Certificate Management Service supports Private Certificate Authority (PCA). PCA allows you to build a private certificate platform for your enterprise in an efficient manner. Then, you can issue and manage self-signed private certificates within your enterprise. Private certificates are used to authenticate applications and encrypt and decrypt the data of your enterprise.

Supported regions

You can use PCA only in the Germany (Frankfurt) region.

If you use PCA, the data of your private certificates is stored on Certificate Management Service servers in the Germany (Frankfurt) region.

Scenarios

PCA is suitable for scenarios in which you need to encrypt internal application data by using cryptographic technologies and in which regulatory requirements and industry standards are not involved. The cryptographic technology of PCA enables secure data transmission, data encryption and decryption, and identity authentication between internal applications. These applications include internal office automation (OA) and human resources (HR) systems.

Procedure

PCA is a private certificate service that is provided by Alibaba Cloud. You can purchase a private root certificate authority (CA) and a private intermediate CA to build a private certificate platform for your enterprise. This way, you can manage private certificates within your enterprise by using the platform. You can purchase multiple private intermediate CAs for a private root CA based on the organizational structure of your enterprise. This way, you can manage private certificates by department.

Each step below lists its description, the related topic (References), and how the operation can be cancelled (Cancellation).

Step 1: Create a private CA. After you create a private CA, PCA is enabled.

    The first time you create a private CA, you must create a private root CA. Then, you can obtain one private root CA and one private intermediate CA. Later, you can create more private intermediate CAs for the private root CA.

    References: Purchase a private root CA

    Cancellation: After you create a private CA, if the private CA is in the Disabled state, you can claim a refund for the private CA. After the refund is approved, you can delete the private CA from the private CA list. For more information, see Claim a refund.

    Notice: You cannot claim a refund for a private CA that is enabled.

Step 2: Enable the private CA.

    The first time you enable a private CA, you must enable the private root CA and then the private intermediate CA.

    References: Enable a private CA

    Cancellation: If a private CA is in the Enabled state, you can revoke the private CA. After the private CA is revoked, you can delete the private CA from the private CA list. For more information, see Revoke a private CA.

    Notice: You cannot claim a refund for a private CA that is revoked.

Step 3: Assign the quota on private certificates.

    The first time you use a private intermediate CA, you must assign the quota on private certificates. Then, you can apply for private certificates from the private intermediate CA.

    References: Apply for a private certificate

    Cancellation: Not supported.

Step 4: Apply for a private certificate from the private intermediate CA that is enabled.

    A private root CA can issue only private intermediate CAs. Only private intermediate CAs can issue private certificates. Private certificates include server certificates and client certificates.

    References: Apply for a private certificate

    Cancellation: If a private certificate is in the Normal state, you can revoke the private certificate. After the private certificate is revoked, you can delete the private certificate from the private certificate list. For more information, see Revoke a private certificate.

Step 5: Export the private certificate to a specified user for installation and use.

    A server certificate must be installed on a server, and a client certificate must be installed on a client browser.

    References: Apply for a private certificate

    Cancellation: None.
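
A check to run on a certificate after export (step 5), enforcing the step 4 rule that private certificates come from an intermediate CA and never directly from the root. This is an added example, not Alibaba Cloud tooling: it assumes the OpenSSL CLI is installed, and it builds a throwaway local root, intermediate, server and client certificate whose names and file paths are placeholders.

```bash
# Added example: throwaway test PKI; all names and file paths are placeholders.
# write_cnf DIR: minimal OpenSSL config with one CA profile and two leaf profiles.
write_cnf() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
[client]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

# issue DIR SIGNER NAME CN PROFILE: new key + CSR for NAME, signed by SIGNER
# (self-signed when SIGNER equals NAME, which is how the root is made).
issue() {
  local d="$1" signer="$2" name="$3" cn="$4" profile="$5"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" -config "$d/pki.cnf" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  if [ "$signer" = "$name" ]; then set -- -signkey "$d/$name.key"
  else set -- -CA "$d/$signer.pem" -CAkey "$d/$signer.key" -CAcreateserial; fi
  openssl x509 -req -in "$d/$name.csr" "$@" -days 30 -extfile "$d/pki.cnf" \
    -extensions "$profile" -out "$d/$name.pem" 2>/dev/null
}

# build_demo_pki DIR: root -> intermediate -> one server and one client certificate.
build_demo_pki() {
  write_cnf "$1" && issue "$1" root root "Demo Root CA" ca &&
  issue "$1" root inter "Demo Intermediate CA" ca &&
  issue "$1" inter server "hr.internal.example" server &&
  issue "$1" inter client "oa-client-01" client
}

# check_leaf DIR LEAF PURPOSE (sslserver|sslclient): pass only if LEAF verifies up
# to the root, was issued by the intermediate (not the root), and is not a CA.
check_leaf() {
  local d="$1" leaf="$2" purpose="$3" iss sub
  openssl verify -CAfile "$d/root.pem" -untrusted "$d/inter.pem" \
    -purpose "$purpose" "$d/$leaf.pem" >/dev/null 2>&1 || return 1
  iss=$(openssl x509 -in "$d/$leaf.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$d/inter.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ "$iss" = "$sub" ] || return 1
  openssl x509 -in "$d/$leaf.pem" -noout -text | grep -q "CA:FALSE"
}
```

A certificate signed directly by the root still passes plain chain verification, so the issuer comparison in `check_leaf` is the part that catches it.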