Certificate format instruction

Last Updated: Dec 11, 2018

Before enabling the HTTPS service, you must configure certificates. You can directly select Alibaba Cloud Security certificates, apply for a free certificate, or manually upload custom certificates. You can upload only certificates in PEM format. You must convert certificates and private keys from other formats to the PEM format.

Certificate format requirements

Certificate authorities (CAs) generally provide the following types of certificates. Alibaba Cloud DCDN uses the Nginx format (certificates are .crt files and private keys are .key files):

  • If certificates are issued by a root CA, you receive only one certificate.

  • If you have obtained a certificate file consisting of multiple certificates from an intermediate CA, you must manually splice the server certificate and intermediate certificate before uploading them together.

    Splicing rules: The server certificate must come first, followed by the intermediate certificate, with no blank line between them. The CA generally describes these rules when it issues a certificate, so check that description.


Verify that the format of a certificate is correct before uploading it.

Certificates issued by a root CA

In Linux environments, certificates are in the PEM format.

Certificate rules:

  • Upload the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- content together.
  • Each line has 64 characters, but the last line can have fewer than 64 characters.

Certificates issued by an intermediate CA

Certificate link rules:

  • Do not insert a blank line between certificates.
  • Each certificate must comply with the certificate rules.
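
The certificate and chain rules above can be checked mechanically before upload. The following lint is an added example, not Alibaba Cloud tooling; the function name lint_pem_chain and the sample files are constructed for illustration, and it checks layout only (it does not parse the certificates or confirm that the server certificate comes first).

```shell
#!/bin/sh
# Added example: lint a PEM certificate file against the rules above.
# Prints one line per violation and returns 1 if any were found.
lint_pem_chain() {
    awk '
    /^-----BEGIN CERTIFICATE-----$/ {
        if (inside) { print "line " NR ": BEGIN inside a certificate"; bad = 1 }
        inside = 1; count++; short = 0; next
    }
    /^-----END CERTIFICATE-----$/ {
        if (!inside) { print "line " NR ": END without BEGIN"; bad = 1 }
        inside = 0; next
    }
    /^[ \t]*$/ { print "line " NR ": blank line"; bad = 1; next }
    !inside { print "line " NR ": text outside BEGIN/END markers"; bad = 1; next }
    {
        # Only the last body line of a certificate may be shorter than 64.
        if (short) { print "line " short ": short line before the last line"; bad = 1 }
        if ($0 !~ "^[A-Za-z0-9+/=]+$") { print "line " NR ": non-base64 character"; bad = 1 }
        if (length($0) > 64) { print "line " NR ": more than 64 characters"; bad = 1 }
        short = (length($0) < 64) ? NR : 0
    }
    END {
        if (inside) { print "missing END CERTIFICATE"; bad = 1 }
        if (count == 0) { print "no certificate found"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: placeholder bodies, not real certificates.
l64=$(printf '%064d' 0)
cert=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' "$l64" "$l64" 'AAAA' \
    '-----END CERTIFICATE-----')
tmp=$(mktemp -d)
printf '%s\n%s\n' "$cert" "$cert" > "$tmp/good.pem"     # server + intermediate
printf '%s\n\n%s\n' "$cert" "$cert" > "$tmp/blank.pem"  # blank line between them
lint_pem_chain "$tmp/good.pem" && echo "good.pem: ok"
lint_pem_chain "$tmp/blank.pem" || echo "blank.pem: rejected"
```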

RSA private key format requirements

RSA private key rules:

  • Run the openssl genrsa -out privateKey.pem 2048 command to generate a local private key, with privateKey.pem being the private key file.

  • -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- indicate the beginning and end of the private key file, respectively. Upload the beginning and end content together.

  • Each line has 64 characters, but the last line can have less than 64 characters.

If your private key was not generated according to the preceding rules, for example if it uses the -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY----- format, run the following command to convert the private key:

    openssl rsa -in old_server_key.pem -out new_server_key.pem

Then, upload the new_server_key.pem content together with the certificate.

Certificate format conversion method

SSL acceleration only supports certificates in the PEM format. Certificates in other formats must be converted to the PEM format. We recommend that you use the OpenSSL tool for conversion. The following shows the methods used to convert other common certificate formats to PEM.


DER to PEM

The DER format is generally used on Java platforms.

  • Certificate conversion:

    openssl x509 -inform der -in certificate.cer -out certificate.pem

  • Private key conversion:

    openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem

P7B to PEM

The P7B format is generally used in Windows Server and Tomcat.

  • Certificate conversion:
    openssl pkcs7 -print_certs -in incertificate.p7b -out outcertificate.cer

Retrieve the -----BEGIN CERTIFICATE-----, -----END CERTIFICATE----- content in outcertificate.cer and upload the content as a certificate.

  • Private key conversion: P7B certificates do not have private keys, so you only have to enter the certificate portion, not the private key portion, in the console.


PFX to PEM

The PFX format is generally used in Windows Server.

  • Certificate conversion:

    openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

  • Private key conversion:

    openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

Free certificates

You can also apply for free certificates to enable the SSL acceleration service. You can apply for one free certificate per domain name, with no limit per account. The system does not support wildcard domain names.

  • The application process for a free certificate takes 5 to 10 minutes. While waiting, you can also go back and choose to upload a custom certificate or select a managed certificate.
  • You can always switch among custom, managed, and free certificates, no matter which one you enable at the beginning.
  • Free certificates are valid for one year and automatically renewed upon expiration.
  • When using this product, if you disable the HTTPS settings and then enable the free certificate option again, the system uses the free certificate you applied for previously, provided it has not expired. If your certificate has expired when you enable the free certificate option, the system reapplies for a free certificate.

Other certificate issues

  • You can disable, enable, and modify certificates. After you disable a certificate, the system no longer retains the certificate information. When you re-enable the certificate, you must upload the certificate and private key again. See SSL acceleration settings tutorial.
  • Only SSL/TLS handshakes with SNI information are supported.
  • Make sure that the certificate and private key you upload match.
  • Certificate updates take effect in 10 minutes.
  • Private keys with passwords are not supported.
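
The private key rules (RSA header, no password) and the requirement that the certificate and key match can be checked locally with OpenSSL. This is an added example, not Alibaba Cloud tooling; to_rsa_pem, check_pair, the file names and the example.test subject are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud tooling); needs the openssl CLI.

# Rewrite a key as unencrypted PKCS#1 ("BEGIN RSA PRIVATE KEY").
# OpenSSL 3.x writes PKCS#8 ("BEGIN PRIVATE KEY") unless -traditional is given;
# releases that reject that flag already write PKCS#1, hence the fallback.
to_rsa_pem() {   # $1 = input key, $2 = output file
    openssl rsa -in "$1" -traditional -out "$2" -passin pass: 2>/dev/null ||
        openssl rsa -in "$1" -out "$2" -passin pass: 2>/dev/null
}

# Return 0 only if the key meets the rules above and belongs to the certificate.
check_pair() {   # $1 = private key, $2 = certificate (server certificate first)
    if grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"; then
        echo "key is password-protected"; return 1
    fi
    if [ "$(head -n 1 "$1")" != '-----BEGIN RSA PRIVATE KEY-----' ]; then
        echo "key header is not BEGIN RSA PRIVATE KEY"; return 1
    fi
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) ||
        { echo "cannot parse key"; return 1; }
    # x509 reads only the first certificate in the file: the server certificate.
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse certificate"; return 1; }
    [ "$kpub" = "$cpub" ] || { echo "certificate and key do not match"; return 1; }
    echo "ok"
}

# Constructed demo: throwaway keys and a self-signed certificate (hypothetical names).
work=$(mktemp -d)
openssl genrsa -out "$work/gen.key" 2048 2>/dev/null
to_rsa_pem "$work/gen.key" "$work/server.key"
openssl req -x509 -new -key "$work/server.key" -subj "/CN=example.test" \
    -days 1 -out "$work/server.crt" 2>/dev/null
openssl genrsa -out "$work/gen2.key" 2048 2>/dev/null
to_rsa_pem "$work/gen2.key" "$work/other.key"                   # unrelated key
openssl pkey -in "$work/server.key" -out "$work/pkcs8.key"      # PKCS#8 form
openssl rsa -in "$work/server.key" -aes256 -passout pass:demo \
    -out "$work/enc.key" 2>/dev/null                             # encrypted form
check_pair "$work/server.key" "$work/server.crt"
check_pair "$work/other.key" "$work/server.crt" || true
check_pair "$work/pkcs8.key" "$work/server.crt" || true
check_pair "$work/enc.key" "$work/server.crt" || true
```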

For more certificate-related FAQs, see More certificate questions.