Certificate Management Service uses Key Management Service (KMS) to encrypt the private keys of certificates before it stores them. This ensures the security of private keys.

Certificate Management Service uses accredited KMS to encrypt and store the private keys that are uploaded with your certificates and the private keys that are generated by using certificate signing requests (CSRs) during your certificate application.

KMS is a security management service that is provided by Alibaba Cloud to ensure the security, integrity, and availability of keys for certificates. KMS allows you to manage keys for multiple applications and services and meets regulatory and classified protection requirements. For more information about KMS, see What is Key Management Service?

Certificate Management Service stores private keys for certificates by using various asymmetric encryption methods. A private key is not stored in plaintext on disks. The plaintext of a private key appears in application memory only when necessary. For example, when you download a certificate, Certificate Management Service decrypts the ciphertext of the certificate's private key, and the plaintext appears in your server memory. You can then download the plaintext to your local computer over HTTPS.
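Once a private key has been downloaded, it exists in plaintext on your side, so it is worth checking how key files are stored on the local disk. The following added example (not part of the original page and not Alibaba Cloud code) classifies PEM private-key blocks as plaintext or encrypted from their labels and headers, and goes beyond certificate keys by also reading the cipher field of OpenSSH-format keys. The function names and the sample input are constructed for illustration.

```python
import base64
import re
import struct

# One PEM private-key block: label, then headers/base64 body up to the END line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
MAGIC = b"openssh-key-v1\x00"


def _openssh_cipher(blob: bytes) -> str:
    """Cipher name stored in an openssh-key-v1 blob; 'none' means unencrypted."""
    if not blob.startswith(MAGIC):
        return "unknown"
    (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
    return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n].decode("ascii", "replace")


def classify_private_keys(text: str) -> list:
    """Return (label, 'plaintext' | 'encrypted' | 'unknown') for each key block."""
    results = []
    for label, body in PEM_RE.findall(text):
        if label == "ENCRYPTED PRIVATE KEY":        # PKCS#8 EncryptedPrivateKeyInfo
            state = "encrypted"
        elif "Proc-Type: 4,ENCRYPTED" in body:      # legacy OpenSSL PEM encryption
            state = "encrypted"
        elif label == "OPENSSH PRIVATE KEY":        # encryption flag is inside the blob
            try:
                cipher = _openssh_cipher(base64.b64decode("".join(body.split())))
            except (ValueError, struct.error):
                cipher = "unknown"
            state = {"none": "plaintext", "unknown": "unknown"}.get(cipher, "encrypted")
        else:                                       # PRIVATE KEY, RSA/EC PRIVATE KEY
            state = "plaintext"
        results.append((label, state))
    return results


# Constructed sample input: placeholder bodies, not real key material.
_FAKE = base64.b64encode(b"constructed placeholder").decode()
_SSH = base64.b64encode(MAGIC + struct.pack(">I", 4) + b"none").decode()
SAMPLE = "\n".join([
    "-----BEGIN PRIVATE KEY-----", _FAKE, "-----END PRIVATE KEY-----",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----", _FAKE, "-----END ENCRYPTED PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000", "", _FAKE,
    "-----END RSA PRIVATE KEY-----",
    "-----BEGIN OPENSSH PRIVATE KEY-----", _SSH, "-----END OPENSSH PRIVATE KEY-----",
])

if __name__ == "__main__":
    for label, state in classify_private_keys(SAMPLE):
        print(f"{state:9}  {label}")
```

A block reported as plaintext is a candidate for passphrase protection or storage in a key store, with file permissions restricted in the meantime.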