
Certificate Management Service: What is Certificate Management Service?

Last Updated: Dec 18, 2025

Certificate Management Service is a certificate issuance and management platform provided by Alibaba Cloud. It provides unified lifecycle management for SSL certificates, private certificates, HTTPS acceleration gateways, and certificate application repositories. This service helps you deploy and manage certificates across various use cases.

Use cases

Case 1: Public HTTPS encryption

Internet-facing services require HTTPS to secure user access. The service offers two solutions:

  • SSL certificate: Ideal for deploying certificates directly to existing infrastructure (such as web application servers, server load balancers, or CDNs), or where you have specific requirements for the certificate brand, type, or configuration.

  • HTTPS acceleration gateway: Ideal for enabling HTTPS encryption for domains with a single click, eliminating the need to manage certificate application, renewal, or deployment, while simultaneously accelerating website performance.

SSL certificate

After you purchase an SSL certificate, you must submit a certificate application via the management console. The service then forwards your application to the certificate authority (CA) for review. Once the CA approves and issues the certificate, you must manually deploy it to your web application servers or cloud services such as Alibaba Cloud CDN.


HTTPS acceleration gateway

After you purchase an HTTPS acceleration gateway, point your domain's DNS to the gateway address and configure the origin server. This enables HTTPS. The HTTPS acceleration gateway combines CDN caching with nearest-node distribution to significantly improve application performance and user experience.


Case 2: Internal enterprise HTTPS encryption

For internal services such as OA systems, ERP systems, DevOps platforms, code repositories, and IoT devices, using public certificates can be costly and restrictive due to fixed validity periods and domain verification requirements. Use the Private CA service to establish a private root CA to issue and manage internal certificates. You can customize certificate validity periods, batch-issue certificates for internal devices and services, and instantly revoke compromised certificates, building a unified internal trust system at a lower cost.

Important

Private certificates are trusted only within the enterprise and are not trusted by public browsers. You must install the root certificate or client certificate on internal enterprise devices.

Benefits

  • Trusted brands: Alibaba Cloud collaborates with leading domestic and international CAs to provide trusted digital certificates across multiple brands and types.

  • Simplified management: Centralizes lifecycle management of certificates and provides unified control of both cloud and on-premises certificates.

  • Efficient deployment: Integrates with Alibaba Cloud products, enabling one-click deployment to cloud services to simplify the certificate application process.

  • Comprehensive services: Provides an integrated solution including certificate management, HTTPS acceleration gateway, certificate application repository, and certificate hosting services.

  • Open and flexible: Provides comprehensive APIs to support batched and automated certificate management operations.

Core concepts

  • Digital certificate

    A digital credential containing a public key and identity information, issued by a trusted CA. It establishes secure communication and verifies identity. Digital certificates are valid only within a specified validity period.

  • Certificate authority (CA)

    A trusted third-party entity responsible for verifying the identity of applicants and issuing digital certificates. It serves as the source of trust in the Public Key Infrastructure (PKI).

  • SSL certificate and HTTPS

    SSL certificates enable HTTPS encrypted transmission. Once an SSL certificate is deployed on a website, communication between the browser and the server is encrypted, preventing data eavesdropping and tampering during transmission.

  • Private certificate

    Private certificates are issued by a private CA built by the enterprise. They are used for encrypted communication between internal systems, such as intranet applications and IoT devices.

Features

SSL certificates

Provides lifecycle management covering selection, purchase, creation, request, deployment, renewal, and revocation.

Private CA certificates

Builds a private certificate management platform through a visual interface. Supports self-service issuance and management of internal certificates, providing identity authentication and data encryption capabilities for internal enterprise applications to ensure secure intranet communication.

HTTPS acceleration gateway

An integrated solution that combines certificate hosting and access acceleration. It enables HTTPS and speeds up domain access with minimal configuration. It supports automatic certificate renewal, effectively reducing the O&M costs of certificate management.

Certificate application repository

Supports centralized management of certificates from different sources (Alibaba Cloud and third-party platforms). Additionally, using the certificate application repository API, you can sign, verify, encrypt, and decrypt sensitive data such as electronic contracts and invoices, ensuring the authenticity, integrity, and security of data files.

Public domain monitoring service

Periodically monitors the HTTPS status of multiple public websites (for example, checking whether SSL is not configured or certificates have expired). It displays monitoring results and remediation suggestions centrally in the console and provides detailed monitoring reports. This shifts O&M from passive response to proactive risk prevention, avoiding business interruptions caused by human oversight, such as a missed certificate expiration.

Certificate notifications

Supports custom notifications, including domain monitoring anomalies, API call anomalies, and certificate lifecycle management alerts. It also supports various notification methods such as email, DingTalk, internal messages, and phone calls.

Certificate tools

Allows you to view certificate signing request (CSR) information and certificate details, detect SSL status, and convert certificate formats for free, providing professional technical support for certificate application, configuration, and deployment.

Billing

Billable components include: SSL certificates, Private CA certificates, HTTPS acceleration gateway, and public domain monitoring. For detailed billing information, see SSL certificate billing, Private CA certificate billing, HTTPS acceleration gateway billing, and Public domain monitoring billing.

Getting started

SSL certificate

  1. Understand the service: See Core concepts, What is SSL certificate, and SSL certificate usage process to understand SSL certificate concepts and processes.

  2. Purchase a certificate: See SSL certificate selection guide to select certificate specifications as needed, then Purchase certificates.

  3. Submit request to CA for issuance: Create certificates and submit the request. Wait for issuance after completing Domain ownership verification.

  4. Deploy and use: After the certificate is issued, see SSL certificate deployment selection to determine the deployment plan, and then deploy the certificate to your servers or cloud products.

  5. Manage the certificate: Complete SSL certificate renewal before the certificate expires to prevent service interruption. Revoke and delete SSL certificates when they are no longer needed.

HTTPS acceleration gateway

  1. Understand the service: See What is HTTPS acceleration gateway to understand the product benefits and applicable scenarios.

  2. Purchase the service: See HTTPS acceleration gateway purchase guide to purchase an HTTPS acceleration gateway instance and gateway resource computing units based on the domain type.

  3. Configure the domain: See Configure HTTPS acceleration gateway to configure the acceleration domain and set up CNAME forwarding in DNS.

  4. Manage the certificate: HTTPS acceleration gateway requires no manual certificate request. After the configuration takes effect, monitor the access status to avoid business interruptions caused by overdue payments.

Private CA certificate

  1. Understand the service: Understand the applicable scenarios and usage process through Private CA service description and usage process. For free trials, see Free trial of private CA service.

  2. Purchase a certificate: Purchase and enable private CA, then Allocate private certificate quota.

  3. Submit request to CA for issuance: See Request and issue private certificates to complete private certificate issuance.

  4. Deploy and use: Download the private certificate, and then deploy the certificate to servers and clients.

  5. Manage the certificate: See Revoke private certificate and Reset private CA.

FAQ

Do I need to purchase a separate certificate for my domain after purchasing HTTPS acceleration gateway?

No. A certificate is automatically bound to your domain upon purchase.

What if I don't understand the basic concepts of SSL certificates?

Before using the certificate service, we recommend that you read the following documents:

  • What is SSL certificate: Details the encryption principles of SSL certificates, usage process, and certificate brands.

  • SSL certificate usage process: Details the usage process of SSL certificates, including purchase, request, verification, issuance, deployment, and subsequent management.

I am not sure about the encryption scenario for my current business or how to choose the right certificate. What should I do?

If you are unsure which certificate type is suitable for your current business scenario, see SSL certificate selection guide.

I am a non-technical user. How can I get comprehensive technical support?

You can visit the Product details page to consult with technical experts for assessment.