A certificate signing request (CSR) contains the information that a certificate authority (CA) needs to issue your SSL certificate, including the certificate's public key, the certificate holder, and the holder's geographical location. You must submit the CSR to the CA for review. Alibaba Cloud automatically generates a CSR when you create a certificate. You can also create a CSR manually in the console or upload an existing one, which lets you specify a custom key algorithm or encryption strength. This topic describes how to create and upload a CSR.
Create a CSR
Log on to the Certificate Management Service console.
On the Manage CSRs tab, click Create CSR.
In the CSR Generator panel, configure the following parameters and click Generate Certificate CSR.
Parameter
Description
CSR Name
Enter a name for the CSR.
The name can be up to 50 characters in length and can contain letters, digits, underscores (_), hyphens (-), and periods (.).
Domains
Enter the domain name for which you want to apply for a certificate.
Note: You can enter only one domain name. If you want to apply for the same certificate for multiple domain names, you can enter one domain name in this field and enter other domain names in the SANs field.
SANs
Enter other domain names that share the same certificate with the domain name specified by Domains. If you enter multiple domain names, separate them with commas (,).
For example, if you want to bind www.aliyundoc.com, example.aliyundoc.com, and test.aliyundoc.com to the same certificate, you can set Domains to www.aliyundoc.com, and set SANs to example.aliyundoc.com,test.aliyundoc.com.
Contact
Specify the contact for the certificate that you want to apply for. The information includes the name and phone number of a contact.
If you have not created a contact, you can click Create Contact to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Manage contacts.
Company
Specify the company profile for the certificate that you want to apply for. The information includes the name and phone number of a company.
If you have not created a company profile, you can click Create Company Profile to create one. Certificate Management Service saves the created company profile for you to use next time. For more information about how to create a company profile, see Create a company profile.
Encryption Algorithm
Select the type of the key algorithm that you want to use. Valid values:
RSA (default): The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility.
ECC: The ECC algorithm is an encryption algorithm based on elliptic curves.
Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers.
SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. This algorithm is suitable for government agencies, public institutions, large state-owned enterprises, and financial banks that need to implement localization transformation and comply with Chinese cryptographic algorithm requirements.
Encryption Strength
Select the encryption strength that you want to use.
The available key strengths depend on the selected algorithm:
RSA: 2048, 3072, or 4096
ECC: p256, p384, or p512
SM2: 256
When you apply for a certificate, you can set CSR Generation to Select Existing CSR and select a CSR from the drop-down list. For more information, see Apply for a certificate.

Upload a CSR
If you want to use a CSR that is not created in the Certificate Management Service console when you apply for a certificate, you can upload existing CSRs in advance. This also helps you manage your CSRs in a centralized manner.
Log on to the Certificate Management Service console.
On the Manage CSRs tab, click Upload CSR.
In the Upload CSR panel, specify the content of the CSR file and the related private key file and click OK.
Parameter
Description
CSR Name
Enter a name for the CSR.
The name can be up to 50 characters in length and can contain letters, digits, underscores (_), hyphens (-), and periods (.).
CSR File
Enter the content of the CSR file.
Paste the PEM-encoded content of your CSR file. Alternatively, click Upload and Parse File to upload the file directly from your computer.
Private Key Content
Enter the content of the PEM-encoded private key file.
You can use one of the following methods to enter the content.
Method 1: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Private Key Content field.
Method 2: Click Upload and Parse File below the Private Key Content field. Then, select the private key file from your computer to upload the content of the file.
When you apply for a certificate, you can set CSR Generation to Select Existing CSR and select a CSR from the drop-down list. For more information, see Apply for a certificate.
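For a CSR prepared outside the console, the following added example (not part of the original topic or of Alibaba Cloud's tooling) generates an RSA 2048 or ECC P-256 key, builds a CSR with the Domains and SANs values used above, and checks that the CSR and private key belong together before they are pasted into the Upload CSR panel. It assumes the OpenSSL 1.1.1 or later command-line tool; the file names, and the choice to repeat the Domains value in subjectAltName, are assumptions of the example.

```shell
#!/bin/sh
# Added example: file names are constructed; domains are the ones used on this page.

# make_key rsa|ecc OUTFILE: RSA 2048 or ECC P-256 (two of the strengths listed above).
make_key() {
    ( umask 077   # private key file readable by its owner only
      case $1 in
          rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2" 2>/dev/null ;;
          ecc) openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$2" ;;
          *)   echo "unsupported algorithm: $1" >&2; exit 2 ;;
      esac )
}

# make_csr KEY CSR: CN carries the Domains value, subjectAltName carries it plus the SANs.
make_csr() {
    openssl req -new -key "$1" -out "$2" -subj "/CN=www.aliyundoc.com" \
        -addext "subjectAltName=DNS:www.aliyundoc.com,DNS:example.aliyundoc.com,DNS:test.aliyundoc.com"
}

# csr_sans CSR: print each DNS name in the request, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# check_pair CSR KEY: succeed only if the CSR's self-signature verifies and the
# public key inside it is the one derived from KEY.
check_pair() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

work=$(mktemp -d)
for alg in rsa ecc; do
    make_key "$alg" "$work/$alg.key" && make_csr "$work/$alg.key" "$work/$alg.csr"
    check_pair "$work/$alg.csr" "$work/$alg.key" && echo "$alg: CSR and key match"
done
# A key that did not sign the request is rejected.
check_pair "$work/rsa.csr" "$work/ecc.key" || echo "mismatched key rejected"
csr_sans "$work/ecc.csr"
rm -rf "$work"
```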


