
Server Load Balancer: FAQ about CLB certificates

Last Updated: Apr 01, 2026

Common errors and fixes for certificate uploads in Classic Load Balancer (CLB).

Before you begin: certificate requirements

Before uploading a certificate, confirm that it meets these requirements:

  • Encoded in RFC 4648 Base64 (PEM format)

  • Certificate file starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----

  • Private key is an RSA key in PKCS#1 format, starting with -----BEGIN RSA PRIVATE KEY-----

  • Private key is not encrypted

  • Certificate chain is complete: server certificate followed by intermediate certificate(s)

  • CLB instance and certificate are created with the same Alibaba Cloud account type

"Invalid parameter" when uploading a third-party certificate

Cause: The certificate content or encoding format is invalid.

Fix: Verify the certificate with OpenSSL:

openssl x509 -noout -text -in certificate.pem

If the command returns an error, the certificate is corrupted or incomplete. CLB requires certificates encoded in RFC 4648 Base64. If your certificate uses a different encoding, convert it before uploading.

"The specified Server Certificate format is invalid" when uploading a third-party certificate

Cause: The private key content is invalid.

Fix: Verify the private key with OpenSSL:

openssl rsa -in private.key -check -noout

If the output includes RSA key ok, the key is valid. The -noout option stops OpenSSL from also writing the private key to the terminal. Otherwise, get a valid private key that matches your certificate from your Certificate Authority (CA).

"No certificate chain is found in the certificate content"

Cause: The certificate file is missing the intermediate CA certificate(s).

Fix: Contact your CA to get the complete certificate chain, then concatenate the files in this order:

  1. Server certificate (your certificate)

  2. Intermediate certificate(s)

  3. Root certificate (optional, usually omitted)

"The format of the private key content is invalid"

Cause: CLB requires RSA private keys in PKCS#1 format. Keys in PKCS#8 format or encrypted keys are not accepted.

Fix: Convert to PKCS#1 format:

openssl rsa -in pkcs8_key.pem -out pkcs1_key.pem -traditional

The -traditional flag is required for OpenSSL 3.x, which outputs PKCS#8 by default.

The converted key must match this format:

Example: PKCS#1 private key

-----BEGIN RSA PRIVATE KEY-----
Base64-encoded private key
-----END RSA PRIVATE KEY-----

"The format of the certificate content is invalid"

Cause: The certificate does not match the expected PEM format.

Fix: Confirm the certificate matches this format:

Example: PEM-encoded certificate

-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----

Check for these common issues:

  • Extra whitespace or line breaks

  • Missing header or footer lines

  • Partial content from an incomplete copy-paste

If the format looks correct, contact your CA to verify the certificate content.
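
The header-level requirements from this page (unencrypted PKCS#1 key, matching certificate markers, server certificate plus intermediate(s), no stray whitespace) can be checked before upload. The following is an added example, not part of the original page or any Alibaba Cloud tool; the function names are assumptions, and it reads only PEM marker lines, so it complements the openssl checks rather than replacing them.

```sh
#!/bin/sh
# Added example (not Alibaba Cloud code): header-level checks to run before
# uploading a certificate/key pair to CLB. Function names are illustrative.

# Print the key container type, judged from its PEM header lines.
classify_key() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    elif grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        # Traditional-format keys flag encryption with a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo pkcs1-encrypted
        else
            echo pkcs1
        fi
    else
        echo unknown
    fi
}

# Count BEGIN or END CERTIFICATE lines ($1 = BEGIN|END, $2 = file).
count_cert_lines() {
    n=$(grep -c -e "-----$1 CERTIFICATE-----" "$2" 2>/dev/null) || true
    echo "${n:-0}"
}

# Print one finding per failed requirement; return 0 only if all pass.
preflight() {
    cert=$1; key=$2; rc=0
    begins=$(count_cert_lines BEGIN "$cert")
    ends=$(count_cert_lines END "$cert")
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "cert: missing or unbalanced BEGIN/END CERTIFICATE lines"; rc=1
    elif [ "$begins" -lt 2 ]; then
        echo "cert: single certificate, intermediate certificate(s) missing"; rc=1
    fi
    if grep -q '[[:space:]]$' "$cert" "$key" 2>/dev/null; then
        echo "pem: trailing whitespace or CR line endings present"; rc=1
    fi
    kind=$(classify_key "$key")
    case $kind in
        pkcs1) ;;
        pkcs8) echo "key: PKCS#8 header, convert with openssl rsa -traditional"; rc=1 ;;
        *encrypted) echo "key: $kind, CLB does not accept encrypted keys"; rc=1 ;;
        *) echo "key: no recognised private key header"; rc=1 ;;
    esac
    return $rc
}
```

Run it as `preflight chain.pem private.key`; an exit status of 0 means every header-level check passed.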

"The certificate does not exist" when selecting a certificate for an HTTPS listener

Cause: The CLB instance and the certificate were created with different account types. For example, the CLB instance was created with an Alibaba Cloud account, but the certificate was uploaded using an Alibaba Finance Cloud account.

Fix: Use the same account to create both the CLB instance and the certificate.

500 error when calling UploadServerCertificate

Error message: "The request processing has failed due to some unknown error, exception or failure"

Cause: The AliCloudCertificateRegionId parameter is set to the wrong value. This parameter specifies the region where the SSL certificate was issued—not the region of your CLB instance.

Fix: Set AliCloudCertificateRegionId based on where the certificate was issued:

| Certificate issued in | AliCloudCertificateRegionId |
| --- | --- |
| Chinese mainland | cn-hangzhou |
| Outside Chinese mainland | ap-southeast-1 |