After you create and enable a private certificate authority (CA) in the Certificate
Management Service console, you can apply for private certificates from a private
intermediate CA of the private CA. The private certificates can be used for application
identity authentication and data encryption and decryption within your enterprise.
This topic describes how to configure private certificates.
Background information
Only private intermediate CAs can issue private certificates. Private certificates are end-entity (leaf) certificates, which include server certificates and client certificates. Trusted communication can be established between a server and a client only after private certificates are installed on both the server and the client.
Initial configuration
If this is the first time you configure a private certificate, perform the following steps in order: purchase private certificates for the private root CA, assign the quota to a private intermediate CA, and then apply for a private certificate from that intermediate CA.
Purchase private certificates
If the private root CA does not have sufficient quota to issue private certificates, you can purchase private certificates for the private root CA. This increases the quota from which all private intermediate CAs of the private root CA issue private certificates.
1. In the left-side navigation pane, click Private Certificates.
2. On the Private Certificates page, find the required private root CA and click Purchase Certificate in the Actions column.
3. In the Purchase Certificate panel, enter the number of private certificates that you want to purchase.
   Note: If the number of private certificates that you purchase for a private root CA exceeds a specified threshold, you are not charged for the excess certificates. For more information about the threshold, search for and join the DingTalk group numbered 32435999.
4. Click Purchase and complete the payment.
Assign the quota to issue private certificates
Only private intermediate CAs can issue private certificates. Private root CAs cannot issue private certificates. Before you apply for a private certificate, you must assign the quota of the private root CA to a private intermediate CA. The quota can be assigned only when the private root CA and the private intermediate CA meet the following conditions:
- The private root CA is in the Enabled state.
- The remaining quota of the private root CA is not 0.
- The private intermediate CA is in the Enabled state.
1. In the left-side navigation pane, click Private Certificates.
2. On the Private Certificates page, find the required private root CA and click Assign Certificate in the Remaining Certificate Quota/Total column.
3. In the Assign Certificate panel, select the private intermediate CA to which you want to assign the quota, and configure the Remaining Certificate Quota parameter.
4. Click OK.
Apply for a private certificate
You can apply for a private certificate from a private intermediate CA only when the value of the Remaining Certificate Quota parameter of the private intermediate CA is not 0.
1. In the left-side navigation pane, click Private Certificates.
2. On the Private Certificates page, find the required private intermediate CA and click Apply for Certificate in the Actions column.
3. In the Apply for Certificate panel, configure the parameters. The following parameters are available:
   Certificate Type
       The type of the private certificate. Valid values:
       - Server Certificate: A server certificate must be installed on an application server.
       - Client Certificate: A client certificate must be installed on a client browser that accesses an application.
   Common Name (CN)
       The common name of the private certificate holder.
   Validity Period
       The validity period of the private certificate.
   SAN
       The Subject Alternative Name (SAN) extension of the private certificate. If you want to deploy the private certificate to multiple servers, you can use SAN extensions to add information about the other servers.
       - For a server certificate, you can enter the domain name or IP address of your website.
       - For a client certificate, you can enter a user email address or URI.
       You can add up to 10 SAN extensions.
   More
       If you want to specify the name of the private certificate and add company and department information for the private certificate, click More and configure the following parameters:
       Certificate Name: The name of the private certificate.
       Organization (O): The name of the company that uses the private certificate.
       Organizational Unit (OU): The name of the department that uses the private certificate.
4. Click Confirm.
The private certificate is issued immediately after the application is submitted. To view the details of the issued private certificate, find the private intermediate CA in the list of private CAs, click Certificates in the Actions column, and then view the details on the Certificates page.
Export a private certificate
After a private intermediate CA issues a private certificate, you can export the private certificate and deliver it to a specified user for installation and use.
1. In the left-side navigation pane, click Private Certificates.
2. On the Private Certificates page, find the required private intermediate CA and click Certificates in the Actions column.
3. On the Certificates page, find the required private certificate and click Details in the Actions column.
4. In the Certificate Details panel, select View Private Key Content.
5. In the Password field, specify a password to encrypt the private key and click Export.
   The password must be eight characters in length and must contain digits, uppercase letters, and lowercase letters. The password is used to encrypt the private key of the private certificate that you export. When you install the private certificate, you must use the password to decrypt the private key. You can run OpenSSL commands to install the private certificate. We recommend that you keep the password confidential.
   After the private certificate is exported, the following information appears in the lower part of the Certificate Details panel: Certificate Information, Complete Certificate Chain Content, and Private Key Content.
6. Copy and send the information about the private certificate to the specified user for installation and use.
Install a private certificate
Install a server certificate
You must install a server certificate on an application server. The installation operations are the same as those for a certificate purchased by using Certificate Management Service. For more information, see Installation overview.
Install a client certificate
1. Install the certificate chain.
   Note: Server certificates are not embedded in browsers. You must install the certificate chain on your client to prevent security warnings.
   a. Create a TXT file, copy and paste the value of Complete Certificate Chain Content into the file, and then save the file in the .cert format.
   b. Send the .cert file to the user who wants to install the client certificate.
   c. The user double-clicks the .cert file on the client to install the certificate chain in the client browser.
2. Install the certificate.
   a. Create a TXT file, copy and paste the value of Certificate Information into the file, and then save the file in the .cert format.
   b. Send the .cert file to the user.
   c. The user double-clicks the .cert file on the client to install the certificate in the client browser.
Revoke a private certificate
If you no longer require a private certificate, you can revoke it in the Certificate Management Service console before it expires. Revoked private certificates are no longer trusted in the internal environment of your enterprise.
1. In the left-side navigation pane, click Private Certificates.
2. On the Private Certificates page, find the required private intermediate CA and click Certificates in the Actions column.
3. On the Certificates page, find the private certificate that you want to revoke and click Revoke in the Actions column.
4. In the Confirmation message, click Revoke.
The private certificate is revoked immediately. After the value in the Status column of the private certificate changes to Revoke, you can delete the private certificate from the list of private certificates.