CDN: Configure an SSL certificate

Last Updated: Jul 17, 2023

Alibaba Cloud CDN supports HTTPS secure acceleration. You can upload a custom SSL certificate or select an SSL certificate from Certificate Management Service in the Alibaba Cloud CDN console. If you want to enable HTTPS secure acceleration to ensure the security of data transmission, SSL certificates are required. This topic describes how to configure and renew an SSL certificate.

SSL certificate management

  • SSL certificates are classified into different types based on vetting and verification requirements. Different types of SSL certificates provide different levels of security and are suitable for different websites. For more information, see What is Certificate Management Service?

  • If you want to purchase an SSL certificate, you can log on to the Certificate Management Service console to purchase a certificate from a certificate authority (CA). If you want to use a custom certificate, the certificate must be in a valid format. For more information, see Certificate formats.

  • The Tengine web server that is used by Alibaba Cloud CDN is designed based on the NGINX web server architecture. Therefore, you can upload only certificate files in the NGINX-compatible PEM format for domain names for which HTTPS secure acceleration is enabled. If your SSL certificate is not in the PEM format, you need to convert the certificate into the PEM format. For more information, see Convert certificate formats.

  • The uploaded SSL certificate must match the private key. Otherwise, requests that are sent from clients fail the authentication.

  • The system does not support private keys for which passwords are configured.

  • Only SSL and TLS handshakes that include Server Name Indication (SNI) values are supported.

  • You can view SSL certificates. You cannot view private keys because they are sensitive information. Keep certificate-related information confidential.
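
The format rules in this list can be checked locally before anything is pasted into the console. The following Python sketch is an added example, not code from Alibaba Cloud: lint_upload, key_matches_cert and the sample PEM strings are hypothetical names, and the sample bodies are constructed filler rather than real certificates or keys.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return (label, body) for every PEM block found in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def lint_upload(cert_text, key_text):
    """List the reasons a certificate/key pair would be rejected or unsafe to upload."""
    problems = []
    cert_blocks, key_blocks = pem_blocks(cert_text), pem_blocks(key_text)
    if not any(label == "CERTIFICATE" for label, _ in cert_blocks):
        problems.append("no PEM CERTIFICATE block found")
    # The certificate field stays viewable after upload, so key material must never land in it.
    if any(label.endswith("PRIVATE KEY") for label, _ in cert_blocks):
        problems.append("certificate field contains a private key")
    keys = [(label, body) for label, body in key_blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no PEM private key block found")
    for label, body in keys:
        # PKCS#8 uses a dedicated label; legacy OpenSSL keys carry a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is password-protected")
    return problems

def key_matches_cert(cert_path, key_path):
    """True if the PEM key file belongs to the PEM certificate file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # The empty-password callback avoids an interactive passphrase prompt.
        ctx.load_cert_chain(cert_path, key_path, password=lambda: b"")
        return True
    except ssl.SSLError:  # raised on a mismatch or an undecryptable key
        return False

# Constructed sample input: the base64 body is filler, not real key material.
_BODY = base64.b64encode(b"constructed filler, not real key material").decode()
def _pem(label, headers=""):
    return f"-----BEGIN {label}-----\n{headers}{_BODY}\n-----END {label}-----\n"

SAMPLE_CERT = _pem("CERTIFICATE")
SAMPLE_KEY = _pem("PRIVATE KEY")
SAMPLE_PKCS8_ENCRYPTED = _pem("ENCRYPTED PRIVATE KEY")
SAMPLE_LEGACY_ENCRYPTED = _pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
if __name__ == "__main__":
    print(lint_upload(SAMPLE_CERT, SAMPLE_LEGACY_ENCRYPTED))
```

Run lint_upload on the text you intend to paste, then key_matches_cert on the two real files; the samples only exercise the format checks.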

Configure or renew an SSL certificate

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
  4. In the left-side navigation pane of the domain name, click HTTPS.
  5. In the HTTPS Certificate section, click Modify.

  6. In the Modify HTTPS Settings dialog box, turn on HTTPS Secure Acceleration.

  7. Set the parameters.

    Parameter | Description

    Certificate Source | Certificate Source supports the following options. You can switch between the options.

    • SSL Certificates Service

      You can apply for SSL certificates from various CAs and of different types in the Certificate Management Service console.

    • Custom Certificate (Certificate+Private Key)

      If you cannot find an SSL certificate that meets your requirements from the certificate list, upload a custom certificate. You need to enter the certificate name, the public key, and the private key of the custom certificate. The certificate is saved to Certificate Management Service. You can check the certificate on the SSL Certificates page.

      Note
      1. If the system prompts that the certificate already exists when you upload a custom certificate, change the certificate name and try again.

      2. If you do not want to expose your private key to environments other than Alibaba Cloud CDN, you can use the Certificate Signing Request (CSR) tool that is provided by Certificate Management Service to generate a CSR and a private key based on algorithms such as Rivest-Shamir-Adleman (RSA), Elliptic-curve cryptography (ECC), and ShangMi2 (SM2). You can also upload an existing CSR. For more information, see Manage CSRs.

    Certificate Name | You need to specify a certificate name if you set Certificate Source to one of the following values:

    • SSL Certificates Service

    • Custom Certificate (Certificate+Private Key)

    Certificate (Public Key) | If you set Certificate Source to Custom Certificate (Certificate+Private Key), you need to configure Certificate (Public Key). For more information, click PEM Encoding Reference below the Certificate (Public Key) field.

    Private Key | If you set Certificate Source to Custom Certificate (Certificate+Private Key), you need to configure Private Key. For more information, click PEM Encoding Reference below the Private Key field.

  8. Click OK.

Check whether HTTPS secure acceleration takes effect

After you upload an SSL certificate, the certificate takes effect within 1 minute. To verify whether the SSL certificate takes effect, you can send HTTPS requests to access resources. If the URL is displayed with a lock icon in the address bar of the browser, HTTPS secure acceleration is working as expected.

After you configure an SSL certificate, you need to take note of the expiration time of the SSL certificate and configure a new certificate before the certificate expires.
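
The browser check and the expiration reminder above can also be scripted. The following Python sketch is an added example, not code from Alibaba Cloud: it performs a handshake that carries the SNI value and reports how long the served certificate remains valid. The function names, the edge_host parameter (for pointing the connection at a specific CDN hostname), the 30-day warn_days threshold and the sample certificate dictionary are all assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def served_certificate(domain, edge_host=None, port=443, timeout=5.0):
    """Handshake with SNI set to domain and return the validated peer certificate."""
    # The default context verifies the chain and the hostname, so a wrong,
    # untrusted or already expired certificate raises ssl.SSLCertVerificationError.
    ctx = ssl.create_default_context()
    with socket.create_connection((edge_host or domain, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()

def days_remaining(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days

def renewal_status(cert, warn_days=30, now=None):
    """Classify a certificate dict as 'expired', 'renew' or 'ok'."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    return "renew" if left <= warn_days else "ok"

# Constructed sample in the shape returned by getpeercert(); not a real certificate.
SAMPLE_PEER_CERT = {
    "subjectAltName": (("DNS", "cdn.example.com"),),
    "notAfter": "Jul 17 12:00:00 2024 GMT",
}

if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 17, 12, 0, 0, tzinfo=timezone.utc)
    print(days_remaining(SAMPLE_PEER_CERT, fixed_now), renewal_status(SAMPLE_PEER_CERT, now=fixed_now))
```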

Disable HTTPS secure acceleration

If you no longer require HTTPS secure acceleration, you can disable the feature in the Alibaba Cloud CDN console. Disabling HTTPS secure acceleration immediately takes effect. After you disable HTTPS secure acceleration, you cannot access resources over HTTPS, and the SSL certificate and the private key are no longer retained.

If you want to re-enable HTTPS secure acceleration, you need to select an SSL certificate.

Related API operations

API operation | Description
CreateCdnCertificateSigningRequest | Creates a certificate signing request (CSR).
DescribeDomainCertificateInfo | Queries the certificate information about an accelerated domain name.
SetDomainServerCertificate | Enables or disables the certificate of a domain name, and modifies the certificate information.
SetCdnDomainCSRCertificate | Configures an SSL certificate for a specified domain name.
DescribeCdnDomainByCertificate | Queries accelerated domain names by SSL certificate.
DescribeCdnCertificateDetail | Queries the detailed information about an SSL certificate.
DescribeCdnCertificateList | Queries information about certificates.
DescribeCertificateInfoByID | Queries the information about a specified SSL certificate.
BatchSetCdnDomainServerCertificate | Enables or disables the certificates of domain names, and modifies the certificate information.
DescribeCdnHttpsDomainList | Queries the information about the SSL certificates within your Alibaba Cloud account.
DescribeUserCertificateExpireCount | Queries the number of domain names whose SSL certificates are about to expire or have already expired.
SetCdnDomainSMCertificate | Enables or disables a ShangMi (SM) certificate for a domain name.
DescribeCdnSMCertificateList | Queries the SM certificates of an accelerated domain name.
DescribeCdnSMCertificateDetail | Queries the details about an SM certificate.