To use a custom domain name to access Object Storage Service (OSS) resources over HTTPS, you must purchase an SSL certificate. You can purchase an SSL certificate from a certificate authority (CA) or from Alibaba Cloud SSL Certificates Service and host your certificate in OSS.

Host your certificate by using one of the following methods, depending on your scenario:

Host a certificate for an accelerated domain name

If you map an accelerated domain name to your bucket, perform the following steps to host your certificate in the CDN console. For more information about how to map an accelerated domain name to a bucket, see Map accelerated domain names.

  1. Log on to the Alibaba Cloud CDN console.
  2. Click Domain Names. On the page that appears, click Manage in the Actions column that corresponds to the domain name for which you want to upload an SSL certificate.
  3. Choose HTTPS > Modify.
  4. In the Modify HTTPS Settings dialog box, turn on the HTTPS Secure Acceleration switch and then set the HTTPS certificate parameters described in the following table.
    Parameter | Description
    Certificate Source | An SSL certificate can be obtained from the following sources:
    • SSL Certificates Service: Select the certificate that you purchased from SSL Certificates Service from the drop-down list.
    • Custom Certificate (Certificate+Private Key): If the required certificate cannot be found in the drop-down list, you can upload a custom certificate. Set Certificate Name and then enter the certificate content in the Certificate (Public Key) section and the private key in the Private Key section. The uploaded certificate is saved to SSL Certificates Service. If a message appears to indicate that the certificate already exists, change the certificate name and try again. After you upload a certificate, you can view the certificate in the SSL Certificates Service console.
    • Upload Custom Certificate (Certificate): If you do not want to upload your private key, you must create a Certificate Signing Request (CSR) in the Alibaba Cloud CDN console and apply for a certificate from a CA. For more information, see Create a CSR.
    • Free Certificate: If you want to use free SSL certificates for HTTPS secure acceleration, select this option. Free SSL certificates cannot be managed in the SSL Certificates Service console. The public keys and private keys of free SSL certificates cannot be viewed in the SSL Certificates Service console. A free certificate takes effect after about 10 minutes.

      In general, free certificates are issued within one to two business days. Free certificates are valid for one year. You do not need to apply for a new certificate each time you enable HTTPS secure acceleration. You must apply for a new certificate only if the current one expires.

    Certificate Name | You need to configure this parameter only when you select SSL Certificates Service or Custom Certificate (Certificate+Private Key) for Certificate Source.
    Certificate (Public Key) | You need to configure this parameter only when you select Custom Certificate (Certificate+Private Key) or Upload Custom Certificate (Certificate) for Certificate Source. For more information, click PEM Encoding Reference under the Certificate (Public Key) section.
    Private Key | You need to configure this parameter only when you select Custom Certificate (Certificate+Private Key) for Certificate Source. For more information, click PEM Encoding Reference under the Private Key section.
  5. Click OK.
    After you configure an SSL certificate, the certificate takes effect in about one minute. You can access an OSS resource over HTTPS to verify whether HTTPS secure acceleration takes effect. If the https icon is displayed before the HTTPS URL of the resource in the address bar of your browser, HTTPS secure acceleration takes effect.

    HTTPS secure acceleration is a value-added service. After you enable this service, you are charged based on the number of HTTPS requests. For more information, see Billing of value-added services.

Host a certificate for a custom domain name

If you map a custom domain name to your bucket, perform the following steps to host your certificate in the OSS console. For more information about how to map a custom domain name to a bucket, see Map custom domain names.

  1. Log on to the OSS console.
  2. Click Buckets, and then click the name of the target bucket.
  3. In the left-side navigation pane, choose Transmission > Domain Names.
  4. Click Upload Certificate in the Actions column that corresponds to the custom domain name for which you want to host an SSL certificate.
  5. In the Upload Certificate panel, select SSL Certificates or Upload a Certificate (Public Key + Private Key). For more information about the configuration of the two certificate types, see Modify HTTPS Settings.
    If you select Upload a Certificate (Public Key + Private Key), you must configure Public Key and Private Key. After you obtain an SSL certificate, you can find the public key and private key information in the following files:
    • The certificate file with the .pem or .crt extension contains the public key in the following format:
      -----BEGIN CERTIFICATE-----
      ......
      -----END CERTIFICATE----- 
    • The certificate file with the .key extension contains the private key in the following format:
      -----BEGIN RSA PRIVATE KEY-----
      ......
      -----END RSA PRIVATE KEY-----

    You can select Show PEM Encoding Example to view the examples of the public key and private key. For more information about the certificate format, see Certificate formats.

  6. Click Upload.
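
A pre-upload check for the two PEM fields described in step 5, as an added example that is not part of the original documentation: it confirms that the Public Key field holds only CERTIFICATE blocks, that the Private Key field holds exactly one key block, and that no private key has been pasted into the wrong field. The function names, the sample DER bytes, and the rule that a passphrase-protected key is rejected are assumptions of this example.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.DOTALL)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}

def parse_pem(text):
    """Return [(label, der, encrypted)] per PEM block; ValueError if malformed."""
    blocks = []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        lines = [ln.strip() for ln in body.splitlines()]
        # A Proc-Type header or an ENCRYPTED label marks a passphrase-protected key.
        encrypted = begin.startswith("ENCRYPTED") or any(
            ln.startswith("Proc-Type:") for ln in lines)
        # Header lines contain ':'; base64 text never does.
        der = base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
        if der[:1] != b"\x30":  # certificates and keys are DER SEQUENCEs
            raise ValueError(f"{begin} body is not a DER SEQUENCE")
        blocks.append((begin, der, encrypted))
    return blocks

def check_upload(public_field, private_field):
    """Return problems found in the two console fields; an empty list means OK."""
    try:
        pub, priv = parse_pem(public_field), parse_pem(private_field)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"malformed PEM: {exc}"]
    problems = []
    if any("PRIVATE KEY" in label for label, _, _ in pub):
        problems.append("private key pasted into the Public Key field")
    if not pub or any(label != "CERTIFICATE" for label, _, _ in pub):
        problems.append("Public Key field must hold only CERTIFICATE blocks")
    if len(priv) != 1 or priv[0][0].replace("ENCRYPTED ", "") not in KEY_LABELS:
        problems.append("Private Key field must hold exactly one private key block")
    # Assumption of this example: the console expects a key without a passphrase.
    if any(enc for _, _, enc in priv):
        problems.append("private key is passphrase-protected")
    return problems

def pem(label, der, header=""):
    """Build a constructed PEM block for testing (not a real certificate or key)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{header}{b64}\n-----END {label}-----\n"

SAMPLE_DER = b"\x30\x03\x02\x01\x00"  # constructed placeholder, not real key material
if __name__ == "__main__":
    print(check_upload(pem("CERTIFICATE", SAMPLE_DER), pem("RSA PRIVATE KEY", SAMPLE_DER)))
```

The check is structural only: it does not verify that the private key matches the certificate or that the certificate covers the custom domain name.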