After you create and enable a private certificate authority (CA) in the Certificate Management Service console, you can apply for private certificates from a private intermediate CA that belongs to the private root CA. Private certificates are used for application identity authentication and for encrypting data in transit within your enterprise. This topic describes how to configure private certificates.

Background information

Only private intermediate CAs can issue private certificates. Private certificates are end-entity certificates: server certificates and client certificates. A server presents its server certificate to clients, and a client trusts that certificate only if the certificate chain up to the private root CA is installed on the client. If the server also authenticates clients (mutual TLS), each client additionally needs a client certificate and its private key.

Initial configuration

If this is the first time that you configure a private certificate, perform the following steps:
  1. Assign the quota to issue private certificates
  2. Apply for a private certificate
  3. Export a private certificate
  4. Install a private certificate

Prerequisites

A private CA is purchased and enabled. For more information, see Purchase and enable a private CA.

Purchase a private certificate

If the private root CA does not have sufficient quota to issue private certificates, you can purchase additional private certificates for the private root CA. This increases the quota that all private intermediate CAs of the private root CA draw on when they issue private certificates.

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, find the required private root CA and click Purchase Certificate in the Actions column.
  4. In the Purchase Certificate panel, enter the number of private certificates that you want to purchase.
    Note If the number of private certificates that you purchase for a private root CA exceeds a specific threshold, you are not charged for the excess certificates. For the current threshold, search for and join the DingTalk group numbered 32435999.
  5. Click Purchase and complete the payment.

Assign the quota to issue private certificates

Only private intermediate CAs can issue private certificates. Private root CAs cannot issue private certificates. Before you apply for a private certificate, you must assign the quota of the private root CA to a private intermediate CA. The quota can be assigned only when the private root CA and the private intermediate CA meet the following conditions:

  • The private root CA is in the Enabled state.
  • The remaining quota of the private root CA is not 0.
  • The private intermediate CA is in the Enabled state.

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, find the required private root CA and click Assign Certificate in the Remaining Certificate Quota/Total column.
  4. In the Assign Certificate panel, select the private intermediate CA to which you want to assign the quota, and configure the Remaining Certificate Quota parameter.
  5. Click OK.

Apply for a private certificate

You can apply for a private certificate from a private intermediate CA only when the value of the Remaining Certificate Quota parameter of the private intermediate CA is not 0.

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, find the required private intermediate CA and click Apply for Certificate in the Actions column.
  4. In the Apply for Certificate panel, configure the parameters.

    The following list describes the parameters.

    Certificate Type
      The type of the private certificate. Valid values:
      • Server Certificate: installed on the application server that presents it to clients.
      • Client Certificate: installed on the client, such as a browser, that accesses the application and must authenticate itself to it.
    Common Name (CN)
      The common name of the certificate holder, such as the primary domain name of the server or the name of the user.
    Validity Period
      The validity period of the private certificate.
    SAN
      The Subject Alternative Name (SAN) extension of the private certificate. The SAN lists the names for which the certificate is valid, so one server certificate can be deployed on several servers.

      For a server certificate, enter the domain names or IP addresses of your servers. For a client certificate, enter the email address of the user or a URI.

      Browsers and TLS libraries match the host name against the SAN rather than the CN, so also add the name that you entered as the CN to the SAN. You can add up to 10 SAN entries.

    More
      To specify the name of the private certificate and add company and department information, click More and configure the following parameters.
    Certificate Name
      The name of the private certificate.
    Organization (O)
      The name of the company that uses the private certificate.
    Organizational Unit (OU)
      The name of the department that uses the private certificate.
  5. Click Confirm.
    The private certificate is issued immediately after you submit the application. To view the issued private certificate, find the private intermediate CA in the list of private CAs, click Certificates in the Actions column, and then view its details on the Certificates page.

Export a private certificate

After a private intermediate CA issues a private certificate, you can export the private certificate and deliver the private certificate to a specified user for installation and use.

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, find the required private intermediate CA and click Certificates in the Actions column.
  4. On the Certificates page, find the required private certificate and click Details in the Actions column.
  5. In the Certificate Details panel, select View Private Key Content.
  6. In the Password field, specify a password to encrypt the private key and click Export.
    The password must be eight characters in length and must contain digits, uppercase letters, and lowercase letters. It is used to encrypt the private key of the exported private certificate. When you install the private certificate, you must enter the same password to decrypt the private key, for example, by using OpenSSL. Keep the password confidential and send it to the recipient separately from the certificate files.
    After the private certificate is exported, the following information appears in the lower part of the Certificate Details panel: Certificate Information, Complete Certificate Chain Content, and Private Key Content.
  7. Copy the certificate, the complete certificate chain, and the encrypted private key, and send them to the user who installs the private certificate.

Install a private certificate

Install a server certificate

You must install a server certificate on an application server. The installation operations are the same as the operations to install a certificate that is purchased by using Certificate Management Service. For more information, see Installation overview.

Install a client certificate

  1. Install the certificate chain.
    Note Browsers do not trust a private CA by default. Install the certificate chain up to the private root CA on the client so that the browser trusts server certificates issued by the private intermediate CA and does not display security warnings.
    1. Create a TXT file, copy and paste the value of Complete Certificate Chain Content to the file, and then save the file in the .cert format.
    2. Send the .cert file to the user who wants to install the client certificate.
    3. The user can double-click the .cert file on the client to install the certificate chain on the client browser.
  2. Install the certificate.
    1. Create a TXT file, copy and paste the value of Certificate Information to the file, and then save the file in the .cert format.
    2. Send the .cert file to the user.
    3. The user can double-click the .cert file on the client to install the certificate on the client browser.
    Note A client certificate can authenticate the client only together with its private key. A .cert file contains only the certificate, so also deliver the exported Private Key Content and its password. Browsers usually import a client identity as a PKCS#12 (.p12 or .pfx) file that bundles the certificate, the private key, and the certificate chain.
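The three tiers of the console (a private root CA, the private intermediate CA that alone issues end-entity certificates, and server and client certificates with the CN, SAN, O and OU values from the application form), followed by the export and the install-side checks, reproduced with OpenSSL as an added example. This is not the console's own code; the console's actual export format is not documented here, so the key is exported as password-protected PKCS#8, and every name, SAN, organization value and the password are constructed for the example.

```shell
#!/bin/sh
# Added example; not part of the Certificate Management Service documentation
# or console. It rebuilds the console's model with OpenSSL: a private root CA
# that certifies one private intermediate CA, which alone issues end-entity
# server and client certificates, then performs the export and install-side
# checks. Every name, SAN, organization and the password below is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EXPORT_PASS='Abc12345'   # constructed export password: digits, upper and lower case

# issue NAME SUBJECT EXTENSIONS ISSUER   (ISSUER is "self" for the root CA)
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf '%b' "$3" > "$WORK/$1.ext"
  if [ "$4" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
      -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.ext" \
      -out "$WORK/$1.crt" 2>/dev/null
  fi
}

build_private_pki() {
  # Private root CA: pathlen:1 lets it certify the intermediate CA only.
  issue root '/O=Example Corp/CN=Example Private Root CA' \
    'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' self
  # Private intermediate CA: the tier that issues end-entity certificates.
  issue inter '/O=Example Corp/CN=Example Private Intermediate CA' \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' root
  # Server Certificate: CN, O and OU from the form, DNS/IP names in the SAN.
  issue server '/O=Example Corp/OU=Platform/CN=app.internal.example' \
    'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:app.internal.example,DNS:api.internal.example,IP:10.0.0.5\n' inter
  # Client Certificate: an e-mail address in the SAN, client authentication only.
  issue client '/O=Example Corp/OU=Platform/CN=alice' \
    'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\nsubjectAltName=email:alice@internal.example\n' inter
}

# Export: the private key leaves the console only encrypted under the password
# (PKCS#8 with AES-256 here; the console's exact format is an assumption).
export_private_key() {   # export_private_key NAME PASSWORD
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$WORK/$1.key" \
    -out "$WORK/$1.key.enc" -passout "pass:$2"
}

# Install step 1: decrypt the exported key; a wrong password fails here.
decrypt_private_key() {  # decrypt_private_key NAME PASSWORD
  openssl pkey -in "$WORK/$1.key.enc" -passin "pass:$2" \
    -out "$WORK/$1.key.dec" 2>/dev/null
}

# Install step 2: the certificate must belong to the decrypted key.
key_matches_cert() {     # key_matches_cert NAME
  [ "$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/$1.key.dec" -pubout)" ]
}

# Install step 3: build the chain as a relying party would. A client that has
# only the root cannot validate the leaf; the intermediate must be present.
chain_verifies() {       # chain_verifies NAME with-chain|without-chain
  if [ "$2" = with-chain ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
      "$WORK/$1.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1
  fi
}

# Install step 4: confirm the names and usages requested in the form are present.
cert_has() {             # cert_has NAME TEXT   (TEXT as printed by openssl x509 -text)
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q -- "$2"
}

build_private_pki
export_private_key server "$EXPORT_PASS"
decrypt_private_key server "$EXPORT_PASS"
key_matches_cert server;          echo "server key matches its certificate"
chain_verifies server with-chain; echo "server chain verifies up to the private root CA"
if chain_verifies server without-chain; then echo "unexpected: leaf verified without chain"; exit 1; fi
echo "leaf alone does not verify: the intermediate CA must be installed too"
cert_has server 'DNS:api.internal.example';      echo "server SAN present"
cert_has client 'TLS Web Client Authentication'; echo "client EKU present"
if decrypt_private_key server 'WrongPass9'; then echo "unexpected: wrong password accepted"; exit 1; fi
echo "wrong export password rejected"
```

Run it with sh; it needs only the openssl binary. Each check maps to a failure you would otherwise see only after deployment: a key that does not match the certificate makes the server fail to start, a missing intermediate produces the browser warning the chain installation step exists to prevent, and a missing SAN entry makes clients reject a name that is present only in the CN.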

Revoke a private certificate

If you no longer require a private certificate, you can revoke it in the Certificate Management Service console before it expires. Revocation marks the certificate as untrusted in the service, but a client or server rejects a revoked certificate only if it checks the certificate's revocation status, so also remove the revoked certificate from the servers and clients on which it is installed.

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, find the required private intermediate CA and click Certificates in the Actions column.
  4. On the Certificates page, find the private certificate that you want to revoke and click Revoke in the Actions column.
  5. In the Confirmation message, click Revoke.
    The private certificate is immediately revoked. After the value in the Status column of the private certificate changes to Revoke, you can delete the private certificate from the list of private certificates.