All Products
Search

This Product

    Certificate Management Service:Billing for PCA

    Document Center

    Certificate Management Service:Billing for PCA

    Last Updated:Jan 07, 2026

    Private Certificate Authority (PCA) lets you build a private CA platform for your enterprise using a simple visual interface. You can use PCA to manage identity authentication, data encryption, and decryption for your internal applications. This topic describes the billable items, expiration, and renewal policies for the PCA service.

    Billable items

    Important

    The prices in the following table are for reference only. For actual prices, see the service purchase page.

    Service type

    Billing method

    Price

    Billing rule

    Private root CA

    Subscription

    USD 760/month

    Unit price of a private root CA (in USD/month) × subscription duration

    Note

    Each root CA instance includes one root CA, one intermediate CA, and 10 free private certificates. The free private certificates are valid for 30 days from the date of purchase. Their validity period is not extended when you renew the root CA. The validity period of separately purchased private certificates is extended when you renew the root CA.

    Private intermediate CA

    Subscription

    USD 380/month

    Unit price of a private intermediate CA (in USD/month) × subscription duration

    Private certificate

    Upfront

    The unit price of private certificates decreases as the quantity increases.

    The price is the same within the following quantity ranges. A higher quantity results in a lower price.

    • 1 to 1,000 certificates: USD 0.7.

    • 1,001 to 10,000 certificates: USD 0.3.

    Note

    Within each calendar year (January 1 to December 31), after the cumulative number of purchased private certificates reaches 120,000, any additional certificates are free of charge. The cumulative quantity is reset on January 1 of the next year.

    Unit price per certificate (in USD) × quantity

    Expiration

    After a root CA expires, you cannot enable it or request new certificates from it. To avoid service disruptions, renew your root and intermediate CAs within 30 calendar days before they expire. If a root CA or an intermediate CA has expired, you must reactivate it.

    Renewal policy

    When a root CA or an intermediate CA is about to expire (within 30 calendar days of expiration), you can renew it in the Certificate Management Service console. After a root CA or an intermediate CA expires, you can no longer renew it. To continue using the service, you must reactivate the root CA and intermediate CA in the Certificate Management Service console.

    Renewal

    Important

    The renewal option is available only within 30 calendar days before a root CA or an intermediate CA expires.

    1. Log on to the Certificate Management Service console.

    2. In the left navigation pane, choose Certificate Management > PCA Certificate Management. On the PCA Certificate Management page, select the region where the PCA service is located.

    3. On the Private CAs tab, find the target private CA, and in the Actions column, click Renew.

      The renewal process for a Certificate Authority (CA) depends on how it was created.

      • If the root CA and intermediate CA were created at the same time, you only need to renew the root CA. This extends the service period for both the root CA and the intermediate CA that was created with it.

      • If the intermediate CA was purchased separately, you must first renew the root CA to ensure that it is valid. Then, you must renew the intermediate CA separately to extend its service period.

    4. On the private certificate renewal page, confirm the Current Configuration information, select a Subscription Duration, read and select the Terms of Service, and then click Buy Now and complete the payment.

      After you complete the purchase, the Expire On of the root CA or intermediate CA is updated on the Private CAs page of the Certificate Management Service console.

    Reactivation

    If a root CA or an intermediate CA expires, you must reactivate them separately in the Certificate Management Service console to continue using the service.

    1. Log on to the Certificate Management Service console.

    2. In the left navigation pane, choose Certificate Management > PCA Certificate Management. On the PCA Certificate Management page, select the region where the PCA service is located.

    3. On the Private CAs tab, find the target CA, and in the Actions column, click Reactivate.

    4. , on the Certificate Management Service page, select the CA configuration, read and select the Terms of Service, and then click Buy Now and complete the payment.

      Important

      • When you reactivate a root CA, you can select only the Certificate Algorithm and Duration. When you reactivate an intermediate CA, you can select only the Duration.

      • If the status of your CA was Disabled before reactivation, you must enable the CA after the reactivation to continue using the PCA service. For more information, see Enable a private CA. If the status of your CA was Enabled before reactivation, you can continue to use the PCA service immediately after the reactivation.

    5. Optional: Return to the Certificate Management Service console to view the new expiration date of the reactivated private root CA.