Before enabling the HTTPS service, you must configure certificates. You can directly select Alibaba Cloud Security certificates, apply for a free certificate, or manually upload custom certificates. You can upload only certificates in PEM format. You must convert certificates and private keys from other formats to the PEM format.
Certificate authorities (CAs) generally provide the following types of certificates. Alibaba Cloud DCDN uses the Nginx format (certificates are .crt files and private keys are .key files):
- If certificates are issued by a root CA, you receive only one certificate.
- If you have obtained a certificate file consisting of multiple certificates from an intermediate CA, you must manually splice the server certificate and intermediate certificate before uploading them together.
Splicing rules: The server certificate must be followed by the intermediate certificate without any blank line. Generally, the CA provides the relevant description when issuing a certificate, so pay attention to the rule description.
Verify that the format of a certificate is correct before uploading the certificate.
In Linux environments, certificates are in the PEM format. Certificate rules:
- Upload the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- content together.
- Each line has 64 characters, but the last line can have fewer than 64 characters.
Certificate chain rules:
- Do not insert a blank line between certificates.
- Each certificate must comply with the certificate rules.
RSA private key rules:
- Run the openssl genrsa -out privateKey.pem 2048 command to generate a local private key, with privateKey.pem being the private key file.
- -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- indicate the beginning and end of the private key file, respectively. Upload the beginning and end content together.
- Each line has 64 characters, but the last line can have fewer than 64 characters.
If your private key was not generated according to the preceding rules and is in the -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY----- format, run the following command to convert the private key:
openssl rsa -in old_server_key.pem -out new_server_key.pem
Then, upload the new_server_key.pem content together with the certificate.
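The certificate rules, chain rules and private key rules above are simple enough to check locally before an upload is rejected by the console. The following Python linter is an added example, not part of the original page or of any Alibaba Cloud tool: it checks the BEGIN/END markers, the 64-character line rule, that no blank line sits between spliced certificates, that the body is valid base64, that the key is not password-protected, and it points a PKCS#8 (-----BEGIN PRIVATE KEY-----) key at the openssl rsa conversion command given above. The sample blocks are constructed placeholders with valid base64 bodies, not real certificates or keys.

```python
"""Lint PEM text against the DCDN certificate and private-key upload rules.

Added example; the sample blocks below are constructed placeholders, not real
certificates or keys.
"""
import base64
import binascii

CERT_BEGIN, CERT_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
RSA_BEGIN, RSA_END = "-----BEGIN RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----"
PKCS8_BEGIN, PKCS8_END = "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----"
# Markers of password-protected keys, which the console does not accept.
ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")


def _check_block(lines, begin, end, label, problems):
    """Check one BEGIN..END block: markers present, 64-char body lines, valid base64."""
    if not lines or lines[0] != begin:
        problems.append(f"{label}: missing {begin}")
        return
    if lines[-1] != end:
        problems.append(f"{label}: missing {end}")
        return
    body = lines[1:-1]
    if not body:
        problems.append(f"{label}: empty body")
        return
    last = len(body) - 1
    for i, line in enumerate(body):
        if i < last and len(line) != 64:
            problems.append(f"{label}: body line {i + 1} has {len(line)} characters, expected 64")
        elif i == last and not 0 < len(line) <= 64:
            problems.append(f"{label}: last body line has {len(line)} characters, expected 1 to 64")
    try:
        base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError):
        problems.append(f"{label}: body is not valid base64")


def lint_certificate(pem_text):
    """Return rule violations for a single certificate or a spliced server+intermediate chain."""
    problems = []
    if "\r" in pem_text:  # CRLF endings make every body line 65 characters
        problems.append("CRLF line endings found; use LF so each body line is exactly 64 characters")
        pem_text = pem_text.replace("\r\n", "\n")
    lines = pem_text.rstrip("\n").split("\n")
    blocks, current = [], None
    for n, line in enumerate(lines, 1):
        if line == CERT_BEGIN:
            if current is not None:  # previous block never reached its END marker
                blocks.append(current)
            current = [line]
        elif current is not None:
            current.append(line)
            if line == CERT_END:
                blocks.append(current)
                current = None
        elif line.strip() == "":
            problems.append(f"line {n}: blank line outside a certificate block (none allowed between certificates)")
        else:
            problems.append(f"line {n}: text outside a certificate block: {line[:40]!r}")
    if current is not None:
        blocks.append(current)
    if not blocks:
        problems.append("no certificate block found")
    for i, block in enumerate(blocks, 1):
        _check_block(block, CERT_BEGIN, CERT_END, f"certificate {i}", problems)
    return problems


def lint_private_key(pem_text):
    """Return rule violations for a private key; PKCS#8 keys get the page's conversion command."""
    if any(marker in pem_text for marker in ENCRYPTED_MARKERS):
        return ["private key is password-protected; keys with passwords are not supported"]
    lines = pem_text.replace("\r\n", "\n").strip("\n").split("\n")
    problems = []
    if lines[0] == PKCS8_BEGIN:
        _check_block(lines, PKCS8_BEGIN, PKCS8_END, "private key", problems)
        problems.append("PKCS#8 header found; convert with: openssl rsa -in old_server_key.pem -out new_server_key.pem")
        return problems
    _check_block(lines, RSA_BEGIN, RSA_END, "private key", problems)
    return problems


def splice_chain(server_cert, intermediate_cert):
    """Server certificate first, intermediate certificate second, no blank line between them."""
    return server_cert.strip() + "\n" + intermediate_cert.strip() + "\n"


def _placeholder_block(begin, end, body_lines=3, last="AAAA"):
    """Constructed placeholder: 64-char base64 lines plus a short last line, not real data."""
    return "\n".join([begin, *(["A" * 64] * body_lines), last, end]) + "\n"


SERVER_CERT = _placeholder_block(CERT_BEGIN, CERT_END)
INTERMEDIATE_CERT = _placeholder_block(CERT_BEGIN, CERT_END, body_lines=2)
GOOD_CHAIN = splice_chain(SERVER_CERT, INTERMEDIATE_CERT)
BAD_CHAIN = SERVER_CERT + "\n" + INTERMEDIATE_CERT        # blank line between the two certificates
BAD_WRAP = SERVER_CERT.replace("A" * 64, "A" * 76, 1)     # first body line wrapped at 76 characters
GOOD_KEY = _placeholder_block(RSA_BEGIN, RSA_END)
PKCS8_KEY = _placeholder_block(PKCS8_BEGIN, PKCS8_END)
ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, text, lint in [("spliced chain", GOOD_CHAIN, lint_certificate),
                             ("blank line in chain", BAD_CHAIN, lint_certificate),
                             ("76-char line", BAD_WRAP, lint_certificate),
                             ("rsa key", GOOD_KEY, lint_private_key),
                             ("pkcs8 key", PKCS8_KEY, lint_private_key),
                             ("encrypted key", ENCRYPTED_KEY, lint_private_key)]:
        print(f"{name}: {lint(text) or 'OK'}")
```

Run the script on the output of `cat server.crt intermediate.crt` (or on the file you are about to paste into the console) to catch a stray blank line or a 76-character wrap before the upload fails. The linter only checks the text format the page describes; it does not verify that the certificate and private key belong together.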
SSL acceleration only supports certificates in the PEM format. Certificates in other formats must be converted to the PEM format. We recommend that you use the OpenSSL tool for conversion. The following shows the methods used to convert other common certificate formats to PEM.
The DER format is generally used on Java platforms.
Certificate conversion:
openssl x509 -inform der -in certificate.cer -out certificate.pem
Private key conversion:
openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem
The P7B format is generally used in Windows Server and Tomcat.
Certificate conversion:
openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer
Then, extract the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- content in outcertificate.cer and upload the content as a certificate.
Private key conversion: P7B certificates do not have private keys, so you only have to enter the certificate portion, not the private key portion, in the console.
The PFX format is generally used in Windows Server.
Certificate conversion:
openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
Private key conversion:
openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
You can also apply for free certificates to enable the SSL acceleration service. You can apply for one free certificate per domain name, with no limit per account. The system does not support wildcard domain names.
- The application process for a free certificate takes 5 to 10 minutes. While waiting, you can also go back and choose to upload a custom certificate or select a managed certificate.
- You can switch among custom, managed, and free certificates at any time, regardless of which one you enabled initially.
- Free certificates are valid for one year and are renewed automatically when they expire.
- When using this product, if you disable the HTTPS settings and then enable the free certificate option again, the system uses the free certificate you applied for previously, provided it has not expired. If your certificate has expired when you enable the free certificate option, the system reapplies for a free certificate.
- You can disable, enable, and modify certificates. After you disable a certificate, the system no longer retains the certificate information. When you re-enable the certificate, you must upload the certificate and private key again. See SSL acceleration settings tutorial.
- Only SSL/TLS handshakes with SNI information are supported.
- Make sure that the certificate and private key you upload match.
- Certificate updates take effect in 10 minutes.
- Private keys with passwords are not supported.
For more certificate-related FAQs, see More certificate questions.