All Products
Search
Document Center

Simple Application Server:Install an SSL certificate on Node.js (Linux)

Last Updated:Jun 20, 2026

You can enable HTTPS access for a domain name configured on your Simple Application Server. This upgrades your data transmission protocol from HTTP to HTTPS at a low cost. HTTPS provides website authentication and encrypted data transmission to protect your data in transit from tampering and leakage. This topic shows you how to install an SSL certificate and enable HTTPS access on a Simple Application Server running a Node.js runtime environment.

Prerequisites

  • You have a domain name. For more information about how to purchase a domain name from Alibaba Cloud, see Register a generic domain name.

  • If your Simple Application Server is in the Chinese mainland, ensure your domain name has an Internet content provider (ICP) filing. For more information, see What is an ICP filing?.

  • Your domain name has been bound to the Simple Application Server and resolved. For more information, see Register and resolve a domain name.

Background

Node.js is a JavaScript runtime built on Chrome's V8 engine for building fast and scalable network applications. Node.js uses an event-driven, non-blocking I/O model, which makes it lightweight and efficient. It is well-suited for data-intensive, real-time applications that run on distributed devices. For more information, visit the official Node.js website.

When you purchase, apply for, and deploy a certificate to your web server with Certificate Management Service, your web service can transmit data over HTTPS. HTTPS establishes an SSL-encrypted channel between a client's browser and the web server. This provides strong, one-way encryption to prevent data leaks or tampering. HTTPS encryption is essential for mobile apps, mini programs, and other code or controls published to an app store or an application ecosystem. HTTPS provides the following benefits for your website:

  • Security and compliance: Meet the requirements of various app stores and application ecosystems.

  • Encrypted data transmission: Encrypt communications between your website and its users to prevent data hijacking, tampering, and interception.

  • Enhanced website security: Prevent phishing events. Browsers display a security indicator for HTTPS-secured sites, improving your website's credibility, traffic, and search engine ranking.

For more information, see What is Certificate Management Service?.

Step 1: Create a Node.js server

  1. Go to the Servers page in the Simple Application Server console.

  2. On the Simple Application Server purchase page, configure the resources.

    For more information, see Create a Simple Application Server.

    In the Image section, select the Node.js 16.5.0 application image.

Step 2: Purchase SSL certificate

Purchase certificate

  1. Go to the Certificate Service purchase page.

  2. Select the specifications for your certificate.

    Parameter

    Description

    Example

    Certificate Type

    Select the type of domain to which the SSL certificate will be bound:

    • Single Domain: An SSL certificate that is bound to a single domain.

    • Wildcard Domain: Secures multiple subdomains at the same level, eliminating the need to purchase and install a separate certificate for each subdomain.

      The following rules apply to wildcard domain matching:

      • The certificate matches only subdomains at the same level. For example, a certificate for *.aliyundoc.com can match demo.aliyundoc.com and learn.aliyundoc.com, but cannot match guide.demo.aliyundoc.com or developer.demo.aliyundoc.com.

      • You can apply for a certificate for only one wildcard domain. To include multiple wildcard domains in one certificate, you can combine multiple certificates of the same brand and type. For more information, see Combine certificate applications.

    • Multiple Domains: An SSL certificate that is bound to multiple single domains. You can use a single certificate to secure up to five domains.

    Note

    Alibaba Cloud provides a free domain name when you purchase a qualifying commercial certificate. For more information, see Purchase a commercial certificate.

    Single Domain

    Brand

    Select the certificate brand (the CA that issues the certificate).

    For more information about certificate brands, see SSL certificate selection guide.

    Digicert

    Certificate Specifications

    Select the required certificate type.

    For more information about different certificate types, see SSL certificate selection guide.

    DV SSL

    Domain Names

    This parameter is required only when you select Multiple Domains. Select the number of single domains to bind to the SSL certificate.

    1

    Quantity

    The number of SSL certificates to purchase. This value is fixed at 1. To purchase certificates for multiple consecutive years, set the Service Duration. For example, setting Service Duration to 2 Years provides two separate one-year certificates.

    1

    Service Duration

    The duration of the SSL certificate service. Options:

    • 1 Year: Provides a one-year SSL certificate service. The certificate is valid for one year and must be manually renewed upon expiration.

    • 2 Years: Provides a two-year service that includes two one-year certificates and one year of the certificate hosting service.

      For more information about certificate hosting, see What is certificate hosting?.

    • 3 years: Provides a three-year service that includes three one-year certificates and two years of the certificate hosting service.

    1 Year

  3. Click Buy Now and complete the payment.

Submit certificate application

  1. Log in to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > SSL Certificate Management.

  3. On the Commercial Certificate tab, find the certificate you purchased and click Apply for Certificate in the Actions column.

  4. In the Apply for Certificate panel, configure the parameters, select the Quick Issue checkbox, and then click Submit.

    Parameter

    Description and example

    Certificate Type

    Single Domain

    Certificate Specifications

    digicert DV

    Domain Name

    The domain name to be secured by the certificate. This domain must be the one bound to your Simple Application Server instance. Example: aliyundoc.com

    Validity Period (Years)

    1

    Quick Issue

    Domain Verification Mode

    • If your domain uses Alibaba Cloud DNS under the same account, Certificate Management Service automatically selects Automatic DNS Verification. This method cannot be changed. The system completes verification automatically after you submit the application, so you only need to wait for the certificate to be issued.

    • If the domain name does not use Alibaba Cloud DNS or is managed by a different Alibaba Cloud account, you can select one of the following methods to verify domain ownership:

      • Manual DNS Verification: Requires you to manually add a TXT record in your DNS provider's console to verify domain ownership.

      • File Verification: Download a dedicated verification file from the Certificate Management Service console and upload it to the required verification directory on your web server.

    Contact

    From the drop-down list, select a contact. If no contact is available, click Create Contact to create one.

    Make sure that the contact information is accurate and valid.

    Region

    Select your city or region.

    Encryption Algorithm

    The encryption algorithm of the SSL certificate. The default value is RSA and cannot be changed. RSA is a widely used asymmetric encryption algorithm that provides good compatibility.

    CSR Generation

    A Certificate Signing Request (CSR) is a file that contains server and company information and is submitted to a CA for review.

    Select System Generated. Certificate Management Service automatically generates a CSR file by using the specified Encryption Algorithm.

  5. If the Domain Verification Mode is Automatic DNS Verification, the system automatically completes the DNS verification. You only need to wait for the certificate to be issued. If the Domain Verification Mode is set to Manual DNS Verification or File Verification, you must follow the prompts in Verify Information to complete the domain ownership verification. For more information, see Domain ownership verification.

    After you submit the certificate application, the CA typically reviews the application and issues the certificate within approximately 30 minutes. After the SSL certificate is issued, its Status changes to Issued.

Step 3: Configure the SSL certificate

After a certificate is issued, its status changes to Issued. You must download and configure the certificate. For more information, see Deploy an SSL certificate.

  1. Download the certificate.

    1. On the Commercial Certificates tab, select the certificate that you want to download, and then click Download in the lower-left corner of the certificate list.

      Note

      You can click Download only for SSL certificates in the Issued, Expiring, or Expired state.

    2. In the Batch Download Certificates dialog box, download the certificate for your server type.

      This example uses NGINX for forwarding, so you need to download the NGINX version.

      Warning

      After downloading the certificate, save it in a secure location to prevent a certificate leak.

      In the Batch Download Certificates dialog box, find the NGINX row (format: pem/key), and then click Download in that row.

    3. After decompressing the package, you get two files:

      drxxxcn.key
      drxxxcn.pem
  2. Use a tool such as WinSCP or Xshell to upload the private key file (.key) and the certificate file (.pem) to a specified directory on the Simple Application Server, such as /home.

  3. Connect to the Simple Application Server. For more information, see Connect to a Linux server.

  4. Run the following commands to create an https_server_test.js file.

    cd /home
    sudo touch https_server_test.js
  5. Run the following command to edit the https_server_test.js file.

    vim https_server_test.js

    Press the i key to enter insert mode, and then add the following content to the https_server_test.js file:

    // The https package is required to start an HTTPS service.
    // The fs package is required to read files.
    const https = require('https');
    const fs = require('fs');
    // Read the certificate files into the options object.
    // Use the readFileSync() method to sequentially read the files and start the service.
    const options = {
        key: fs.readFileSync('/home/cert-file-name.key'),
        cert: fs.readFileSync('/home/cert-file-name.pem')
    };
    // Create and start the server, and set the listening port number.
    https.createServer(options, (req, res) => {
        res.end('hello world\n');
    }).listen(443);

    Where:

    • /home/cert-file-name.key: The absolute path to the private key file you uploaded.

    • /home/cert-file-name.pem: The absolute path to the SSL certificate file you uploaded.

    Important

    Incorrect certificate file paths will cause the configuration to fail and prevent HTTPS access.

  6. After adding the content, press the Esc key to exit insert mode. Then, enter :wq and press the Enter key to save the file and exit.

  7. Run the following command to start the HTTPS server.

    sudo node https_server_test.js
  8. Open a browser and visit https://<your_domain_name>.

    • A lock icon in the browser's address bar indicates a successful configuration. The page returns the expected content, such as hello world.

    • If your website is not accessible over HTTPS, verify that port 443 is enabled on your Simple Application Server and is not blocked by other tools. To open port 443, see Manage firewalls.