To access resources through HTTPS secure acceleration, you must configure an HTTPS certificate. This topic describes the certificate formats supported by Alibaba Cloud Dynamic Route for CDN (DCDN) and how to convert certificates in various formats into the PEM format.

Before you enable HTTPS, you must configure an HTTPS certificate. You can select an SSL certificate that was purchased from the SSL Certificates Service console, apply for a free certificate, or upload a custom certificate. Custom certificates only support the PEM format. If a custom certificate is in another format, convert it into the PEM format first.

Root CA certificates

Root CA certificates are issued by root certificate authorities (CAs) including Apache, IIS, NGINX, and Tomcat. Each root CA certificate is unique. Alibaba Cloud DCDN uses root CA certificates issued by NGINX. The certificate information is contained in a .crt file and the private key information is contained in a .key file.

A root CA certificate must follow these rules:
  • The certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  • All lines except the last line must be 64 characters in length, and the last line must be up to 64 characters in length.
The following figure shows a sample certificate in the PEM format on a Linux system.
[Figure: sample certificate in the PEM format]

Intermediate CA certificates

A certificate file issued by an intermediate CA includes one server certificate and one intermediate certificate. You must splice the server certificate and intermediate certificate manually before you upload them.

Note Make sure that the server certificate is followed by the intermediate certificate. In most cases, the CA provides the splicing description when issuing the certificates. Follow the description to splice the certificates.

The chain of certificates issued by an intermediate CA has the following layout (the Base64 body of each certificate is omitted here):

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The certificates in the chain must follow these rules:

  • Blank lines are not allowed between certificates.
  • Each certificate must be in the PEM format.

RSA private keys

An RSA private key must follow these rules:

  • The RSA private key must be generated by running the openssl genrsa -out privateKey.pem 2048 command. privateKey.pem represents the private key file.
  • The private key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
  • All lines except the last line must be 64 characters in length, and the last line must be up to 64 characters in length.
[Figure: sample RSA private key in the PEM format]

If you did not generate the private key as instructed, and the private key does not start with -----BEGIN PRIVATE KEY----- or end with -----END PRIVATE KEY-----, run the following command to convert it:
      openssl rsa -in old_server_key.pem -out new_server_key.pem

Then, upload the new_server_key.pem file with the certificate.
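The rules for certificates, certificate chains and RSA private keys above are easy to check before an upload is rejected. The following checker is an added example written for this page, not DCDN or OpenSSL code; it implements the BEGIN/END marker rule, the 64-character line rule, the no-blank-lines-between-certificates rule and the no-password rule (an encrypted PEM key carries a Proc-Type: 4,ENCRYPTED header). The sample chain at the end is a constructed placeholder, not a real certificate.

```python
import re
# Constructed checker for the upload rules above; not DCDN or OpenSSL code.
BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
END = re.compile(r"^-----END ([A-Z ]+)-----$")
ACCEPTED = {"CERTIFICATE", "RSA PRIVATE KEY"}   # block types the rules above name

def check_pem(text):
    """Return the rule violations found in a PEM file; [] means it passes."""
    problems = []
    label, body, start = None, [], 0     # block currently open, if any
    blocks, blank_pending = 0, False     # blocks closed; blank line seen after one
    for n, line in enumerate(text.splitlines(), 1):
        if label is None:                # between blocks: only BEGIN is allowed
            if line.strip() == "":
                blank_pending = blocks > 0
                continue
            m = BEGIN.match(line)
            if not m:
                problems.append(f"line {n}: text outside a BEGIN/END block")
                continue
            if blank_pending:            # chain rule: no blank lines between certificates
                problems.append(f"line {n}: blank line between blocks")
            if m.group(1) not in ACCEPTED:
                problems.append(f"line {n}: unexpected block type {m.group(1)!r}")
            label, body, start, blank_pending = m.group(1), [], n, False
            continue
        m = END.match(line)
        if not m:                        # inside a block: collect body lines
            body.append(line)
            continue
        if m.group(1) != label:
            problems.append(f"line {n}: END {m.group(1)} does not match BEGIN {label}")
        if any(b.startswith("Proc-Type: 4,ENCRYPTED") for b in body):
            problems.append(f"line {start}: {label} is password protected")
        for i, b in enumerate(body):     # 64 chars per line; last line up to 64
            if i < len(body) - 1 and len(b) != 64:
                problems.append(f"line {start + 1 + i}: body line is {len(b)} chars, expected 64")
            elif len(b) > 64:
                problems.append(f"line {start + 1 + i}: last body line is {len(b)} chars, more than 64")
        blocks, label = blocks + 1, None
    if label is not None:
        problems.append(f"line {start}: BEGIN {label} without a matching END")
    if blocks == 0:
        problems.append("no PEM blocks found")
    return problems

# Constructed sample (placeholder body, not a real certificate): server certificate
# followed by the intermediate certificate, with no blank line between them.
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\n" + "A" * 64 + "\n" + "B" * 20
                + "\n-----END CERTIFICATE-----\n") * 2
```

Run check_pem on the spliced certificate file and on the key file separately; an empty list means the file satisfies the format rules (it does not prove the key matches the certificate).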

Certificate format conversion

HTTPS configuration only supports certificates in the PEM format. If your certificates are not in the PEM format, you must convert them into the PEM format. We recommend that you use OpenSSL to convert certificate formats. The following description shows how to convert various certificates into the PEM format:

  • Certificates in the DER format
    The DER format is usually used for Java.
    • Convert a certificate from DER to PEM as follows:
      openssl x509 -inform der -in certificate.cer -out certificate.pem
    • Convert a private key from DER into PEM as follows:
      openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem
  • Certificates in the P7B format
    The P7B format is typically used for Windows Server and Tomcat.
    • Convert a certificate from P7B to PEM as follows:
      openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer

      You must open the outcertificate.cer file, and copy and paste the part that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- as the certificate.

    • A certificate in the P7B format does not have a private key. When you configure an HTTPS certificate in the DCDN console, you only need to enter the certificate information.
  • Certificates in the PFX format
    The PFX format is typically used for Windows Server.
    • Convert a certificate from PFX to PEM as follows:
      openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
    • Convert a private key from PFX to PEM as follows:
      openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

Free certificates

When you use a free certificate, follow these rules:
  • It takes 5 to 10 minutes to apply for a free certificate. During this period, you can also choose to upload a custom certificate or an SSL certificate that was purchased from SSL Certificates Service.
  • After you enable HTTPS secure acceleration, you can change the certificate between a custom certificate, a purchased certificate from SSL Certificates Service, and a free certificate.
  • A free certificate is valid for one year and is automatically renewed upon expiration.
  • You do not need to apply for a new certificate each time you enable HTTPS secure acceleration. If the free certificate expires, you must apply for a new one.

Others

When you use a certificate, you must also follow these rules:
  • You can disable, enable, and modify an HTTPS certificate. After an HTTPS certificate is disabled, the system deletes the certificate information. To enable a disabled certificate again, you must re-upload the certificate or private key. For more information, see Configure an HTTPS certificate.
  • Only SSL and TLS handshakes that include Server Name Indication (SNI) values are supported.
  • Make sure that the uploaded certificate and private key match each other.
  • It takes 10 minutes for an updated certificate to take effect.
  • A private key cannot have a password configured.