HTTPS listeners require SSL/TLS certificates. You can either import a certificate from Alibaba Cloud Certificate Management Service or upload a third-party certificate directly to CLB.
Authentication modes
CLB supports two authentication modes for HTTPS:
| Mode | Certificates required | Use case |
| --- | --- | --- |
| One-way (server authentication) | Server certificate only | Standard HTTPS: the client verifies the server's identity |
| Mutual (mTLS) | Server certificate + CA certificate | High-security scenarios: both parties verify each other |
Certificate sources
| Source | Pros | Cons |
| --- | --- | --- |
| Certificate Management Service | Centralized management, expiration alerts, one-click renewal | Does not support CA certificates for mTLS |
| Third-party upload | Supports both server and CA certificates | Manual upload and renewal |
After uploading, CLB manages the certificate. You don't need to deploy it on backend servers.
Create a certificate
Add a certificate from Certificate Management Service
Before you begin:
Ensure you have purchased or uploaded a certificate in the Certificate Management Service console.
Console
Open the CLB console and go to CLB > Certificates.
Click Add Certificate, select Alibaba Cloud Certificates, then choose your certificate and target regions.
Note: Certificates are region-specific. Select all regions where you plan to use this certificate.
Click Create.
API
Call UploadServerCertificate with the following parameters:
- RegionId: The region ID of the CLB instance
- AliCloudCertificateId: Certificate ID
- AliCloudCertificateName: A descriptive name
- AliCloudCertificateRegionId: ap-southeast-1
Add a third-party certificate
Before you begin:
Prepare the server certificate's public and private key files in PEM format.
(For mTLS only) Prepare the CA certificate's public key file in PEM format.
Console
Open the CLB console and go to CLB > Certificates.
Click Add Certificate and select Third-party Certificates.
Enter a Certificate Name.
Select Certificate Type:
Server Certificate: For standard HTTPS (one-way authentication).
CA Certificate: For mTLS (also requires a separate server certificate).
Configure the certificate based on the type you selected:
For Server Certificate:
Public Key Certificate: Paste the certificate content. CLB uses Nginx format; certificate files typically have a .pem extension but may have .crt or others.
Private Key: Paste the private key. Nginx-format key files typically have a .key extension.
For CA Certificate:
Client CA Certificate: Paste the CA certificate content in PEM format.
Note: Click View Sample in the console to see the correct format. For more details, see Certificate requirements and format conversion.
Select Region: Certificates are region-specific. Choose all regions where you want to use this certificate.
Click Create.
API
To add a server certificate, call UploadServerCertificate
- RegionId: The region ID of the CLB instance
- ServerCertificate: Certificate content in PEM format
- PrivateKey: Private key in PEM format
To add a CA certificate, call UploadCACertificate
- RegionId: The region ID of the CLB instance
- CACertificate: CA certificate content in PEM format
Limits
Quotas
| Name | Description | Default value | Adjustable |
| --- | --- | --- | --- |
| slb_quota_certs_num | The maximum number of server certificates that can be uploaded in a region. | 100 | |
| slb_quota_ca_certs_num | The maximum number of client certificate authority (CA) certificates that can be uploaded in a region. | 100 | |
Certificate requirements
CLB only accepts PEM-formatted RSA certificates (1024, 2048, or 4096 bits). ECDSA certificates are not supported. For format conversion commands, see Certificate requirements and format conversion.
Additional restrictions:
- PEM files containing BEGIN DH PARAMETERS are not supported. HTTPS listeners use ECDHE cipher suites for perfect forward secrecy, which do not use DHE security parameters.
- Certificates cannot be shared across accounts. To transfer a certificate, download the certificate in Nginx format from the source account and import it into the target account.
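As an added example (not code from this page or from Alibaba Cloud), the following Python pre-upload lint checks a PEM bundle against the requirements listed above (RSA only, 1024/2048/4096-bit, no DH PARAMETERS block, one block per upload type) and then maps the bundle to the UploadServerCertificate or UploadCACertificate parameters named in the API steps earlier on this page. The function names are mine; the DER walker reads only the PKCS#1 modulus, the algorithm detection is a byte scan for the rsaEncryption and id-ecPublicKey OIDs rather than a full X.509/PKCS#8 parse, and the SAMPLE_* PEM blocks are constructed stand-ins with only the structure the lint inspects, not real keys or certificates.

```python
import base64
import re

# DER-encoded algorithm OIDs (tag 0x06, length, value) that the lint scans for.
OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")       # id-ecPublicKey
ALLOWED_RSA_BITS = {1024, 2048, 4096}                         # key sizes CLB accepts
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)

def parse_pem(text):
    """Split a PEM bundle into (label, der_bytes, pem_text) triples; ValueError if malformed."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        begin, body, end = m.groups()
        if begin != end:
            raise ValueError(f"mismatched PEM labels: BEGIN {begin} / END {end}")
        blocks.append((begin, base64.b64decode("".join(body.split()), validate=True), m.group(0) + "\n"))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks

def _read_tlv(buf, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(pkcs1_der):
    """Bit length of the modulus in a PKCS#1 RSAPrivateKey: SEQUENCE { version, modulus, ... }."""
    tag, pos, _ = _read_tlv(pkcs1_der, 0)
    if tag != 0x30:
        raise ValueError("RSAPrivateKey must start with a SEQUENCE")
    _, _, pos = _read_tlv(pkcs1_der, pos)              # version INTEGER, skipped
    tag, start, end = _read_tlv(pkcs1_der, pos)        # modulus INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(pkcs1_der[start:end], "big").bit_length()  # leading 0x00 pad is harmless

def check_pem_bundle(text):
    """Return the problems that would make CLB reject this upload (empty list = looks fine)."""
    try:
        blocks = parse_pem(text)
    except ValueError as exc:                          # binascii.Error is a ValueError subclass
        return [f"malformed PEM: {exc}"]
    problems = []
    for label, der, _ in blocks:
        if label == "DH PARAMETERS":
            problems.append("DH PARAMETERS block present; CLB rejects it (listeners use ECDHE, not DHE)")
        elif label == "EC PRIVATE KEY":
            problems.append("EC PRIVATE KEY: ECDSA keys are not supported, use RSA")
        elif label == "RSA PRIVATE KEY":
            try:
                bits = rsa_modulus_bits(der)
            except (ValueError, IndexError) as exc:
                problems.append(f"RSA PRIVATE KEY: unparseable PKCS#1 structure ({exc})")
                continue
            if bits not in ALLOWED_RSA_BITS:
                problems.append(f"RSA PRIVATE KEY: {bits}-bit modulus; CLB accepts 1024, 2048 or 4096")
        elif label in ("CERTIFICATE", "PRIVATE KEY"):
            # Heuristic OID byte scan: enough for a pre-upload lint, not a full X.509/PKCS#8 parse.
            if OID_EC_PUBLIC_KEY in der:
                problems.append(f"{label}: ECDSA (id-ecPublicKey) is not supported, use RSA")
            elif OID_RSA_ENCRYPTION not in der:
                problems.append(f"{label}: no rsaEncryption OID found, not an RSA {label.lower()}")
        else:
            problems.append(f"unexpected PEM block: {label}")
    return problems

def plan_upload(text, region_id):
    """Map a linted bundle to the CLB API action and the parameter names used on this page."""
    problems = check_pem_bundle(text)
    if problems:
        raise ValueError("; ".join(problems))
    blocks = parse_pem(text)
    certs = "".join(pem for label, _, pem in blocks if label == "CERTIFICATE")
    keys = [pem for label, _, pem in blocks if label in ("RSA PRIVATE KEY", "PRIVATE KEY")]
    if certs and keys:                                 # server certificate (plus chain) and its key
        return "UploadServerCertificate", {"RegionId": region_id, "ServerCertificate": certs, "PrivateKey": keys[0]}
    if certs:                                          # certificate only: a client CA for mTLS
        return "UploadCACertificate", {"RegionId": region_id, "CACertificate": certs}
    raise ValueError("a private key without a certificate cannot be uploaded")

# Constructed stand-ins (not real keys or certificates): only the structure the lint reads is present.
def _der(tag, body):
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def _der_int(n):
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

SAMPLE_RSA_KEY = _pem("RSA PRIVATE KEY", _der(0x30, _der_int(0) + _der_int((1 << 2047) | 1)))
SAMPLE_RSA_CERT = _pem("CERTIFICATE", _der(0x30, _der(0x30, OID_RSA_ENCRYPTION + _der(0x05, b""))))
SAMPLE_EC_CERT = _pem("CERTIFICATE", _der(0x30, _der(0x30, OID_EC_PUBLIC_KEY)))
SAMPLE_DH_PARAMS = _pem("DH PARAMETERS", _der(0x30, _der_int(23) + _der_int(5)))
```

Running check_pem_bundle(SAMPLE_RSA_CERT + SAMPLE_RSA_KEY) returns an empty list and plan_upload(..., "ap-southeast-1") yields the UploadServerCertificate parameters, while SAMPLE_EC_CERT + SAMPLE_DH_PARAMS produces one finding for each block. The lint catches the rejections listed on this page before an API call is made, but it does not prove that the private key belongs to the certificate or convert formats; use the openssl commands on the linked "Certificate requirements and format conversion" page for that.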