You must configure a certificate before enabling the HTTPS service. To complete this task, you can select a free certificate from Alibaba Cloud Security, purchase an advanced certificate, or upload a custom certificate. Custom certificates must be in the PEMformat.

Certificate format requirements

Certificate authorities (CAs) often provide the following types of certificates. Alibaba Cloud CDN uses the Nginx format (certificates are saved in .crt files and keys are saved in .key files):

  • If your certificate is issued by a root CA, this certificate is unique.
  • If you have obtained a certificate file containing multiple certificates from an intermediate CA, you must manually link the server certificate and intermediate certificate and then upload them.
    Linking rule: The server certificate must be followed by the intermediate certificate without blank lines between them. Typically, the CA provides a description for each issued certificate.

Ensure that the format is correct before uploading the certificate.

In the Linux environment, the certificate PEM format is as follows:

Certificate rules:
  • Upload the ——-BEGIN CERTIFICATE——-and ——-END CERTIFICATE——-entries.
  • Each line must contain 64 characters. The last line can contain less than 64 characters.

Certificate chains issued by intermediate CAs:







Certificate chain rules:

  • Ensure that no blank lines exist between certificates.
  • Each certificate must meet the format requirements.

RSA key format requirements

RSA key rules:

  • Run the openssl genrsa -out privateKey.pem 2048 command to generate a local private key.Here, privateKey.pemindicates the private key file.

  • ——-BEGIN RSA PRIVATE KEY——- and ——-END RSA PRIVATE KEY——- indicate the beginning and ending entries, respectively. You must upload both entries.

  • Each line must contain 64 character. The last line can contain less than 64 characters.

If your private key is not generated according to the preceding rules and it is in the following format:
Run the following command to convert the private key to the required format:
  1. openssl rsa -in old_server_key.pem -out new_server_key.pem

Then, upload the content of new_server_key.pemtogether with the certificate.

Certificate format conversion method

CDN HTTPS secure acceleration only supports certificates in the PEM format. Certificates in other formats must be converted to the PEM format before they can be used. We recommend that you use the OpenSSL tool to convert the format. The following describes the methods for converting other common certificate formats to PEM.

From DER to PEM:

The DER format is typically used on Java platforms.
  • Certificate conversion:
    1. openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Private key conversion:
    1. openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem

From P7B to PEM:

The P7B format is typically used on Windows Server and Tomcat platforms.
  • Certificate conversion:
    1. openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer

    In outcertificat.cer, retrieve the ——-BEGIN CERTIFICATE——- and ——-END CERTIFICATE——- content.Upload the content as a certificate.

  • Private key conversion: the P7B certificate does not contain any private keys. Therefore, you only need to enter the certificate in the CDN console. The private key is not required.

From PFX to PEM:

The PFX format is typically used in Windows Server.
  • Certificate conversion:
    1. openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  • Private key conversion:
    1. openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

Free certificates

  • Applying for a free certificate takes 5 to 10 minutes. During this period, you can only upload custom or managed certificates.
  • Whether you enable a custom, managed, or free certificate, you can always switch among them later.
  • Free certificates are valid for one year and are automatically renewed upon expiration.
  • If you disable the HTTPS settings and then enable the free certificate option again, the system directly uses the previously applied free certificate that has not expired. If the certificate has expired when you enable the free certificate option, the system applies for another free certificate.

Other certificates

  • You can disable, enable, and change certificates. After you disable a certificate, the system does not retain the certificate information. To enable the certificate again, you must reupload it with the private key.
  • Only SSL and TLS with SNI information are supported.
  • Ensure that the certificate and private key to be uploaded match each other.
  • The updated certificate takes effect in 10 minutes.
  • Private keys with a password are not supported.