Alibaba Cloud CDN accepts certificates and private keys only in PEM format. This topic describes the format requirements for each certificate type and how to convert DER, P7B (PKCS#7), and PFX (PKCS#12) certificates to PEM.
Before you upload
Make sure your certificate and private key meet all of the following requirements before uploading:
Requirement | Details
Format | Encoded in PEM format
Line length | Each line, except the last, contains exactly 64 characters; the last line can be 64 characters or fewer
No space characters | No space characters or blank lines between certificate blocks
Certificate chain order | Server certificate first, followed by the intermediate certificates (applies to certificates issued by an intermediate CA only)
Certificates from a root CA
Certificates issued directly by a root CA work with web servers such as Apache, IIS, NGINX, and Tomcat. CDN uses the NGINX-style file layout: the certificate in a file with a .crt extension and the private key in a file with a .key extension.
Open the .crt file in a text editor to view the certificate content.
The certificate must match this structure:
Starts with -----BEGIN CERTIFICATE-----
Ends with -----END CERTIFICATE-----
Each line except the last contains exactly 64 characters; the last line can be 64 characters or fewer
Upload the full content from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.
Certificates from an intermediate CA
When your certificate is issued by an intermediate CA, upload the full certificate chain: the server certificate and all intermediate certificates combined into a single file.
-----BEGIN CERTIFICATE-----
(server certificate content)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate content)
-----END CERTIFICATE-----
The server certificate must come first, followed by the intermediate certificates; each certificate's issuer should be the subject of the certificate that follows it. Do not add space characters or blank lines between certificates. All certificates must be in PEM format.
To assemble the chain, open each .pem file in a text editor and paste the content in order: server certificate block first, then each intermediate certificate block immediately after, with no spaces between them.
RSA private key format
The private key file has a .pem or .key extension. Open it in a text editor to view its content.
A valid RSA private key must:
Start with
Start with -----BEGIN RSA PRIVATE KEY-----
End with -----END RSA PRIVATE KEY-----
Have each line (except the last) contain exactly 64 characters
Generate a new RSA private key
Run the following command to generate a 2048-bit RSA private key. The output is saved to privateKey.pem.
openssl genrsa -out privateKey.pem 2048
Convert a private key that starts with -----BEGIN PRIVATE KEY-----
If your private key starts with -----BEGIN PRIVATE KEY----- (the PKCS#8 wrapper that many tools write) instead of -----BEGIN RSA PRIVATE KEY-----, rewrite it in the PKCS#1 form with OpenSSL before uploading:
openssl rsa -in old_server_key.pem -out new_server_key.pem
If the key is passphrase-protected, OpenSSL prompts for the passphrase and writes new_server_key.pem unencrypted, so restrict the file's permissions. Upload the content of new_server_key.pem along with your certificate.
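The requirements in the "Before you upload" table, the chain-assembly rules, and the private key format above can all be checked mechanically before you paste anything into the console. The script below is an added example, not Alibaba Cloud's own tooling: it splits a PEM file into blocks, checks the 64-character line rule, rejects whitespace between blocks, flags a PKCS#8 (-----BEGIN PRIVATE KEY-----) key, and decodes each body to confirm it is one complete DER SEQUENCE (a truncated paste fails this). normalize_pem re-wraps a file whose lines have the wrong width, as some tools produce. The sample blocks at the bottom are constructed placeholders, not real certificates or keys, and the function names are this example's own. Chain order (server certificate first) is not verified here; confirm it with `openssl x509 -noout -subject -issuer` on each block.

```python
"""Pre-upload check and normaliser for PEM certificate chains and private keys.
Added example, not Alibaba Cloud's tooling. Applies this page's rules: PEM markers,
64 characters per line except the last, no whitespace between blocks, one key in
RSA PRIVATE KEY (PKCS#1) or EC PRIVATE KEY form. Each body is also decoded and
checked to be one complete DER SEQUENCE, which catches a truncated paste. Sample
blocks at the bottom are constructed placeholders, not real certificates or keys.
Chain order is not checked; compare openssl x509 -noout -subject -issuer per block.
"""
import base64
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def split_pem(text):
    """Split text into (label, [(lineno, line), ...]) blocks; report layout problems."""
    blocks, problems, label, body, blank_run = [], [], None, [], 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if label is None:  # between blocks
            m = BEGIN_RE.match(line)
            if m:
                if blocks and blank_run:
                    problems.append(f"line {lineno}: blank line before block; blocks must be adjacent")
                label, body, blank_run = m.group(1), [], 0
            elif line.strip():
                problems.append(f"line {lineno}: text outside any PEM block")
            else:
                blank_run += 1
        elif END_RE.match(line):
            if END_RE.match(line).group(1) != label:
                problems.append(f"line {lineno}: END label does not match BEGIN {label!r}")
            blocks.append((label, body))
            label = None
        else:
            body.append((lineno, line))
    if label is not None:
        problems.append(f"unterminated {label} block")
    return blocks, problems


def der_outer_length(der):
    """Total length declared by the outer DER SEQUENCE header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:  # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F  # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_body(label, body):
    """Line-length, whitespace, Base64 and DER-framing checks on one block's body."""
    problems = []
    for i, (lineno, line) in enumerate(body):
        is_last = i == len(body) - 1
        if re.search(r"\s", line):
            problems.append(f"line {lineno}: whitespace inside {label} block")
        if (not is_last and len(line) != 64) or (is_last and not 0 < len(line) <= 64):
            problems.append(f"line {lineno}: {len(line)} characters, expected 64 (last line: 1 to 64)")
    try:
        der = base64.b64decode("".join(l for _, l in body), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return problems + [f"{label}: body is not valid Base64"]
    if der_outer_length(der) != len(der):
        problems.append(f"{label}: decoded bytes are not one complete DER SEQUENCE (truncated paste?)")
    return problems


def check_upload(cert_text, key_text):
    """Return every problem found; an empty list means the pair is ready to upload."""
    cert_blocks, problems = split_pem(cert_text)
    if not cert_blocks:
        problems.append("certificate: no PEM block found")
    for label, body in cert_blocks:
        if label != "CERTIFICATE":
            problems.append(f"certificate file contains a {label} block")
        problems += check_body(label, body)
    key_blocks, key_problems = split_pem(key_text)
    problems += key_problems
    if len(key_blocks) != 1:
        problems.append(f"private key: expected one PEM block, found {len(key_blocks)}")
    for label, body in key_blocks:
        if label == "PRIVATE KEY":  # PKCS#8 wrapper; the openssl rsa step above fixes it
            problems.append("private key is PKCS#8; run: openssl rsa -in old_server_key.pem -out new_server_key.pem")
        elif label not in ("RSA PRIVATE KEY", "EC PRIVATE KEY"):
            problems.append(f"private key label {label!r} is not RSA PRIVATE KEY or EC PRIVATE KEY")
        problems += check_body(label, body)
    return problems


def wrap_pem(label, der):
    """Encode DER bytes as a PEM block with 64-character lines (the layout openssl writes)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])


def normalize_pem(text):
    """Re-wrap every block to 64 columns and join blocks without blank lines; order is kept."""
    blocks, _ = split_pem(text)
    bodies = [(label, base64.b64decode("".join(l.strip() for _, l in body))) for label, body in blocks]
    return "\n".join(wrap_pem(label, der) for label, der in bodies) + "\n"


# Constructed placeholder DER: a SEQUENCE holding 94 zero bytes. Not a real certificate or key.
FAKE_DER = bytes([0x30, 0x5E]) + b"\x00" * 94
GOOD_CHAIN = wrap_pem("CERTIFICATE", FAKE_DER) + "\n" + wrap_pem("CERTIFICATE", FAKE_DER) + "\n"
GOOD_KEY = wrap_pem("RSA PRIVATE KEY", FAKE_DER) + "\n"
```

Run check_upload on the text of your certificate file and key file; any non-empty result names the offending line. The DER framing check is deliberately shallow (only the outer SEQUENCE header is parsed) so that it works without an ASN.1 library, but it still catches the most common paste error, a chain or key cut off mid-block.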
Key length requirements
CDN supports the following RSA private key lengths:
RSA keys shorter than 2048 bits (such as 1024 bits) are considered insecure and may be rejected by backend validation.
Use 2048 or 4096 bits. Generate a key with
openssl genrsa -out privateKey.pem 2048
or replace 2048 with 4096.
CDN also supports ECC (Elliptic Curve Cryptography) certificates. Common ECC curves are prime256v1 (secp256r1) and secp384r1. Generate an ECC private key with:
openssl ecparam -genkey -name prime256v1 -noout -out ecc_key.pem
The -noout flag omits the separate EC PARAMETERS block, so the file contains only the -----BEGIN EC PRIVATE KEY----- block. The exact maximum key length and ECC curve support depend on the CDN backend API validation. If you encounter key-related format errors during upload, try regenerating with a standard 2048-bit RSA or prime256v1 ECC key. Note that a new private key requires a new CSR and a reissued certificate; the existing certificate will not match it.
Convert certificate formats
CDN accepts only PEM-format certificates. Use OpenSSL to convert from other formats.
A .crt file may be in either PEM or Distinguished Encoding Rules (DER) format. Open it in a text editor: if you see -----BEGIN CERTIFICATE-----, it is already in PEM format and no conversion is needed; if the file is binary, it is DER and must be converted. PEM is a Base64-encoded text format; private key files in PEM format use the .key extension.
DER to PEM
DER is commonly used on Java platforms.
Convert the certificate:
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert the private key:
openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem
P7B (PKCS#7) to PEM
P7B is commonly used on Windows Server and Tomcat.
Convert the certificate:
openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer
If the .p7b file is binary rather than text, add -inform DER to the command. Open outcertificate.cer: it contains every certificate in the bundle, each preceded by subject= and issuer= lines. Copy only the blocks from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, server certificate first, followed by the intermediates, and upload only those blocks.
P7B files contain only certificates, never a private key; the matching private key is the one generated with your CSR. When configuring your SSL certificate in the CDN console, enter only the certificate content and leave the private key field blank.
PFX (PKCS#12) to PEM
PFX is commonly used on Windows Server.
Convert the certificate:
openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
Convert the private key:
openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
Both commands prompt for the PFX import password. -nodes writes key.pem unencrypted, so restrict its permissions and delete it once uploaded. The exported files also contain Bag Attributes, subject= and issuer= lines; upload only the text between the BEGIN and END markers. If key.pem begins with -----BEGIN PRIVATE KEY-----, convert it with the openssl rsa command described in the private key section above. If cert.pem contains more than one certificate, order them server certificate first, then intermediates. On OpenSSL 3.x, a PFX created with legacy RC2 encryption may need the -legacy flag.
Signature algorithm support
The signature algorithms supported by CDN depend on the backend API validation rules. Below is a compatibility reference for common signature algorithms:
Recommended signature algorithms:
SHA-256 with RSA (sha256WithRSAEncryption)
SHA-384 with RSA
SHA-512 with RSA
ECDSA with SHA-256 (for ECC certificates)
Not recommended:
SHA-1 with RSA: SHA-1 has been marked insecure by major browsers, and some backend validations may reject SHA-1 signed certificates.
The CDN console does not perform signature algorithm validation on the frontend. Signature algorithm compatibility is determined entirely by the backend API. If you receive an error when uploading a certificate that uses an uncommon signature algorithm, reissue the certificate using SHA-256 with RSA or a more secure algorithm.
You can check your certificate's signature algorithm with:
openssl x509 -in your_cert.pem -noout -text | grep "Signature Algorithm"
The output should look like Signature Algorithm: sha256WithRSAEncryption. The line appears twice (once in the certificate body and once for the outer signature); both should show the same algorithm.