Private Certificate Authority (PCA) allows you to build a private certificate platform within your enterprise by performing visualized operations. PCA helps you implement application identity authentication and data encryption and decryption within your enterprise. This topic describes the billable items of PCA and the rules for certificate expiration, renewal, and refunds.

Billable items

  • Private root CA
    Billing method: Yearly or monthly subscription
    Price: The prices of private root CAs vary based on certificate algorithms. The following algorithms are supported: Rivest-Shamir-Adleman (RSA), SM, and elliptic curve cryptography (ECC). The SM algorithms are developed and approved by the State Cryptography Administration of China. The actual price on the buy page of a private root CA shall prevail.
    Billing rule: The price of a private root CA is calculated based on the following formula: Unit price in USD per month × Subscription duration. By default, a private root CA consists of 1 private root CA, 1 private intermediate CA, and a quota for 10 private certificates.

  • Private intermediate CA
    Billing method: Yearly or monthly subscription
    Price: The prices of private intermediate CAs vary based on certificate algorithms. The following algorithms are supported: RSA, SM, and ECC. The actual price on the buy page of a private intermediate CA shall prevail.
    Billing rule: The price of a private intermediate CA is calculated based on the following formula: Unit price in USD per month × Subscription duration.

  • Private certificate
    Billing method: Subscription
    Price: The prices of private certificates vary based on certificate algorithms and the number of purchased certificates. The actual price in the Purchase Certificate panel of the Private Certificates page in the Certificate Management Service console shall prevail.
    Billing rule: The price of a private certificate is calculated based on the following formula: Unit price of a private certificate in USD × Number of purchased private certificates.
    The unit price decreases when the number of purchased private certificates increases. In the following pricing tiers, a larger number of private certificates are billed at a lower unit price, and private certificates in the same tier are billed at the same unit price:
    • 0 ≤ Number of private certificates ≤ 1,000
    • 1,001 ≤ Number of private certificates ≤ 10,000
    • 10,001 ≤ Number of private certificates ≤ 99,999,999
    Note: If the number of purchased private certificates exceeds a threshold, you are not charged for the excess private certificates. For more information about the threshold, search for and join the DingTalk group numbered 32435999.

Expiration

The expiration date of a private certificate is the same as the expiration date of its private root CA. After the private root CA expires, you can no longer enable the private root CA or apply for a private certificate from a private intermediate CA of the private root CA. The private certificates that are issued by a private intermediate CA of the private root CA also expire. After a private intermediate CA expires, the private certificates that are issued by the private intermediate CA also expire. After the private certificates expire, features such as identity authentication and secure transmission of application data are no longer provided for your enterprise. Your service may be interrupted. To prevent impacts on your business, we recommend that you renew your private root CA and private intermediate CAs within 30 calendar days before they expire. If the private root CA and private intermediate CAs have expired, you must reactivate the CAs.

Renewal policy

You can renew a private root CA or a private intermediate CA within 30 calendar days before the CA expires. You can renew the private root CA or private intermediate CA in the Certificate Management Service console. You cannot renew an expired private root CA or private intermediate CA. If you want to continue using the private root CA or private intermediate CA, you must reactivate the CA in the Certificate Management Service console.

Renewal

Important: You can renew a private root CA or private intermediate CA only within 30 calendar days before the CA expires.
  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, find the private root CA or private intermediate CA that you want to renew and click Renew in the Actions column.
    The private CA that you need to renew varies based on how you create the private CA.
    • If the private root CA and the private intermediate CA are created together, you need to renew only the private root CA. The validity periods of both the private root CA and the private intermediate CA are extended.
    • If the private intermediate CA is separately purchased, you must renew the private root CA in advance to ensure that the private root CA is valid. Then, you can renew the private intermediate CA to extend its validity period.
  4. On the Renew page, confirm the specifications, configure Subscription Duration, read and select Terms of Service, and then click Buy Now to complete the payment.
    After you complete the payment, you can log on to the SSL Certificates Service console and go to the Private Certificates page. On the Private Certificates page, you can view the new expiration time of the private root CA or private intermediate CA in the Expire On column.

Reactivation

If you want to continue using PCA after your private root CA and private intermediate CA expire, you must separately reactivate the private root CA and private intermediate CA in the Certificate Management Service console.

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, find the required private root CA and click Reactivate in the Actions column.
  4. On the buy page, specify the same configurations as the existing configurations of the private root CA that you want to reactivate, and click Buy Now. On the page that appears, read and select Terms of Service, and then complete the payment.

    When you reactivate a private root CA, you cannot modify the configurations of the private root CA. You must retain the following configurations of the private root CA: Commodity Module, Product specifications, and Certificate Algorithm. You can configure Subscription Duration based on your business requirements.

  5. Return to the Certificate Management Service console to view the expiration time of the reactivated private root CA.
    After the private root CA is reactivated, Alibaba Cloud automatically updates the expiration time of the private root CA.

    If the private root CA is in the Disabled state before it is reactivated, you must enable the private root CA. Then, you can continue to use PCA. For more information about how to enable a private CA, see Enable a private CA. If the private root CA is in the Enabled state before it is reactivated, you can directly use PCA.

  6. Click the Hide/Show icon on the left side of the reactivated private root CA.
  7. Find the private intermediate CA that you want to reactivate and click Reactivate in the Actions column.
  8. On the buy page, specify the same configurations as the existing configurations of the private intermediate CA that you want to reactivate, and click Buy Now. On the page that appears, read and select Terms of Service, and then complete the payment.

    When you reactivate a private intermediate CA, you cannot modify the configurations of the private intermediate CA. You must retain the following configurations of the private intermediate CA: Commodity Module, Product specifications, and Certificate Algorithm. You can configure Subscription Duration based on your business requirements.

  9. Return to the Certificate Management Service console to view the expiration time of the reactivated private intermediate CA.
    After the private intermediate CA is reactivated, Alibaba Cloud automatically updates the expiration time of the private intermediate CA.

    If the private intermediate CA is in the Disabled state before it is reactivated, you must enable the private intermediate CA. Then, you can continue to use PCA. For more information about how to enable a private CA, see Enable a private CA. If the private intermediate CA is in the Enabled state before it is reactivated, you can directly use PCA.

Refund policy

Refund condition

  • Private root CA or private intermediate CA: the private root CAs or private intermediate CAs that are not enabled in an order.
  • Private certificate: the quota for private certificates in an order that is not consumed.

Procedure

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. Click the Manage Orders tab.
  4. Find the order for which you want to request a refund and click Refund in the Actions column.
  5. In the Refund Application message, click OK.
    After you request a refund, the paid fee is returned to the account that you use to make the payment. After the fee is returned, the value in the Status column for a private root CA or private intermediate CA in the order changes to Refunded. Then, you can click Delete in the Actions column to remove the private root CA or private intermediate CA from the private CA list.