Deploy a certificate to an Alibaba Cloud service - Install Certificates| Alibaba Cloud Documentation Center

SSL Certificates Service allows you to deploy issued certificates and uploaded third-party certificates to supported Alibaba Cloud services with a few clicks.

Prerequisites

The following Alibaba Cloud services are activated: WAF, CLB, ALB, Alibaba Cloud CDN, Secure CDN, Dynamic Route for CDN, ApsaraVideo Live, and Anti-DDoS. A domain name that matches the certificate you want to deploy is configured in a supported Alibaba Cloud service.
For more information about the introduction and usage of the Alibaba Cloud services, see Related services.
The certificate that you want to deploy is issued by using SSL Certificates Service or the third-party certificate that you want to deploy is uploaded to SSL Certificates Service.
For more information, see Apply for a certificate and Upload certificates.

Limits on deploying a certificate to CLB and ALB instances

When you deploy a certificate to CLB (formerly known as SLB) and ALB instances by using SSL Certificates Service, take note of the following limits:

If HTTPS listeners are added to CLB and ALB instances with mutual authentication enabled, you cannot deploy a certificate to the CLB and ALB instances by using SSL Certificates Service.
In this case, you can deploy the corresponding certificate only in the SLB console. For more information, see Configure an HTTPS listener (mutual authentication).
Assume that a certificate is already deployed to CLB and ALB instances. If you want to replace this certificate with a new one, the domain name bound to the new certificate must be equal to or contain the domain name bound to this existing certificate. Examples:
- Assume that a certificate that is bound to the single domain name example.com is deployed to CLB and ALB instances. If you want to replace this certificate with a new one by using SSL Certificates Service, the domain name bound to the new certificate must be equal to or contain the domain name example.com. For example, the domain name bound to the new certificate can be example.com and www.example.com, or *.example.com.
- Assume that a certificate that is bound to the wildcard domain name *.example.com is deployed to CLB and ALB instances. If you want to replace this certificate with a new one by using SSL Certificates Service, the domain name bound to the new certificate must be equal to or contain the domain name *.example.com. For example. the domain name bound to the new certificate can be *.example.com or example.com.
If you want to replace an existing certificate with a certificate that does not meet the preceding requirements to CLB and ALB instances, you can deploy the new one only in the SLB console. For more information, see Add an HTTPS listener to a CLB instance and Add an HTTPS listener to an ALB instance.

Deploy an issued certificate

If your certificate is purchased and issued by using SSL Certificates Service, you can perform the following steps to deploy the certificate to a supported Alibaba Cloud service.

Log on to the SSL Certificates Service console.
On the Overview page, select Issued from the status drop-down list above the certificate list.
This operation filters through all the certificates and identifies the certificates that are issued by CAs.
Find the certificate that you want to deploy, and click Deploy in the Actions column.
In the Deploy Certificate panel, select an Alibaba Cloud service to which you want to deploy the certificate from the Select Cloud Service drop-down list. For example, if you want to deploy the certificate to a domain name that is configured in Web Application Firewall (WAF), select WAF.
The supported Alibaba Cloud services include WAF, CLB, ALB, Alibaba Cloud CDN, Secure CDN, Dynamic Route for CDN, ApsaraVideo Live, and Anti-DDoS.
After you select an Alibaba Cloud service, the domain name list in the lower part shows the domain names that are configured in this service and match the certificate you want to deploy.
Note
- Only when domain names that match the certificate are configured in the Alibaba Cloud service, the domain name list shows the domain names to which the certificate can be deployed. Otherwise, the domain name list is empty.
- If the certificate that you want to deploy to CLB and ALB instances does not meet the requirements in Limits on deploying a certificate to CLB and ALB instances, the domain name list is empty.
In the domain name list, select the domain name to which you want to deploy the certificate. Then, deploy the certificate to the domain name with a few clicks.
You can deploy the certificate by using one of the following methods:
- Click Deploy All to deploy the certificate to all domain names.
- Select the domain names to which you want to deploy the certificate. Then, click Batch Deploy below the domain name list to deploy the certificate to the selected domain names.
- Find the domain name to which you want to deploy the certificate, and click Deploy in the Actions column to deploy the certificate to the domain name.
After the certificate is deployed, the value of the Deployed parameter for the domain name changes to Yes. In addition, the values of the Deployed and Undeployed parameters above the domain name list are also automatically updated.
After the certificate is deployed, close the Deploy Certificate panel.
View the status of certificate deployment.
In the certificate list, find the certificate and click Details in the Actions column to view the deployment status of the certificate. In the Certificate Details panel, the Deployed section in the lower part shows the Alibaba Cloud services and domain names that are deployed with the certificate.

Deploy an uploaded certificate

If your certificate is purchased from a third-party vendor and uploaded to SSL Certificates Service for centralized management, you can perform the following steps to deploy the certificate to a supported Alibaba Cloud service.

Log on to the SSL Certificates Service console.
On the Overview page, select Uploaded from the status drop-down list above the certificate list.
This operation filters through all the certificates and identifies the uploaded certificates.
Find the certificate that you want to deploy, and click Deploy in the Actions column.
In the Deploy Certificate panel, select an Alibaba Cloud service to which you want to deploy the certificate from the Select Cloud Service drop-down list. For example, if you want to deploy the certificate to a domain name that is configured in Web Application Firewall (WAF), select WAF.
The supported Alibaba Cloud services include WAF, CLB, ALB, Alibaba Cloud CDN, Secure CDN, Dynamic Route for CDN, ApsaraVideo Live, and Anti-DDoS.
After you select an Alibaba Cloud service, the domain name list in the lower part shows the domain names that are configured in this service and match the certificate you want to deploy.
Note
- Only when domain names that match the certificate are configured in the Alibaba Cloud service, the domain name list shows the domain names to which the certificate can be deployed. Otherwise, the domain name list is empty.
- If the certificate that you want to deploy to CLB and ALB instances does not meet the requirements in Limits on deploying a certificate to CLB and ALB instances, the domain name list is empty.
After the certificate is deployed, close the Deploy Certificate panel.
View the status of certificate deployment.
In the certificate list, find the certificate and click Details in the Actions column to view the deployment status of the certificate. In the Certificate Details panel, the Deployed section in the lower part shows the Alibaba Cloud services and domain names that are deployed with the certificate.