To access resources over HTTPS secure acceleration, you must configure an SSL certificate. This topic describes the certificate formats that are supported by Alibaba Cloud Dynamic Route for CDN (DCDN) and how to convert certificate formats.

Before you enable HTTPS, you must configure an SSL certificate. You can directly select a certificate purchased in the Alibaba Cloud SSL Certificates Service console or a free certificate, or upload a custom certificate. For more information, see Request and renew an SSL certificate. Custom certificates support only the PEM format. If a custom certificate is in another format, convert the certificate to the PEM format.

Root CA certificates

Root CA certificates are issued by root certificate authorities (CAs) including Apache, IIS, NGINX, and Tomcat. Each root CA certificate is unique. Alibaba Cloud DCDN uses root CA certificates that are issued by NGINX. The certificate information is contained in a .crt file and the private key is contained in a .key file.

Take note of the following rules when you upload a certificate:
  • The certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  • All lines except the last line must be 64 characters in length. The last line can be up to 64 characters in length.
The following figure shows a sample certificate in PEM format that is used in Linux.

Certificates issued by an intermediate CA

A certificate file that is issued by an intermediate CA contains multiple certificates. When you configure HTTPS, you must combine the intermediate certificates and server certificate into a complete certificate before you upload it.

Note: When you combine the certificates, make sure that the server certificate comes first and is followed by the intermediate certificate. In most cases, the CA provides instructions for this when it issues a certificate. Follow those instructions.

A chain of certificates that are issued by an intermediate CA (the base64 bodies are omitted; note that no empty lines separate the certificates):

-----BEGIN CERTIFICATE-----
(server certificate, base64)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate, base64)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(next intermediate certificate, base64)
-----END CERTIFICATE-----

The certificates in the chain must comply with the following rules:

  • Empty lines are not allowed between certificates.
  • Each certificate must be in PEM format.

RSA private key formats

A Rivest-Shamir-Adleman (RSA) private key must comply with the following rules:

  • Run the openssl genrsa -out privateKey.pem 2048 command to generate the RSA private key. privateKey.pem is the private key file.
  • The private key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
  • All lines except the last line must be 64 characters in length. The last line can be less than 64 characters in length.
If you do not generate the private key as instructed and the private key does not start with -----BEGIN PRIVATE KEY----- or end with -----END PRIVATE KEY-----, run the following command to convert the private key:
openssl rsa -in old_server_key.pem -out new_server_key.pem

Then, upload the new_server_key.pem file and the certificate together.
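The upload rules in the two sections above are easy to violate when a CA delivers a bundle with 76-column wrapping or blank lines between certificates. The following Python script is an added example and not part of the Alibaba Cloud documentation: check_pem reports every violation of those rules (markers, 64-character lines, no empty lines, valid base64, one block unless a chain is expected) and normalize_pem rewrites a file into the required layout. The sample chain is constructed from arbitrary bytes, so it has the right shape but is not a real certificate; a structural check like this complements, and does not replace, inspecting the real file with openssl x509 -noout -text.

```python
import base64

# Markers and line rule from the DCDN upload requirements described above.
CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
CERT_END = "-----END CERTIFICATE-----"
KEY_BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
KEY_END = "-----END RSA PRIVATE KEY-----"
LINE_LEN = 64


def check_pem(text, begin=CERT_BEGIN, end=CERT_END, allow_chain=False):
    """Return the upload-rule violations found in text (an empty list means compliant).

    Checks: first line is `begin`, last line is `end`, no empty lines anywhere
    (so none between chained certificates), every body line except the last of
    a block is exactly LINE_LEN characters and the last is at most LINE_LEN,
    each body is valid base64, and (unless allow_chain) there is exactly one block.
    """
    problems = []
    lines = text.splitlines()
    if not lines:
        return ["file is empty"]
    if lines[0] != begin:
        problems.append(f"line 1: expected {begin}")
    if lines[-1] != end:
        problems.append(f"line {len(lines)}: expected {end}")

    inside, body, blocks = False, [], 0
    for n, line in enumerate(lines, 1):
        if line == begin:
            if inside:
                problems.append(f"line {n}: {begin} before the previous block ended")
            inside, body, blocks = True, [], blocks + 1
        elif line == end:
            if not inside:
                problems.append(f"line {n}: {end} without a matching begin line")
            first_body_line = n - len(body)
            for i, b in enumerate(body):
                if i < len(body) - 1 and len(b) != LINE_LEN:
                    problems.append(f"line {first_body_line + i}: {len(b)} characters, expected {LINE_LEN}")
                elif i == len(body) - 1 and len(b) > LINE_LEN:
                    problems.append(f"line {first_body_line + i}: last line longer than {LINE_LEN} characters")
            try:
                base64.b64decode("".join(body), validate=True)
            except ValueError:  # binascii.Error is a ValueError
                problems.append(f"block ending at line {n}: body is not valid base64")
            inside, body = False, []
        elif line.strip() == "":
            problems.append(f"line {n}: empty line (not allowed, even between certificates)")
        elif inside:
            body.append(line)
        else:
            problems.append(f"line {n}: text outside a PEM block")
    if inside:
        problems.append("last block has no end marker")
    if blocks > 1 and not allow_chain:
        problems.append(f"{blocks} blocks found, expected exactly one")
    return problems


def normalize_pem(text, begin=CERT_BEGIN, end=CERT_END):
    """Rewrite text into the required layout: only the blocks between begin/end
    survive, blank lines and surrounding text are dropped, and each body is
    re-wrapped to LINE_LEN characters. Block order is preserved, so the server
    certificate must already precede its intermediates."""
    out, payload, inside = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == begin:
            inside, payload = True, []
        elif stripped == end and inside:
            joined = "".join(payload)
            out.append(begin)
            out.extend(joined[i:i + LINE_LEN] for i in range(0, len(joined), LINE_LEN))
            out.append(end)
            inside = False
        elif inside and stripped:
            payload.append(stripped)
    return "\n".join(out)


def _fake_body(seed, width=76):
    """Constructed stand-in for a certificate body: base64 of arbitrary bytes,
    wrapped at `width` (76 is what some tools emit; DCDN requires 64)."""
    raw = bytes((seed + i) % 256 for i in range(512))
    b64 = base64.b64encode(raw).decode()
    return [b64[i:i + width] for i in range(0, len(b64), width)]


# Constructed chain as it might arrive from a CA: 76-column wrapping and a blank
# line between the server certificate and the intermediate (both rule violations).
SAMPLE_CHAIN = "\n".join(
    [CERT_BEGIN, *_fake_body(1), CERT_END, "", CERT_BEGIN, *_fake_body(2), CERT_END]
)

if __name__ == "__main__":
    for p in check_pem(SAMPLE_CHAIN, allow_chain=True):
        print("violation:", p)
    fixed = normalize_pem(SAMPLE_CHAIN)
    print("after normalizing:", check_pem(fixed, allow_chain=True) or "compliant")
```

Pass begin=KEY_BEGIN, end=KEY_END to check a private key file against the same line rules; the script only checks layout and does not verify that the key matches the certificate.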

Convert certificate formats

HTTPS configuration supports only certificates that are in the PEM format. If your certificates are not in the PEM format, you must convert them to the PEM format. We recommend that you use OpenSSL to convert certificate formats. This section describes how to convert certificates to PEM:

  • Convert a certificate from DER to PEM
    The DER format is typically used for Java.
    • Convert the certificate format:
      openssl x509 -inform der -in certificate.cer -out certificate.pem
    • Convert the private key format:
      openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem
  • Convert a certificate from P7B to PEM
    The P7B format is typically used for Windows Server and Tomcat.
    • Convert the certificate format:
      openssl pkcs7 -print_certs -in incertificate.p7b -out outcertificate.cer

      Open the outcertificate.cer file. Then, upload the part that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

    • A certificate in the P7B format does not include a private key. When you configure an SSL certificate in the DCDN console, specify the certificate information. You do not need to specify the private key.
  • Convert a certificate from PFX to PEM
    The PFX format is typically used for Windows Server.
    • Convert the certificate format:
      openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
    • Convert the private key format:
      openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
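Choosing the wrong conversion above usually fails with an unhelpful ASN.1 parse error, so it helps to confirm what a file actually contains before running openssl. The following Python script is an added example and not part of the Alibaba Cloud documentation: sniff_format classifies a file by its PEM header label or, for binary input, by the leading ASN.1 structure (X.509 certificate, PKCS#7 signedData, PKCS#12 PFX, PKCS#1 or PKCS#8 private key), and suggest_conversion maps the result to the command from this section. It goes beyond the page by also recognising PKCS#8 DER keys and PEM-wrapped P7B bundles. The OIDs and structure layouts come from the X.509, PKCS#7, PKCS#12, PKCS#1 and PKCS#8 specifications; the sample inputs are constructed header fragments, not real files, and the file names in the commands are the placeholders used above.

```python
import re

# DER-encoded OID values (no tag/length) that identify PKCS#7 and PKCS#12 containers.
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2 signedData
OID_PKCS7_DATA = bytes.fromhex("2A864886F70D010701")         # 1.2.840.113549.1.7.1 data

# Conversion commands as given in the section above, keyed by detected format.
# The file names are the section's placeholders; substitute your own.
CONVERSIONS = {
    "x509-der": "openssl x509 -inform der -in certificate.cer -out certificate.pem",
    "rsa-key-der": "openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem",
    "pkcs8-key-der": "openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem",
    "p7b": "openssl pkcs7 -print_certs -in incertificate.p7b -out outcertificate.cer",
    "pfx": "openssl pkcs12 -in certname.pfx -nokeys -out cert.pem && "
           "openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes",
    "pem-cert": "already PEM: upload as-is",
    "pem-key": "already PEM: if the header is not the RSA one, run "
               "openssl rsa -in old_server_key.pem -out new_server_key.pem",
}


def _tlv(buf, pos):
    """Decode one DER tag/length header at pos -> (tag, header_len, content_len)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def sniff_format(buf):
    """Classify the first bytes of a certificate or key file.

    PEM is recognised by its header label. For binary input only the leading
    ASN.1 structure is inspected (no full parse):
      X.509 cert : SEQUENCE { SEQUENCE { [0] version | INTEGER serial ... } ... }
      PKCS#7/P7B : SEQUENCE { OID signedData ... }
      PKCS#12/PFX: SEQUENCE { INTEGER 3, SEQUENCE { OID data ... } ... }
      PKCS#1 key : SEQUENCE { INTEGER 0, INTEGER modulus ... }
      PKCS#8 key : SEQUENCE { INTEGER 0, SEQUENCE algorithm ... }
    """
    m = re.match(rb"\s*-----BEGIN ([A-Z0-9 ]+)-----", buf)
    if m:
        label = m.group(1)
        if label == b"PKCS7":
            return "p7b"
        if label == b"CERTIFICATE":
            return "pem-cert"
        if label in (b"RSA PRIVATE KEY", b"PRIVATE KEY"):
            return "pem-key"
        return "pem-other"
    try:
        tag, hl, _ = _tlv(buf, 0)
        if tag != 0x30:
            return "unknown"
        pos = hl
        t2, hl2, l2 = _tlv(buf, pos)
        val2 = buf[pos + hl2:pos + hl2 + l2]
        nxt = pos + hl2 + l2
        if t2 == 0x30:
            t3, _, _ = _tlv(buf, pos + hl2)
            return "x509-der" if t3 in (0xA0, 0x02) else "unknown"
        if t2 == 0x06 and val2 == OID_PKCS7_SIGNED_DATA:
            return "p7b"
        if t2 == 0x02:
            t3, hl3, _ = _tlv(buf, nxt)
            if val2 == b"\x03" and t3 == 0x30:
                t4, hl4, l4 = _tlv(buf, nxt + hl3)
                oid = buf[nxt + hl3 + hl4:nxt + hl3 + hl4 + l4]
                if t4 == 0x06 and oid == OID_PKCS7_DATA:
                    return "pfx"
            if val2 == b"\x00" and t3 == 0x02:
                return "rsa-key-der"
            if val2 == b"\x00" and t3 == 0x30:
                return "pkcs8-key-der"
    except IndexError:
        pass  # truncated input or not DER at all
    return "unknown"


def suggest_conversion(buf):
    """Map the detected format to the conversion step from this section."""
    return CONVERSIONS.get(sniff_format(buf),
                           "unrecognised input; inspect it with: openssl asn1parse -inform DER -in <file>")


# Constructed DER prefixes (headers only, not complete objects) for a quick demo.
SAMPLES = {
    "cert.cer": bytes.fromhex("30820200" "30820169" "A003020102"),
    "bundle.p7b": bytes.fromhex("30820300" "0609" "2A864886F70D010702"),
    "site.pfx": bytes.fromhex("30820400" "020103" "30820380" "0609" "2A864886F70D010701"),
    "key.der": bytes.fromhex("30820500" "020100" "0282010100"),
    "key8.der": bytes.fromhex("30820500" "020100" "300D0609" "2A864886F70D010101" "0500"),
    "site.pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {sniff_format(data):14} -> {suggest_conversion(data)}")
```

Run it on real files with open(path, "rb").read(); the script reads only the first few dozen bytes of structure, so it says what kind of container a file is, not whether its contents are valid.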