To access resources through HTTPS secure acceleration, you must configure an HTTPS certificate. This topic describes the certificate formats that are supported by Alibaba Cloud Dynamic Route for CDN (DCDN). This topic also describes how to convert certificates from various formats to the Privacy Enhanced Mail (PEM) format.

Before you enable HTTPS, you must configure an HTTPS certificate. You can select an SSL certificate that was purchased from the SSL Certificates Service console, apply for a free certificate, or upload a custom certificate. Custom certificates support only the PEM format. If a custom certificate is in another format, convert the certificate from this format to the PEM format.

Root CA certificates

Root CA certificates are issued by root certificate authorities (CAs), including Apache, IIS, NGINX, and Tomcat. Each root CA certificate is unique. Alibaba Cloud DCDN uses root CA certificates that are issued by NGINX. The certificate information is contained in a .crt file and the private key information is contained in a .key file.

A root CA certificate must follow these rules:
  • The certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  • All the lines except the last line must be 64 characters in length and the last line cannot exceed 64 characters in length.
The following figure shows a sample certificate in the PEM format. The sample certificate is used when your system runs a Linux operating system.

Intermediate CA certificates

A certificate file that is issued by an intermediate CA includes one server certificate and one intermediate certificate. You must manually concatenate the content of the server certificate and the intermediate certificate before you upload them.

Note Make sure that the content of the server certificate is followed by the content of the intermediate certificate. In most cases, the CA provides instructions for concatenating the certificates when it issues them. Follow those instructions.

The chain of certificates that are issued by an intermediate CA is in the following format:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The certificates in the chain must follow these rules:

  • Blank lines are not allowed between certificates.
  • Each certificate must be in the PEM format.

RSA private keys

A Rivest-Shamir-Adleman (RSA) private key must follow these rules:

  • The RSA private key must be generated by running the openssl genrsa -out privateKey.pem 2048 command. privateKey.pem represents the private key file.
  • The private key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
  • All the lines except the last line must be 64 characters in length and the last line can be less than 64 characters in length.
If you did not generate the private key as instructed, or the private key does not start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY----- (for example, it uses the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- markers), run the following command to convert the private key:
openssl rsa -in old_server_key.pem -out new_server_key.pem

Then, upload the new_server_key.pem file and the certificate.
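The rules in the root CA, intermediate CA and RSA private key sections above can be checked mechanically before a file is uploaded. The following Python script is an added example and is not part of the DCDN documentation or tooling; the function names are my own, and the sample inputs at the bottom are constructed filler bytes wrapped in PEM markers, not real certificates or keys.

```python
"""Check a certificate chain and an RSA private key against the PEM upload rules:
exact BEGIN/END markers, 64-character body lines with a shorter last line, no blank
lines between chained certificates, and an unencrypted RSA PRIVATE KEY block."""
import base64

CERT_LABEL = "CERTIFICATE"
KEY_LABEL = "RSA PRIVATE KEY"


def is_der_sequence(der):
    """True if `der` is exactly one DER SEQUENCE whose length field matches the data,
    which catches a body that was truncated or padded when it was pasted."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def check_body(body, end_line):
    """Check the base64 lines of one block; `body` is a list of (line_no, text)."""
    problems = []
    if not body:
        return [f"line {end_line}: empty block"]
    for i, (num, line) in enumerate(body):
        if ":" in line:                   # e.g. a "Proc-Type: 4,ENCRYPTED" header
            return [f"line {num}: header inside block; password-protected keys are not supported"]
        last = i == len(body) - 1
        if not last and len(line) != 64:
            problems.append(f"line {num}: body line has {len(line)} characters, expected 64")
        if last and len(line) > 64:
            problems.append(f"line {num}: last body line exceeds 64 characters")
    try:
        der = base64.b64decode("".join(text for _, text in body), validate=True)
    except ValueError:
        return problems + [f"block ending at line {end_line}: body is not valid base64"]
    if not is_der_sequence(der):
        problems.append(f"block ending at line {end_line}: decoded data is not one complete DER SEQUENCE")
    return problems


def check_pem_blocks(text, label):
    """Return the list of rule violations in `text`, which must contain one or more
    back-to-back PEM blocks of type `label` (an empty list means it passes)."""
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    problems, body, blocks = [], None, 0   # body is None while outside a block
    skipping = False                       # inside a block of the wrong type
    for num, line in enumerate(text.splitlines(), 1):
        if skipping:
            skipping = not line.startswith("-----END ")
        elif line == begin:
            if body is not None:
                problems.append(f"line {num}: BEGIN inside an unterminated block")
            body, blocks = [], blocks + 1
        elif line == end:
            if body is None:
                problems.append(f"line {num}: END without a matching BEGIN")
            else:
                problems += check_body(body, num)
                body = None
        elif body is not None:
            body.append((num, line))
        elif line.startswith("-----BEGIN "):
            problems.append(f"line {num}: found {line.strip('-')}, expected {label} "
                            "(convert the key with openssl rsa if it is a PRIVATE KEY block)")
            skipping = True
        elif line.strip() == "":
            problems.append(f"line {num}: blank lines between blocks are not allowed")
        else:
            problems.append(f"line {num}: unexpected text outside a block: {line[:40]!r}")
    if body is not None:
        problems.append(f"missing {end}")
    if blocks == 0:
        problems.append(f"no {begin} block found")
    return problems


def check_bundle(chain_text, key_text):
    """Check a certificate (or server+intermediate chain) and its RSA key together."""
    return ([f"certificate: {p}" for p in check_pem_blocks(chain_text, CERT_LABEL)]
            + [f"key: {p}" for p in check_pem_blocks(key_text, KEY_LABEL)])


def constructed_block(label, payload):
    """Wrap constructed filler bytes in a syntactically valid PEM block (not a real
    certificate or key; it only exercises the format checks)."""
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


# Constructed sample inputs (filler bytes, not real X.509 or RSA data).
SERVER_CERT = constructed_block(CERT_LABEL, bytes(range(256)) + bytes(44))
INTERMEDIATE_CERT = constructed_block(CERT_LABEL, bytes(300))
GOOD_CHAIN = SERVER_CERT + INTERMEDIATE_CERT          # server first, then intermediate
BAD_CHAIN = SERVER_CERT + "\n" + INTERMEDIATE_CERT    # blank line between the two
GOOD_KEY = constructed_block(KEY_LABEL, bytes(300))
PKCS8_KEY = constructed_block("PRIVATE KEY", bytes(300))  # needs `openssl rsa` first

if __name__ == "__main__":
    for name, chain, key in [("good", GOOD_CHAIN, GOOD_KEY), ("bad", BAD_CHAIN, PKCS8_KEY)]:
        print(name, check_bundle(chain, key) or "OK")
```

Run it against real files with `check_bundle(open("chain.pem").read(), open("key.pem").read())`; an empty list means the pair meets the format rules (it does not prove the key belongs to the certificate). One caveat worth knowing when you generate or convert the key: OpenSSL 3.x writes PKCS#8 (-----BEGIN PRIVATE KEY-----) by default for both `openssl genrsa` and `openssl rsa`, so on those versions add the `-traditional` option to obtain the -----BEGIN RSA PRIVATE KEY----- markers that the rules above (and this check) expect.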

Certificate format conversion

HTTPS configuration supports only certificates that are in the PEM format. If your certificates are not in the PEM format, you must convert them from other formats to the PEM format. We recommend that you use OpenSSL to convert certificate formats. The following section describes how to convert certificates from other formats to the PEM format:

  • Certificates in the DER format
    The Distinguished Encoding Rules (DER) format is typically used for Java.
    • Convert a certificate from the DER format to the PEM format:
      openssl x509 -inform der -in certificate.cer -out certificate.pem
    • Convert a private key from the DER format to the PEM format:
      openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem
  • Certificates in the P7B format
    The P7B format is typically used for Windows Server and Tomcat.
    • Convert a certificate from the P7B format to the PEM format:
      openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer

      Open the outcertificate.cer file. Then, copy and paste the part that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- as the certificate content.

    • A certificate in the P7B format does not have a private key. When you configure an HTTPS certificate in the DCDN console, you need only to specify the certificate information.
  • Certificates in the PFX format
    The PFX format is typically used for Windows Server.
    • Convert a certificate from the PFX format to the PEM format:
      openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
    • Convert a private key from the PFX format to the PEM format:
      openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
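The conversion workflow above, driven from Python, as an added example that is not part of the DCDN documentation: it assembles the openssl commands listed in this section, keeps only the BEGIN/END part of the output (the copy-and-paste step described for P7B files, which also applies to the Bag Attributes lines that `openssl pkcs12` prints), and checks that the converted certificate and key belong together, which the notes at the end of this topic require. The helper names, the extension mapping and the sample output are assumptions; `openssl` must be installed for `convert()` and `cert_matches_key()`, while `extract_blocks()` and `build_command()` run on their own.

```python
"""Convert DER, P7B or PFX files to PEM with OpenSSL and verify the result."""
import subprocess
from pathlib import Path

# Extension -> format name used below (an assumption; .cer is ambiguous in practice
# and may already hold PEM text, so convert() checks the file content first).
EXTENSIONS = {".der": "der", ".cer": "der", ".p7b": "p7b", ".pfx": "pfx", ".p12": "pfx"}


def detect_format(path):
    """Return "der", "p7b", "pfx" or "pem" for a file name, based on its extension."""
    return EXTENSIONS.get(Path(path).suffix.lower(), "pem")


def build_command(fmt, part, src, dst):
    """Return the openssl argv from the page for converting `part` ("cert" or "key")
    of a `fmt` file; P7B files carry no private key, so "key" is rejected there."""
    commands = {
        ("der", "cert"): ["x509", "-inform", "der", "-in", src, "-out", dst],
        ("der", "key"):  ["rsa", "-inform", "DER", "-outform", "pem", "-in", src, "-out", dst],
        ("p7b", "cert"): ["pkcs7", "-print_certs", "-in", src, "-out", dst],
        ("pfx", "cert"): ["pkcs12", "-in", src, "-nokeys", "-out", dst],
        ("pfx", "key"):  ["pkcs12", "-in", src, "-nocerts", "-out", dst, "-nodes"],
    }
    if (fmt, part) not in commands:
        raise ValueError(f"no {part} to extract from a {fmt} file")
    return ["openssl", *commands[(fmt, part)]]


def extract_blocks(text, labels=("CERTIFICATE",)):
    """Keep only the -----BEGIN ...----- to -----END ...----- blocks, dropping the
    subject=/issuer= and Bag Attributes lines that openssl prints around them and
    the blank lines between certificates (the upload rules forbid them)."""
    begins = {f"-----BEGIN {label}-----" for label in labels}
    ends = {f"-----END {label}-----" for label in labels}
    out, keep = [], False
    for line in text.splitlines():
        if line in begins:
            keep = True
        if keep:
            out.append(line)
        if line in ends:
            keep = False
    return "\n".join(out) + ("\n" if out else "")


def convert(src, part, dst):
    """Convert `src` to PEM with openssl, keep only the PEM block(s), write `dst`."""
    fmt = detect_format(src)
    raw = Path(src).read_bytes()
    if raw.startswith(b"-----BEGIN"):
        fmt = "pem"                      # already PEM text regardless of extension
    if fmt == "pem":
        text = raw.decode()
    else:
        subprocess.run(build_command(fmt, part, src, dst), check=True)
        text = Path(dst).read_text()
    labels = ("CERTIFICATE",) if part == "cert" else ("RSA PRIVATE KEY", "PRIVATE KEY")
    cleaned = extract_blocks(text, labels)
    Path(dst).write_text(cleaned)
    return cleaned


def cert_matches_key(cert_pem, key_pem):
    """True if the RSA modulus in the certificate equals the one in the private key
    (the page requires the uploaded pair to match)."""
    def modulus(args):
        return subprocess.run(["openssl", *args, "-noout", "-modulus"],
                              check=True, capture_output=True, text=True).stdout.strip()
    return modulus(["x509", "-in", cert_pem]) == modulus(["rsa", "-in", key_pem])


# Constructed sample of `openssl pkcs7 -print_certs` output; the base64 bodies are
# filler, not real certificates.
P7B_OUTPUT = """subject=CN = server (constructed)
issuer=CN = intermediate (constructed)
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----

subject=CN = intermediate (constructed)
issuer=CN = root (constructed)
-----BEGIN CERTIFICATE-----
MDEyMzQ1Njc4OQ==
-----END CERTIFICATE-----

"""

if __name__ == "__main__":
    print(extract_blocks(P7B_OUTPUT), end="")
```

Typical use is `convert("certname.pfx", "cert", "cert.pem")`, `convert("certname.pfx", "key", "key.pem")` and then `cert_matches_key("cert.pem", "key.pem")` before uploading. If the extracted key carries -----BEGIN PRIVATE KEY----- markers rather than -----BEGIN RSA PRIVATE KEY-----, run the `openssl rsa` conversion from the RSA private keys section on it first.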

Free certificates

When you use a free certificate, follow these rules:
  • In most cases, free certificates are issued within one to two business days. During this period, you can choose to upload a custom certificate or an SSL certificate that was purchased from SSL Certificates Service.
    Note After you submit the application, the certificate may be issued within several hours or up to two business days. The time required depends on the verification process of the CA.
  • You can switch among a custom certificate, a purchased certificate from SSL Certificates Service, and a free certificate.
  • A free certificate is valid for one year and is automatically renewed upon expiration.
  • You do not need to apply for a new certificate each time you enable HTTPS secure acceleration. If you enable HTTPS secure acceleration and the free certificate expires, you must apply for a new one.

Others

When you use HTTPS certificates, pay attention to the following notes:
  • You can disable, enable, and modify HTTPS certificates. After HTTPS certificates are disabled, the system deletes the certificate information. To enable a disabled certificate, you must re-upload the certificate or the private key. For more information, see Configure an SSL certificate.
  • Only Secure Sockets Layer (SSL) and Transport Layer Security (TLS) handshakes that include Server Name Indication (SNI) values are supported.
  • Make sure that the uploaded certificate and private key match each other.
  • An updated certificate takes 10 minutes to take effect.
  • Password-protected private keys are not supported.