To access resources by using HTTPS secure acceleration, you must configure an HTTPS certificate. This topic describes the certificate formats that are supported by Alibaba Cloud CDN. This topic also describes how to convert certificates of various formats.

Root CA certificates

Root CA certificates are issued by root certificate authorities (CAs), including Apache, IIS, NGINX, and Tomcat. Each root CA certificate is unique. Alibaba Cloud Dynamic Route for CDN (DCDN) uses root CA certificates that are issued by NGINX. The certificate information is contained in a .crt file and the private key information is contained in a .key file.

Upload your certificate in the following format:
  • The certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  • All the lines except the last line must be 64 characters in length and the last line cannot exceed 64 characters in length.
The following figure shows a sample certificate in the Privacy-Enhanced Mail (PEM) format. The sample certificate is used in a Linux operating system.PEM

Intermediate CA certificates

A certificate file that is issued by an intermediate CA includes one server certificate and one intermediate certificate. You must manually concatenate the content of the server certificate and the intermediate certificate before you upload them.

Note Make sure that the content of the server certificate is followed by the content of the intermediate certificate. In most cases, the CA provides the concatenating description when the CA issues the certificates. Follow the description to concatenate the content of the certificates.

The chain of certificates that are issued by an intermediate CA is in the following format:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

The certificates in the chain must follow these rules:

  • Empty lines are not allowed between certificates.
  • Each certificate follows the format description when the certificate is uploaded.

Format rules of RSA private keys

A Rivest-Shamir-Adleman (RSA) private key must follow these rules:

  • The RSA private key must be generated by running the openssl genrsa -out privateKey.pem 2048 command. privateKey.pem represents the private key file.
  • The private key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
  • All the lines except the last line must be 64 characters in length and the last line can be less than 64 characters in length.
RSA
If you do not generate the private key as instructed and the private key does not start with -----BEGIN PRIVATE KEY----- or end with -----END PRIVATE KEY-----, run the following command to convert the private key:
openssl rsa -in old_server_key.pem -out new_server_key.pem

Then, upload the new_server_key.pem file and the certificate.

Certificate format conversion

HTTPS configuration supports only certificates that are in the PEM format. If your certificates are not in the PEM format, you must convert them from other formats to the PEM format. We recommend that you use OpenSSL to convert certificate formats. The following section describes how to convert certificates from other formats to the PEM format:

  • Conversion from the DER format to the PEM format
    The Distinguished Encoding Rules (DER) format is typically used for Java.
    • Certificate conversion:
      openssl x509 -inform der -in certificate.cer -out certificate.pem
    • Private key conversion:
      openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem
  • Conversion from the P7B format to the PEM format
    The P7B format is typically used for Windows Server and Tomcat.
    • Certificate conversion:
      openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer

      You must open the outcertificat.cer file. Then, copy and paste the part that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- as the certificate content.

    • Private key conversion: A certificate in the P7B format does not include a private key. When you configure an HTTPS certificate in the Alibaba Cloud CDN console, you only need to specify the certificate information. You do not need to specify the private key information.
  • Conversion from the PFX format to the PEM format
    The PKCS#12 (PFX) format is typically used for Windows Server.
    • Certificate conversion:
      openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
    • Private key conversion:
      openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes