Edge Security Acceleration: Configure edge certificates

Last Updated: Mar 31, 2026

Edge Security Acceleration (ESA) supports an HTTPS secure acceleration service. You can deploy an SSL/TLS certificate to the ESA platform and enable the SSL/TLS function to encrypt requests transmitted between clients and ESA points of presence (POPs).

Configure certificates

Certificate types

ESA supports both free and custom certificates. Free certificates are automatically issued and renewed by trusted certification authorities (CAs) such as Let's Encrypt, making them ideal for quickly enabling HTTPS encryption. Custom certificates allow you to upload your own enterprise certificates, such as those issued by GlobalSign, to meet branding or compliance requirements. You are responsible for managing the validity and renewal of custom certificates.

  • If you have a small-to-medium enterprise website or a personal blog that uses a single exact-match domain name, we recommend that you apply for a free certificate.

  • If you need a certificate from a specific certification authority (CA) or already have one, upload a custom certificate.

| Type | Let's Encrypt free certificate | Digicert free certificate | Custom certificate |
| --- | --- | --- | --- |
| Renewal method | Automatic | Automatic | Manual |
| Certificate type | DV | DV | DV, OV, EV |
| Certificate algorithm | RSA | RSA | RSA, ECC |
| Domain type | Exact-match domain name, wildcard domain name | Single exact-match domain name | Single exact-match domain name, wildcard domain name |

Note

You can configure both free and custom certificates for the same website. All certificates form a certificate pool. When a point of presence (POP) receives a client request, it automatically selects the optimal certificate from the pool and returns it to the client.

Apply for a free certificate

The free certificate feature simplifies certificate issuance and management. You can enter your domain name to automatically complete the certificate application, domain control validation (DCV), renewal, and deployment.

Note
  • Free certificates cannot be downloaded.

  • During the application process, ESA automatically completes the domain control validation (DCV). You do not need to perform any manual validation. For more information, see Automatic domain control validation for free certificates.

  • ESA automatically renews free certificates 30 days before they expire. If a renewal fails, you will be notified by email and SMS. If this happens, you must upload a custom certificate to prevent service disruptions.

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left-side navigation pane, choose Edge Certificates.

  3. In the Certificate Management area, click Apply for Free Certificate. Select a Certificate Authority and enter a Domain Name:

    • Let's Encrypt (No SLA): Each free certificate can include up to 50 domain names. You can enter single domain names and wildcard domain names. A wildcard domain name must start with *. The domain names must match the website. A certificate for example.com covers only that domain name and does not include subdomains such as www.example.com. To cover subdomains such as www.example.com, you must apply for a separate wildcard domain name certificate (*.example.com) or add the subdomain as an additional domain name.

    • DigiCert: You can select only one website domain for a Digicert single-domain certificate. If you apply for a certificate for example.com, the issued certificate will include both example.com and www.example.com.

  4. Click OK and wait for the certificate application to complete. After the certificate is successfully issued, its status in the Status column changes to Normal.


Upload a custom certificate

You can deploy certificates to ESA from Alibaba Cloud Certificate Management Service or third-party providers.

Note
  • To purchase an advanced certificate, go to the SSL Certificate console.

  • Certificates from third-party providers must be in the required format. For more information, see Certificate format requirements.

  • You can view the certificate details, but you cannot view the private key because it contains sensitive information. Store your certificate information securely.

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left-side navigation pane, choose Edge Certificates.

  3. In the Certificate Management area, click Upload Custom Certificate.

    • If you purchased a certificate from Alibaba Cloud Certificate Management Service, set Certificate Source to Certificate Purchased by Using Certificate Management Service and select your certificate from the Certificate Name drop-down list.

      Note

      If you cannot find your certificate in the list, check whether the domain name bound to the certificate is the same as the domain name of the website.

    • If you are using a certificate from a third-party provider, set Certificate Source to Custom Certificate. Then, enter a Certificate Name and paste the content of your Certificate (Public Key) and Private Key. The certificate is saved in Certificate Management Service. You can view it in SSL Certificate Management.

      | Parameter | Description |
      | --- | --- |
      | Certificate Name | Enter a name for the certificate you want to upload. You can use letters, periods, numbers, underscores _, and hyphens -. Note: The certificate name must be unique. You can view existing certificates in SSL Certificate Management. If the system reports a duplicate name, change the name and try again. |
      | Certificate (Public Key) | Paste the PEM-encoded content of your certificate file. You can use a text editor to open the PEM-formatted certificate file, and then copy and paste the content into this field. |
      | Private Key | Paste the PEM-encoded content of your certificate's private key. You can use a text editor to open the PEM-formatted private key file, and then copy and paste the content into this field. |

  4. Click OK to upload the certificate.

Enable SSL/TLS

After deploying an SSL/TLS certificate, you must enable SSL/TLS. This allows clients to establish encrypted connections to edge points of presence (POPs) over HTTPS. The system automatically intercepts HTTP requests and redirects them to HTTPS, ensuring that all data is encrypted and protected from tampering. This helps you meet security and compliance requirements and increases user trust in your website.

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left-side navigation pane, choose Edge Certificates.

  3. Turn on the SSL/TLS switch.

    Note

    This configuration applies to all domain names associated with the website. To enable SSL/TLS encryption for only specific domain names, add a rule for those domains. For more information, see SSL/TLS rules.


Verify HTTPS configuration

After configuring the certificate and enabling SSL/TLS, you can verify the setup by accessing your website over HTTPS in a web browser. If a lock icon appears next to the URL, HTTPS security is active.


Update a custom certificate

ESA does not automatically renew custom certificates. To prevent service disruptions, you must update custom certificates in the console before they expire. The system sends reminder notifications by email 30 days before expiration. Allow sufficient time to complete the update and ensure business continuity.

Update an existing certificate

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left-side navigation pane, choose Edge Certificates.

  3. In the Certificate Management area, find the certificate that you want to update and click Modify in the Actions column.

  4. Update the certificate content as needed, and then click OK.

Configure a new certificate

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left-side navigation pane, choose Edge Certificates.

  3. In the Certificate Management area, click Upload Custom Certificate. Enter the required information based on the Certificate Source, and then click OK.

  4. After uploading the new certificate, find the expiring certificate in the list and click Delete in the Actions column. Follow the on-screen prompts to delete the old certificate.

Site-level and rule-based features

Site-level configurations affect all requests for the website. To apply a feature only to specific requests, you can configure it as a rule. Rules use conditions to match specific request parameters, giving you precise control over which requests the configuration affects.

| Site-level feature | Rule-based feature |
| --- | --- |
| Enable SSL/TLS | SSL/TLS Encryption |
| Enforce HTTPS | Enforce HTTPS |
| TLS Cipher Suites and Protocol Version Configuration | TLS Cipher Suites and Protocol Version Configuration |
| OCSP Stapling | OCSP Stapling |
| Opportunistic Encryption | Opportunistic Encryption |
| HSTS | HSTS |

References

Automatic domain control validation for free certificates

Certification authorities (CAs) require applicants to complete a validation process to verify domain ownership. ESA supports the following methods:

  • DNS validation (for websites that use NS record integration): After applying for a free certificate, ESA automatically adds a TXT record to your DNS configuration to complete the domain control validation (DCV).

  • HTTP validation (for websites added by using CNAME): After you apply for a free certificate, this method confirms your domain control by verifying that you can place a specific file on the web server for the specified domain.

When you apply for a free certificate for a website that is active in ESA, ESA automatically handles the domain validation process by using hosted DCV.

Certificate selection priority

When an edge point of presence (POP) receives a client request, it selects the optimal certificate from the pool based on the following priority:

  • Active certificates that match the client's Server Name Indication (SNI) request are prioritized.

  • More recently configured certificates are prioritized over older ones.
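The two selection rules above, combined with the domain coverage rule from the free-certificate steps, modelled as an added example (not ESA's own code and not part of the original page). `PoolCert`, `covers`, `select_certificate` and the sample pool are hypothetical; single-label wildcard matching and returning nothing when no certificate matches are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class PoolCert:
    name: str                 # label used in this example only
    domains: tuple            # domain names on the certificate
    configured_at: datetime   # when it was added to the website
    active: bool = True       # False models a certificate that is not active

def covers(pattern: str, host: str) -> bool:
    """True if one certificate domain name covers the requested host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        # Exact-match name: example.com does not cover www.example.com.
        return pattern == host
    # Assumption: "*" stands for exactly one leftmost label, the usual TLS
    # rule, so *.example.com covers www.example.com but not example.com
    # itself and not a.b.example.com.
    label, _, parent = host.partition(".")
    return bool(label) and parent == pattern[2:]

def select_certificate(pool, sni: str) -> Optional[PoolCert]:
    """Pick the certificate for an SNI name using the two documented rules."""
    # Rule 1: only active certificates that match the SNI name are candidates.
    matching = [c for c in pool
                if c.active and any(covers(d, sni) for d in c.domains)]
    if not matching:
        return None  # assumption: the page does not describe the no-match case
    # Rule 2: among matches, the most recently configured certificate wins.
    return max(matching, key=lambda c: c.configured_at)

# Constructed sample pool; names and dates are illustrative.
POOL = [
    PoolCert("le-apex", ("example.com",), datetime(2025, 1, 10)),
    PoolCert("le-wildcard", ("*.example.com",), datetime(2025, 2, 1)),
    PoolCert("custom-old", ("example.com", "www.example.com"),
             datetime(2024, 6, 1)),
    PoolCert("custom-expired", ("www.example.com",),
             datetime(2025, 3, 1), active=False),
]

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "a.b.example.com"):
        chosen = select_certificate(POOL, host)
        print(host, "->", chosen.name if chosen else "no matching certificate")
```

In this model, a newly uploaded custom certificate takes over from an older one for the same name as soon as it is active, which is why the update procedure can upload the replacement before deleting the expiring certificate.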

Plan support

| Type | Entrance | Entrance | Premium | Enterprise |
| --- | --- | --- | --- | --- |
| Let's Encrypt free certificate | 10 | 50 | 70 | 100 |
| Digicert free certificate | Not supported | 10 | 20 | 50 |
| Custom certificate | 5 | 10 | 20 | 50 |

FAQ

Digicert free certificate features

  • Domain name limit: A single certificate can include only one domain name and does not support wildcard domain names.

  • SAN configuration: The certificate is issued with two Subject Alternative Names (SANs): the requested domain and its www subdomain. For example, if you apply for a certificate for example.com, the certificate will include both example.com and www.example.com.

  • Handling of www domain names: If you enter a certificate name that starts with www., ESA automatically ignores the leading www. prefix.

  • DCV verification: The domain name for TXT record verification is _dnsauth.{{certificate_name}}. For managed DCV, you must configure a CNAME record for this domain.

  • Validity period: The certificate is valid for 90 days and supports automatic renewal.

  • Certificate type: It is a Domain Validated (DV) certificate that uses the SHA-256 with RSA encryption algorithm.

For more frequently asked questions, see SSL/TLS FAQ.