for an assessment.