To access resources over HTTPS secure acceleration, you must configure an SSL certificate. This topic describes the certificate formats that are supported by Alibaba Cloud Dynamic Route for CDN (DCDN) and how to convert certificate formats.
Before you enable HTTPS, you must configure an SSL certificate. You can directly select a certificate purchased
in the Alibaba Cloud SSL Certificates Service console or a free certificate, or upload a custom certificate. For more information, see
Request and renew an SSL certificate. Custom certificates support only the PEM
format. If a custom certificate is in another format, convert the certificate to
the PEM format.
Root CA certificates
Root CA certificates are issued by root certificate authorities (CAs) including Apache,
IIS, NGINX, and Tomcat. Each root CA certificate is unique. Alibaba Cloud DCDN uses
root CA certificates that are issued by NGINX. The certificate information is contained
in a .crt
file and the private key is contained in a .key
file.
- The certificate must start with
-----BEGIN CERTIFICATE-----
and end with-----END CERTIFICATE-----
. - All lines except the last line must be 64 characters in length. The last line can be up to 64 characters in length.
PEM
format that is used in Linux. 
Certificates issued by an intermediate CA
A certificate file that is issued by an intermediate CA contains multiple certificates. When you configure HTTPS, you must combine the intermediate certificates and server certificate into a complete certificate before you upload it.
A chain of certificates that are issued by an intermediate CA:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The certificates in the chain must comply with the following rules:
- Empty lines are not allowed between certificates.
- Each certificate must be in PEM format.
RSA private key formats
A Rivest-Shamir-Adleman (RSA) private key must comply with the following rules:
- Run the
openssl genrsa -out privateKey.pem 2048
command to generate the RSA private key.privateKey.pem
is the private key file. - The private key must start with
-----BEGIN RSA PRIVATE KEY-----
and end with-----END RSA PRIVATE KEY-----
. - All lines except the last line must be 64 characters in length. The last line can be less than 64 characters in length.

-----BEGIN PRIVATE KEY-----
or end with -----END PRIVATE KEY-----
, run the following command to convert the private key: openssl rsa -in old_server_key.pem -out new_server_key.pem
Then, upload the new_server_key.pem
file and the certificate together.
Convert certificate formats
HTTPS configuration supports only certificates that are in the PEM format. If your certificates are not in the PEM format, you must convert them to the PEM format. We recommend that you use OpenSSL to convert certificate formats. This section describes how to convert certificates to PEM:
- Convert a certificate from DER to PEM
The DER format is typically used for Java.
- Convert the certificate format:
openssl x509 -inform der -in certificate.cer -out certificate.pem
- Convert the private key format:
openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem
- Convert the certificate format:
- Convert a certificate from P7B to PEM
The P7B format is typically used for Windows Server and Tomcat.
- Convert the certificate format:
openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer
Open the
outcertificat.cer
file. Then, upload the part that starts with-----BEGIN CERTIFICATE-----
and ends with-----END CERTIFICATE-----
. - A certificate in the P7B format does not include a private key. When you configure an SSL certificate in the DCDN console, specify the certificate information. You do not need to specify the private key.
- Convert the certificate format:
- Convert a certificate from PFX to PEM
The PFX format is typically used for Windows Server.
- Convert the certificate format:
openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
- Convert the private key format:
openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
- Convert the certificate format: