To configure an HTTPS listener for a Classic Load Balancer (CLB) instance, you must first create a certificate.
Certificate types
CLB supports two authentication modes:
One-way authentication: Requires only a server certificate on CLB. The client authenticates the server.
Mutual authentication: Requires both a server certificate and a CA certificate on CLB. The server and client authenticate each other.
CLB supports certificates from two sources:
Alibaba Cloud Certificate Management Service: You can directly select a certificate you have purchased from or uploaded to the Certificate Management Service. This method centralizes certificate management and provides benefits such as expiration reminders and one-click renewals. However, this method does not currently support client CA certificates.
Third-party certificates: You can upload a certificate issued by another provider or a self-signed certificate. This method requires you to manually upload the public key and private key files. It supports both server certificates and CA certificates.
After you upload a certificate to CLB, CLB manages it. You do not need to deploy the certificate on your backend servers.
Create a certificate
Alibaba Cloud-issued certificates
Ensure you have purchased or uploaded the required certificate in the Certificate Management Service console.
Log on to the CLB console.
In the left-side navigation pane, choose .
On the Certificates page, click Add Certificate.
In the Add Certificate panel, select Alibaba Cloud Certificates. From the list, select the desired SSL certificate and specify its Region.
Once created, a certificate can be used only in the regions selected for Region. Select all the regions where you want to use the certificate.
Click Create. You can then view the created certificate on the Certificates page.
Third-party certificates
Before you begin:
Prepare the server certificate's public and private key files in PEM format.
(For mutual authentication only) Prepare the CA certificate's public key file in PEM format.
Log on to the CLB console.
In the left-side navigation pane, choose .
On the Certificates page, click Add Certificate.
In the Add Certificate panel, select Third-party Certificates, complete the following configurations, then click Create.
Parameter
Description
Certificate Type
Select the type of certificate to upload:
Server Certificate: Use for one-way HTTPS authentication. You need to provide the certificate's public key and private key.
CA Certificate: Use for mutual HTTPS authentication. You need to provide the CA certificate's public key. This method also requires a separate Server Certificate.
Public Key Certificate
Paste the content of your server or CA certificate. The certificate contains information like its public key and signature.
CLB uses certificates in Nginx format. Certificates obtained from a provider in Nginx format typically have a .pem file extension, but may also have a .crt or other extension.
Click View Sample to see the correct certificate format.
For more information, see Certificate requirements.
Private Key
Paste the private key for your Server Certificate. The private key file obtained from a provider in Nginx format typically has a .key file extension.
Click View Sample to see the correct private key format. For more information, see Private key format requirements.
Important: This field is required only for Server Certificates.
Region
Select all the regions where you want to use the certificate. Once created, a certificate cannot be used for any other regions that are not specified.
More information
Usage limits
You can create up to 100 Server Certificates and 100 CA Certificates in each region.
CLB supports the following public key algorithms: RSA 1024, RSA 2048, and RSA 4096.
The uploaded certificate must be in PEM format. PEM certificate files that contain a BEGIN DH PARAMETERS block are not supported, because HTTPS listeners use ECDHE cipher suites for perfect forward secrecy, and ECDHE does not use the Diffie-Hellman parameters that DHE cipher suites require.
Certificates cannot be shared between different Alibaba Cloud accounts. To use a certificate in a different account, first download the certificate in Nginx format from the source account, then import it into the target account.
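As an added pre-upload check (example code, not Alibaba Cloud's tooling) that applies the limits above to the two Add Certificate fields: it parses the PEM blocks, rejects a BEGIN DH PARAMETERS block, requires a private key for a Server Certificate, and reads the modulus size of a PKCS#1 RSA key to confirm it is one of the RSA sizes CLB supports. The sample certificate and key are constructed placeholders, and all function names are our own.

```python
import base64, re

ALLOWED_RSA_BITS = {1024, 2048, 4096}   # the only public key algorithms CLB accepts
PEM_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block; a malformed base64 body raises binascii.Error."""
    return [(m.group("label"), base64.b64decode("".join(m.group("body").split()), validate=True))
            for m in PEM_BLOCK.finditer(text)]

def der_tlv(buf, pos):
    """Minimal DER reader: (tag, value_bytes, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pkcs1_der):
    """Modulus size of an 'RSA PRIVATE KEY' body: SEQUENCE { version INTEGER, modulus INTEGER, ... }."""
    _, seq, _ = der_tlv(pkcs1_der, 0)                  # outer SEQUENCE
    _, _, pos = der_tlv(seq, 0)                        # skip the version INTEGER
    return int.from_bytes(der_tlv(seq, pos)[1], "big").bit_length()

def check_upload(cert_type, public_key_pem, private_key_pem=""):
    """Problems with an Add Certificate form (cert_type 'server' or 'ca'); an empty list means it passes."""
    problems, labels = [], {label for label, _ in pem_blocks(public_key_pem)}
    if "CERTIFICATE" not in labels:
        problems.append("Public Key Certificate field has no CERTIFICATE block")
    if "DH PARAMETERS" in labels:                       # listeners use ECDHE; DHE parameters are rejected
        problems.append("BEGIN DH PARAMETERS block present; CLB does not accept it")
    if cert_type == "server":                           # only Server Certificates need the Private Key field
        keys = [(l, d) for l, d in pem_blocks(private_key_pem) if l.endswith("PRIVATE KEY")]
        if not keys:
            problems.append("Server Certificate requires a private key in the Private Key field")
        for label, der in keys:                         # PKCS#8 'PRIVATE KEY' bodies are not size-checked here
            if label == "RSA PRIVATE KEY" and rsa_modulus_bits(der) not in ALLOWED_RSA_BITS:
                problems.append(f"RSA modulus is {rsa_modulus_bits(der)} bits; CLB supports 1024/2048/4096")
    return problems
def _der(tag, content):                                 # DER TLV encoder, used only to build the sample key
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb) + content
def sample_rsa_key_pem(bits):
    """Constructed PKCS#1-shaped RSA PRIVATE KEY with a dummy `bits`-bit modulus (not a usable key)."""
    mod = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")   # leading 0x00 keeps the INTEGER positive
    body = _der(0x30, _der(0x02, b"\x00") + _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{base64.encodebytes(body).decode()}-----END RSA PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"placeholder").decode() + "\n-----END CERTIFICATE-----\n"  # constructed, not real X.509 data
SAMPLE_WITH_DH = SAMPLE_CERT + "-----BEGIN DH PARAMETERS-----\nMAA=\n-----END DH PARAMETERS-----\n"
```

Run check_upload on the two fields before pasting them into the console; the RSA size check covers PKCS#1 keys only, so a PKCS#8 key passes the structural checks without a size verdict.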