All Products
Document Center

CDN:Configure an SSL certificate

Last Updated:May 06, 2024

Alibaba Cloud CDN supports HTTPS secure acceleration. You can deploy an SSL certificate in the Alibaba Cloud CDN console and enable HTTPS secure acceleration to encrypt requests between clients and points of presence (POPs).


An SSL certificate is prepared for the accelerated domain name.

  • If you want to purchase an SSL certificate, log on to the Certificate Management Service console to purchase a certificate from a certificate authority (CA).

  • Certificates that are issued by third-party CAs must meet the certificate format requirements. For more information, see Certificate formats.

Usage notes

  • Only certificates in the PEM format are supported. You can convert certificates in other formats to the PEM format. For more information, see Convert certificate formats.

  • When you upload a certificate that is issued by a third-party CA, use a private key that does not have password protection.

  • You can deploy an SSL certificate that is purchased from Certificate Management Service for multiple domain names in the Alibaba Cloud CDN console. For more information, see Configure an SSL certificate for multiple domain names.

  • You can view SSL certificates. You cannot view private keys because the keys are considered sensitive information. Keep certificate-related information confidential.

  • If you do not want to expose your private key to environments other than Alibaba Cloud CDN, you can use the Certificate Signing Request (CSR) tool that is provided by Alibaba Cloud Certificate Management Service to generate a CSR and a private key based on algorithms such as Rivest-Shamir-Adleman (RSA) and Elliptic-curve cryptography (ECC). You can also upload an existing CSR. For more information, see Manage CSRs.

  • If you want to enable end-to-end data transfer over HTTPS, you need to configure origin fetch over HTTPS. Make sure that the origin servers support HTTPS.

Configure or renew an SSL certificate

  1. Log on to the Alibaba Cloud CDN console.

  2. In the left-side navigation pane, click Domain Names.

  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.

  4. In the left-side navigation tree of the domain name, click HTTPS.

  5. In the HTTPS Certificate section, click Modify.

  6. In the Modify HTTPS Settings dialog box, turn on HTTPS Secure Acceleration, and configure the parameters.证书

    • If you have purchased a certificate from Alibaba Cloud Certificate Management Service, set the Certificate Source parameter to SSL Certificates Service and select the purchased certificate from the Certificate Name drop-down list.


      If the certificate that you purchased is unavailable, check whether the domain name that is associated with the purchased certificate is the accelerated domain name.

    • If you use a certificate that is issued by a third-party CA, set the Certificate Source parameter to Custom Certificate (Certificate+Private Key). After you configure the Certificate Name parameter, configure the Certificate (Public Key) and Private Key parameters. Then the certificate is saved in Alibaba Cloud Certificate Management Service. You can check the certificate on the SSL Certificates page.



      Certificate Name

      Enter a name for the certificate that you want to upload.

      The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

      • A certificate name must be unique. You can view existing certificates on the SSL Certificates page.

      • If the system prompts that the certificate already exists, change the certificate name and re-upload the certificate.

      Certificate (Public Key)

      Enter the content of the PEM-encoded certificate file.

      You can use a text editor to open the certificate file in the PEM format. Then, copy the content to the Certificate (Public Key) field.

      For more information, click PEM Encoding Reference below the Certificate (Public Key) field.

      Private Key

      Enter the content of the PEM-encoded private key file.

      You can use a text editor to open the private key file in the KEY format. Then, copy the content to the Private Key field.

      For more information, click PEM Encoding Reference below the Private Key field.


      If you obtain a private key that starts with "----- BEGIN PRIVATE KEY -----" and ends with "----- END PRIVATE KEY -----", use the OpenSSL tool to run the following command to convert the private key format. Then, copy the content of the new_server_key.pem file to the Private Key field.

      openssl rsa -in old_server_key.pem -out new_server_key.pem
  7. Click OK.

Check whether HTTPS secure acceleration takes effect

After you upload an SSL certificate, the certificate takes effect within 1 minute. To check whether the SSL certificate takes effect, you can send HTTPS requests to access resources. If the URL is displayed with a lock icon in the address bar of the browser, HTTPS secure acceleration is working as expected.验证结果

After you configure an SSL certificate, take note of the expiration time of the certificate. You need to configure a new certificate before the certificate expires.

Disable HTTPS secure acceleration

If you no longer require HTTPS secure acceleration, you can disable the feature in the Alibaba Cloud CDN console. Disabling HTTPS secure acceleration immediately takes effect. After you disable HTTPS secure acceleration, you can no longer access resources over HTTPS, and the SSL certificate and the private key are no longer retained.

If you want to re-enable HTTPS secure acceleration, select another SSL certificate.




Configure URL redirection

You can configure the URL redirection feature to forcibly redirect requests from clients to POPs to HTTPS.

Configure HSTS

After you configure HTTP Strict Transport Security (HSTS), clients such as browsers can establish only HTTPS connections to POPs to improve security.

Configure OCSP stapling

POPs cache certificate verification results and then send the results to clients without the need for the clients to verify certificates with the CAs. This reduces the verification time.


Related API operations

API operationDescription
CreateCdnCertificateSigningRequestCreates a certificate signing request (CSR).
DescribeDomainCertificateInfoQueries the certificate information about an accelerated domain name.
SetDomainServerCertificateEnables or disables the certificate of a domain name, and modifies the certificate information.
SetCdnDomainCSRCertificateConfigures an SSL certificate for a specified domain name.
DescribeCdnDomainByCertificateQueries accelerated domain names by SSL certificate.
DescribeCdnCertificateDetailQueries the detailed information about an SSL certificate.
DescribeCdnCertificateListQueries information about certificates.
DescribeCertificateInfoByIDQueries the information about a specified SSL certificate.
BatchSetCdnDomainServerCertificateEnables or disables the certificates of domain names, and modifies the certificate information.
DescribeCdnHttpsDomainListQueries the information about the SSL certificates within your Alibaba Cloud account.
DescribeUserCertificateExpireCountQueries the number of domain names whose SSL certificates are about to expire or have already expired.
SetCdnDomainSMCertificateEnables or disables a ShangMi (SM) certificate for a domain name.
DescribeCdnSMCertificateListQueries the SM certificates of an accelerated domain name.
DescribeCdnSMCertificateDetailQueries the details about an SM certificate.