Object Storage Service: Host SSL certificates

Last Updated: Aug 10, 2023

To use a custom domain name to access Object Storage Service (OSS) resources over HTTPS, you must first purchase an SSL certificate and host the SSL certificate in OSS. You can purchase an SSL certificate from a certificate authority (CA) or from Alibaba Cloud SSL Certificates Service.

SSL certificate hosting methods

Host a certificate for an accelerated domain name

If you map an accelerated domain name to your bucket, perform the following steps in the Alibaba Cloud CDN console to host your certificate. For more information about how to map an accelerated domain name to a bucket, see Map accelerated domain names.

  1. Log on to the Alibaba Cloud CDN console.

  2. In the left-side navigation pane, choose Content Delivery > Domain Names. On the Domain Names page, locate the domain name in the domain name list and click Manage in the Actions column.

  3. In the navigation tree that appears, click HTTPS > Modify.

  4. In the Modify HTTPS Settings dialog box, turn on HTTPS Secure Acceleration and configure the HTTPS certificate parameters described in the following table.

    Parameter: Certificate Source

    Description: Valid values:

    • SSL Certificates Service: Select the certificate that you purchase from SSL Certificates Service from the Certificate Name drop-down list.

    • Custom Certificate (Certificate+Private Key): If no matching certificate is available in the drop-down list, you can upload a custom certificate. Then, set Certificate Name and enter the certificate content in the Certificate (Public Key) field and the private key in the Private Key field. The uploaded certificate is saved to SSL Certificates Service. If you receive a message that indicates the certificate already exists, change the certificate name and upload the certificate again. After you upload a certificate, you can view the certificate in the Certificate Management Service console.

    • Upload Custom Certificate (Certificate): If you do not want to upload your private key, you must create a Certificate Signing Request (CSR) in the Alibaba Cloud CDN console and apply for a certificate from a CA. For more information, see Manage CSRs.

    • Free Certificate: If you want to use free SSL certificates for HTTPS secure acceleration, select this option. Free SSL certificates cannot be managed in the SSL Certificates Service console. The public keys and private keys of free SSL certificates cannot be viewed in the SSL Certificates Service console. A free certificate takes effect approximately 10 minutes after you save the configurations of the certificate.

      In most cases, free certificates are issued within one to two business days. The validity period of free certificates is one year. Within the validity period of a free certificate, you do not need to apply for a new free certificate each time you enable HTTPS secure acceleration. You must apply for a new free certificate only if the current one expires.

      Note

      Changes have been made to the certificate policies based on the latest proposals of the CA/Browser Forum (CA/B). Due to the changes, the success rate of applying for a free SSL certificate in the Alibaba Cloud CDN console is greatly reduced. If you want to use free SSL certificates, we recommend that you apply for and deploy certificates in the SSL Certificates Service console.

    Parameter: Certificate Name

    Description: You must configure this parameter only if you select SSL Certificates Service or Custom Certificate (Certificate+Private Key) for Certificate Source.

    Parameter: Certificate (Public Key)

    Description: You must configure this parameter only if you select Custom Certificate (Certificate+Private Key) or Upload Custom Certificate (Certificate) for Certificate Source. For more information, click PEM Encoding Reference below the Certificate (Public Key) field.

    Parameter: Private Key

    Description: You must configure this parameter only if you select Custom Certificate (Certificate+Private Key) for Certificate Source. For more information, click PEM Encoding Reference below the Private Key field.

  5. Click OK.

    After you configure an SSL certificate, the certificate takes effect in approximately 1 minute. You can access the bucket over HTTPS to check whether HTTPS secure acceleration takes effect. If the https icon precedes the HTTPS URL of the bucket in the address bar of your browser, HTTPS secure acceleration takes effect.

    HTTPS secure acceleration is a value-added service. After you enable this service, you are charged based on the number of HTTPS requests. For more information about HTTPS secure acceleration billing, see Billing of value-added services.
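Before you paste a PEM pair into the Certificate (Public Key) and Private Key fields for the Custom Certificate (Certificate+Private Key) option, you can check locally that the private key belongs to the certificate, that the certificate covers the domain name, and that it is not about to expire. The following script is an added example and is not part of the Alibaba Cloud documentation; it assumes the openssl command-line tool (1.1.1 or later) and an unencrypted private key, and the domain names and file names are constructed samples.

```sh
#!/bin/sh
# Added example: checks to run on a PEM certificate and private key before upload.
# static.example.com and other.example.com are constructed sample domains.

# check_pair CERT KEY DOMAIN [MIN_DAYS]
# Returns 0 if usable, 1 if the key does not belong to the certificate,
# 2 if the certificate does not cover DOMAIN, 3 if it expires within MIN_DAYS.
check_pair() {
    cert=$1 key=$2 domain=$3 min_days=${4:-30}
    # Derive the public key from each file; a parse failure counts as a mismatch.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    # The verdict of -checkhost is read from its output rather than its exit code.
    openssl x509 -in "$cert" -noout -checkhost "$domain" 2>&1 |
        grep -q 'does match certificate' || return 2
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        return 3
    return 0
}

# Create a throwaway self-signed pair for NAME, valid for DAYS (constructed input).
make_sample_pair() {  # DIR NAME DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Run one check and print its result code without aborting the script.
report() {  # LABEL CERT KEY DOMAIN [MIN_DAYS]
    label=$1; shift
    rc=0; check_pair "$@" || rc=$?
    echo "$label: $rc"
}

demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" static.example.com 90
make_sample_pair "$demo_dir" other.example.com 90
s="$demo_dir/static.example.com" o="$demo_dir/other.example.com"
report "matching pair"         "$s.pem" "$s.key" static.example.com
report "key from another pair" "$s.pem" "$o.key" static.example.com
report "wrong domain"          "$s.pem" "$s.key" other.example.com
report "expires within a year" "$s.pem" "$s.key" static.example.com 365
```

To check a real pair, call check_pair with your own certificate file, key file and the domain name mapped to the bucket.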

Host a certificate for a custom domain name

If you map a custom domain name to your bucket, perform the following steps in the OSS console to host your certificate:

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.

  3. In the left-side navigation pane, choose Bucket Settings > Domain Names.

  4. Locate the domain name for which you want to host an SSL certificate and click Upload Certificate.

  5. In the Upload Certificate message, click Go to CDN Console or Update in OSS Console.

    • Go to the CDN console

      For more information, see Step 5 in the "Host a certificate for an accelerated domain name" section of this topic.

    • Update in the OSS console

      1. In the Upload Certificate dialog box, select a certificate from the drop-down list.

        Note

        Only the certificates that match the custom domain name are displayed.

        After you select a certificate, the public key of the certificate is displayed. To ensure security, the private key is not displayed.

        Important

        You cannot upload a custom certificate in the OSS console. If no certificates are available, you must purchase or upload a certificate. For more information about how to purchase a certificate, see Purchase an SSL certificate. For more information about how to upload a certificate, see Upload an SSL certificate.

      2. Click Upload.