Dynamic Route for CDN (DCDN) supports HTTPS secure acceleration. In the DCDN console, you can upload a custom Secure Sockets Layer (SSL) certificate or select an SSL certificate from SSL Certificates Service. The SSL certificate ensures data security during transmission. This topic describes how to configure and renew an SSL certificate.


  • An SSL certificate is prepared. If you want to purchase an SSL certificate, you can log on to the SSL Certificates Service console to apply for a free certificate or purchase a certificate from a certificate authority (CA).
  • If you want to use a custom certificate, it must be in a valid format. For more information, see Certificate formats.

Background information

SSL certificates are classified into different types based on vetting and verification requirements. Different types provide different levels of security and are suitable for different websites. For more information, see Supported certificate types.

Only SSL certificates that are in Privacy Enhanced Mail (PEM) format are supported. If your SSL certificate is not in PEM format, you must convert it to PEM format. For more information, see Certificate formats.
  • The CRT file extension is short for certificate. A .crt file may be in PEM or Distinguished Encoding Rules (DER) format. Before you convert a certificate, check whether it actually needs to be converted.
  • PEM is a text format. It starts with "-----BEGIN ***-----" and ends with "-----END ***-----". The content between these lines is encoded in Base64. Both the certificate and private key can be saved in this format. To distinguish a certificate from a private key, change the extension of a private key file that is in PEM format to .key.
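
The format check described above can be scripted before anything is pasted into the console. The following Python sketch is an added example, not code from the DCDN documentation; the function names (inspect, der_to_pem, check_upload) and the sample bytes are hypothetical and constructed for illustration. It distinguishes PEM from DER, converts DER to PEM with the standard library, and flags a private key that ended up in the certificate field.

```python
import base64
import re
import ssl

# A PEM block: BEGIN/END lines with the same label around Base64 text.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def inspect(data: bytes):
    """Return ("PEM", [block labels]), ("DER", []) or ("UNKNOWN", [])."""
    text = data.decode("ascii", errors="ignore")
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # body is not plain Base64
            return "UNKNOWN", []
        labels.append(label)
    if labels:
        return "PEM", labels
    # DER is binary ASN.1; an X.509 certificate starts with SEQUENCE (0x30).
    return ("DER", []) if data[:1] == b"\x30" else ("UNKNOWN", [])


def der_to_pem(der: bytes) -> bytes:
    # Standard-library helper: Base64-encodes and adds the CERTIFICATE lines.
    return ssl.DER_cert_to_PEM_cert(der).encode("ascii")


def check_upload(cert_field: bytes, key_field: bytes):
    """List problems with the values meant for the two console fields."""
    problems = []
    enc, labels = inspect(cert_field)
    if enc != "PEM":
        problems.append(f"certificate is {enc}, convert it to PEM first")
    elif any("PRIVATE KEY" in lab for lab in labels):
        problems.append("private key found in the certificate field")
    elif "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block in the certificate field")
    enc, labels = inspect(key_field)
    if enc != "PEM" or not any("PRIVATE KEY" in lab for lab in labels):
        problems.append("private key field does not hold a PEM private key")
    return problems


# Constructed placeholder bytes, not a real certificate or key.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"\x00" * 10
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nAAECAwQFBgc=\n-----END PRIVATE KEY-----\n"
```

The check looks only at the encoding and the block labels; it does not verify that the private key belongs to the certificate.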


HTTPS secure acceleration is a value-added service. After you enable HTTPS, you are charged based on the number of HTTPS requests. You cannot use DCDN data transfer plans to offset the fees. For more information about the pricing of HTTPS secure acceleration, see Billing of HTTPS and HTTP requests for dynamic content.

Configure or renew the SSL certificate

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, choose Tools > Certificate Center.
  3. On the Certificate Center page, click Add Certificate.
  4. On the Add Certificate panel, configure the parameters that are described in the following table.
    Parameter Description
    Certificate Source
    • SSL Certificates Service

      You can apply for certificates of various CAs and types in the SSL Certificates Service console.

    • Custom Certificate (Certificate + Private Key)

      If you cannot find a certificate that meets your requirements in the certificate list, upload a custom certificate. You must enter the certificate name, the public key, and the private key of the certificate. The certificate is saved to SSL Certificates Service. You can check the certificate in the SSL Certificates Service console.

    • Free Certificate
      Free certificates are used only for HTTPS secure acceleration. You cannot manage free certificates or view the public or private keys of free certificates in the SSL Certificates Service console.
      • In general, free certificates are issued within one to two business days. During this period of time, you can choose to upload a custom certificate or select a certificate from Alibaba Cloud SSL Certificates Service.
        Note: After you submit the request, the certificate may be issued within several hours to two business days. The time required to issue the certificate is based on the verification process defined by the CA.
      • A free certificate is valid for one year. Before it expires, you do not need to apply for a new certificate each time you enable HTTPS secure acceleration. You must apply for a new certificate only if the current one expires.

    You can switch between certificates from SSL Certificates Service, Custom Certificate (Certificate + Private Key), and Free Certificate.

    Certificate Name: If you set Certificate Source to SSL Certificates Service or Custom Certificate (Certificate + Private Key), you must specify a certificate name.
    Certificate (Public Key): This parameter is required if you set Certificate Source to Custom Certificate (Certificate + Private Key). For more information, see PEM Encoding Reference below the Certificate (Public Key) field.
    Private Key: This parameter is required if you set Certificate Source to Custom Certificate (Certificate + Private Key). For more information, see PEM Encoding Reference below the Private Key field.
  5. Click Next.
  6. Associate one or more domain names with the certificate.
    Note: If you use a certificate from SSL Certificates Service or a custom certificate, you can associate multiple domain names with the certificate at a time. If you use a free certificate, you can associate only one domain name with the certificate.
  7. Click OK to deploy or update the certificate.

Check whether HTTPS takes effect

After an SSL certificate is uploaded, it takes effect within one minute. To verify that the SSL certificate has taken effect, send HTTPS requests to access resources. If the URL is displayed with a lock icon in the address bar of the browser, HTTPS secure acceleration is working as expected.
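
A scripted counterpart to the browser check, as an added example that is not part of the original documentation: fetch_peer_cert performs a verified TLS handshake against an accelerated domain, and assess reports which of the associated domain names the served certificate does not cover and how many days remain before it expires. The function names, the 30-day warning threshold, and the sample certificate data are assumptions constructed for illustration.

```python
import socket
import ssl
import time


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Handshake with default chain and hostname verification (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def assess(cert, domains, now=None, warn_days=30):
    """Evaluate a getpeercert() dict against the associated domain names."""
    now = time.time() if now is None else now
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    uncovered = [d for d in domains
                 if not any(san_matches(p, d) for p in sans)]
    return {"uncovered": uncovered,
            "days_left": days_left,
            "renew_soon": days_left < warn_days}


# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notAfter": "Jun 10 00:00:00 2025 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("May 21 00:00:00 2025 GMT")
```

Against a live domain, pass the result of fetch_peer_cert(host) to assess; a handshake that raises ssl.SSLCertVerificationError means the served certificate is not yet valid for that host.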

What to do next

Related API operations

You can call the related API operation to configure or update the certificate of a domain name. For more information, see SetDcdnDomainCertificate.
Note: If you want to update the certificates of multiple domain names, call this operation multiple times.