All Products
Search
Document Center

Certificate Management Service:Deploy SSL certificates to ECS and Simple Application Server

Last Updated:May 27, 2026

Certificate Management Service automates SSL certificate deployment. Deploy certificates to ECS trusted instances with one click, or update certificates on ECS and Simple Application Server instances where a certificate is already configured.

Deployment methods

Choose a deployment method based on your server type and scenario.

Feature

One-click deployment (for initial deployment)

Manual deployment (for certificate updates)

Core mechanism

Fully automated. The private key remains within the instance and communicates with the hardware trusted module through the PKCS#11 interface for high security.

Semi-automated. A new certificate file is uploaded to a specified server path, overwriting the old one.

Supported servers

Supports only specific ECS trusted instances (7th/8th generation x86 architecture). Simple Application Server is not supported.

Supports all ECS instances and Simple Application Server instances.

Supported operating systems

Alibaba Cloud Linux 3.x and Ubuntu 22.04 UEFI images.

All major Linux and Windows Server distributions.

Supported web servers

Only supports specific versions of Nginx installed from yum or apt sources.

Supports all web servers, including Nginx, Apache, and Tomcat.

SSL certificate requirements

Single-domain SSL certificates that use the RSA algorithm.

All types of SSL certificates.

Use cases

Initial deployment of a certificate on an eligible ECS trusted instance to enable fully automated renewals.

Update an existing certificate deployed on an ECS or Simple Application Server instance.

Note

If neither method meets your requirements, Choose an SSL certificate deployment method covers additional options.

One-click deployment (for ECS trusted instances)

Integrates with ECS trusted instance security modules for fully automated, high-security certificate and private key deployment. Multi-year certificates are renewed automatically.

Prerequisites

  • Instance type and specification: 7th and 8th generation x86-based ECS trusted instances (Create a trusted instance). Simple Application Server is not supported.

  • Operating system: Alibaba Cloud Linux 3.x or Ubuntu 22.04 UEFI images.

  • Web server: Specific versions of Nginx installed from a yum or apt repository.

    • For Alibaba Cloud Linux 3.x images: Nginx installed by using yum, versions 1.18.0-2.1.al8 to 1.20.1-1.0.5.al8 (exclusive).

    • For Ubuntu 22.04 UEFI images: Nginx installed by using apt.

  • Certificate type and status: A single-domain SSL certificate that uses the RSA algorithm and is in the Issued state.

  • Server Permissions: Use the root account or an account with sudo permissions.

  • DNS Resolution: The domain name resolves to the server's public IP address.

Step 1: Verify the Cloud Assistant status

Cloud Assistant must be installed and running on the target ECS instance.

  1. Go to ECS console - Cloud Assistant.

  2. Select the resource group and region of your target instance.

  3. On the Instance tab, locate the target ECS server and check the status in the Cloud Assistant Status column.

    Note

    If Cloud Assistant is not installed or abnormal, troubleshoot using View Cloud Assistant status and troubleshoot exceptions.

Step 2: Configure the Nginx web server

For initial deployment, modify the Nginx configuration to access the private key from the trusted module via PKCS#11. Subsequent updates skip this step.

Alibaba Cloud Linux 3.x

Note

This section uses Nginx 1.20.1 as an example. The default installation directory for Nginx installed using yum is /etc/nginx/. If you have modified this directory, adjust the paths accordingly.

  1. Confirm your Nginx version.

    Supported versions: 1.18.0-2.1.al8 to 1.20.1-1.0.5.al8 (exclusive).

    Important

    If Nginx is already installed, verify the version is supported. Downgrade or reinstall if needed.

  2. Open the /etc/nginx/nginx.conf file and add ssl_engine pkcs11; after pid /run/nginx.pid; to specify the PKCS#11 crypto engine. The following example shows the location and full configuration:

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    
    # Specify the PKCS#11 crypto engine
    ssl_engine pkcs11;
  3. Open the /etc/nginx/nginx.conf file, uncomment the Settings for a TLS enabled server section, and add include "/etc/acm/ssl/nginx-acm.conf"; to reference the SSL key configuration.

    • Content to add:

      include "/etc/acm/ssl/nginx-acm.conf";
    • The following example shows the location and full configuration:

      server {
              listen       443 ssl http2;
              listen       [::]:443 ssl http2;
             
              # Specify the hostname or Common Name (CN)
              server_name  example.com;
              root         /usr/share/nginx/html;
      
              ssl_session_cache shared:SSL:1m;
              ssl_session_timeout  10m;
              ssl_prefer_server_ciphers on;
             
              # Reference the SSL key configuration
              include "/etc/acm/ssl/nginx-acm.conf";
             
              # Load configuration files for the default server block.
              include /etc/nginx/default.d/*.conf;
      
              error_page 404 /404.html;
                  location = /40x.html {
              }
      
              error_page 500 502 503 504 /50x.html;
                  location = /50x.html {
              }
          }
  4. Open the /usr/lib/systemd/system/nginx.service file and add P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock and OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf to configure communication with the SSL key service.

    1. Content to add:

      Environment="P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock"
      Environment="OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf"
    2. The following example shows the location and full configuration:

      [Unit]
      Description=A high performance web server and a reverse proxy server
      Documentation=man:nginx(8)
      After=network.target nss-lookup.target
      
      [Service]
      Type=forking
      PIDFile=/run/nginx.pid
      ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
      ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
      ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
      ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
      TimeoutStopSec=5
      KillMode=mixed
      
      # Configure communication with the SSL key service
      Environment="P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock"
      Environment="OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf"
      
      [Install]
      WantedBy=multi-user.target
      Note

      If you do not know the path to the Nginx systemd service file, run sudo find / -name "nginx.service" to locate it.

  5. Run the following command to reload the Nginx systemd service configuration:

    systemctl daemon-reload

Ubuntu 22.04

Note

This section uses Nginx 1.18.0 as an example. The default installation directory for Nginx installed by using apt is /etc/nginx/. If you have modified this directory or installed Nginx by using a different method, adjust the paths accordingly.

  1. Open the /etc/nginx/nginx.conf file and add ssl_engine pkcs11; after pid /run/nginx.pid; to specify the SSL/TLS crypto engine. The following example shows the location and full configuration:

    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;
    
    # Specify the PKCS#11 crypto engine
    ssl_engine pkcs11;
    
    include /etc/nginx/modules-enabled/*.conf;
  2. Open the /etc/nginx/sites-enabled/default file, create a new server block in the file, and add include "/etc/acm/ssl/nginx-acm.conf"; within it.

    1. Content to add:

      include "/etc/acm/ssl/nginx-acm.conf";
    2. The following example shows the location and full configuration:

      server {
          listen 443 ssl;
          
          # Specify the hostname or Common Name (CN)
          server_name example.com;
          root /var/www/html;
          index index.html index.htm;
          access_log /var/log/nginx/access_6equj5.log;
          error_log /var/log/nginx/error_6equj5.log;
          ssl on;
          
          # Reference the SSL key configuration
          include "/etc/acm/ssl/nginx-acm.conf";
      
          location / {
            try_files $uri $uri/ =404;
          }
      }
  3. Open the /usr/lib/systemd/system/nginx.service file and add P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock and OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf to configure communication with the SSL key service.

    Note

    If you do not know the path to the Nginx systemd service file, run sudo find / -name "nginx.service" to locate it.

    1. Content to add:

      Environment="P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock"
      Environment="OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf"
    2. The following example shows the location and full configuration:

      [Unit]
      Description=A high performance web server and a reverse proxy server
      Documentation=man:nginx(8)
      After=network.target nss-lookup.target
      
      [Service]
      Type=forking
      PIDFile=/run/nginx.pid
      ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
      ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
      ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
      ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
      TimeoutStopSec=5
      KillMode=mixed
      
      # Configure communication with the SSL key service
      Environment="P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock"
      Environment="OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf"
      
      [Install]
      WantedBy=multi-user.target
  4. Run the following command to reload the Nginx systemd service configuration:

    systemctl daemon-reload

Step 3: Deploy the certificate from the console

  1. Log in to the Certificate Management Service console.

  2. In the left navigation bar, select Deployment and Resource Management > Deployment to Cloud Servers.

  3. On the Deployment to Cloud Servers page, click Create Task, and follow the steps below to deploy the SSL certificate.

    1. On the Configure Basic Information page, enter a Task Name and click Next.

    2. On the Select Certificate page, select a Certificate Type and an Associated Certificates, then click Next.

      Each task deploys one certificate. Create multiple tasks for multiple certificates.

    3. On the Select Resource page, set All Types to Quick Deployment, select the target ECS instance, and click Next.

      • The system lists all eligible ECS instances under your account. If no resources appear, in the Total Resources area in the upper-left corner, click Synchronize Cloud Resources. Sync time depends on resource count.

      • To filter for supported instances, from the All Types drop-down list, select Quick Deployment to quickly filter for supported instances.

    4. On the Quick Deployment tab, verify that the certificate deployment environment requirements are met, select the Confirm that the preceding operations are complete. checkbox, and click Continue to Deploy.

      • In the prompt dialog box, click OK.

        Warning

        Restarting the web server interrupts service. Deploy during off-peak hours.

        image

        To restart Nginx manually, you can use the following command:

        systemctl restart nginx.service
      • After restarting Nginx, you can use the curl command to test the Nginx SSL connection. The command format is curl -v https://<your_domain_name>.

Step 4: Check the deployment task status

On the Deployment to Cloud Servers page, find the task that you created. If the Task Status is Deployed Successfully, this means that the certificate has been successfully uploaded to the cloud server.

image

Step 5: Verify the SSL certificate

A successful deployment task does not guarantee the certificate is active. Verify by accessing your domain.

  1. Access your domain name over HTTPS. Example: https://example.com. Replace example.com with your actual domain name.

  2. If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If an access error occurs or the lock icon does not appear, clear your browser's cache or try again in incognito or private mode.

    image

    Starting with Chrome 117, the image icon in the address bar has been replaced by a new image icon. Click this icon to view the security lock information.

Manual deployment (for certificate updates)

Updates an existing certificate on ECS or Simple Application Server by overwriting old certificate files. Not for initial deployments.

Prerequisites

  • Cloud server type: Alibaba Cloud servers only (Simple Application Server and ECS).

  • Web server: Supports web servers, such as Nginx and Apache, that directly use PEM or CRT certificate files. IIS is not supported.

  • Server Permissions: Use the root account or an account with sudo permissions.

Step 1: Deploy the SSL certificate

  1. Log in to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Deployment and Resource Management > Deployment to Cloud Servers.

  3. On the Deployment to Cloud Servers page, click Create Task.

    1. On the Configure Basic Information page, enter a Task Name and click Next.

    2. On the Select Certificate page, select a Certificate Type, select the Associated Certificates, and then click Next.

      Note

      Certificates issued by the Private CA service are synced to the Uploaded Certificates tab.

    3. On the Select Resource page, select a Resources by Cloud Service, check the target instance, and click Next. The system automatically lists all eligible cloud server instances under your account (servers with a web application deployed).

      Note

      If no resources appear, click Synchronize Cloud Resources in the upper-left Total Resources area to sync manually.

    4. On the Deployment Configuration wizard, configure the parameters as described in the following table and click OK.

      Important

      The Certificate Path and Private Key Path must match the paths configured in your web application. Otherwise, the certificate will not take effect.

      The following figure shows an example of Nginx certificate file paths on a cloud server for reference:

      image

      Parameter

      Description

      Example

      Certificate Path

      The absolute path to the certificate file on the server.

      • Linux example: /ssl/cert.pem

      • Windows example: c:\ssl\cert.pem

      Private Key Path

      The absolute path to the private key file on the server.

      • Linux example: /ssl/cert.key

      • Windows example: c:\ssl\cert.key

      Certificate Chain Path

      The absolute path to the certificate chain file on the server.

      Note

      If your web application is already configured with a certificate chain file, enter the corresponding path here.

      • Linux example: /ssl/cert.cer

      • Windows example: c:\ssl\cert.cer

      Reload Command

      Executed after deployment to apply the new certificate.

      Important

      If restart fails, log in to the server and restart manually.

      • Nginx graceful reload: sudo nginx -s reload.

      • Apache restart: sudo systemctl restart httpd.

    5. In the dialog box, click OK.

      • If no restart command is configured, click OK in the prompt, then manually restart the web service on the server.

        image

      • If a restart command is configured, confirm the risks and click OK. After deployment completes, the configured restart command executes to apply the new certificate.

        image

Step 2: Check the deployment task status

On the Deployment to Cloud Servers page, find the task you created. If the Task Status is Deployed, the certificate has been successfully updated on the cloud server.

Step 3: Verify the SSL certificate

  1. Access your domain name over HTTPS. Example: https://example.com. Replace example.com with your actual domain name.

  2. If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If an access error occurs or the lock icon does not appear, clear your browser's cache or try again in incognito or private mode.

    image

    Starting with Chrome 117, the image icon in the address bar has been replaced by a new image icon. Click this icon to view the security lock information.

Note

If you still encounter issues, FAQ provides troubleshooting steps.

Quotas and limitations

  • Deployment fees:

    • Deploying officially issued certificates is free and does not consume your deployment quota.

    • Deploying Self-uploaded certificates consumes your deployment quota. Please Purchase Deployment Package as needed. For specific fees, refer to the purchase page. If a deployment fails, the corresponding deployment quota will be refunded.

  • Quota limits:

    Each task deploys one certificate to one instance. Create multiple tasks for multiple instances.

Going live

  • Service interruption risk: Both methods may restart your web server (Nginx, Apache), causing brief service interruption. Deploy during off-peak hours.

  • Graceful reload: If your web server supports graceful reload (e.g., Nginx), use nginx -s reload or systemctl reload nginx in the Restart command field instead of restart to minimize connection disruption.

  • Monitoring and alerts: Enable domain name monitoring to receive certificate expiry reminders and avoid service interruptions. Purchase and enable public domain name monitoring.

FAQ

Certificate not active after deployment

Common reasons include:

  • Port 443 is not open in the server's security group or firewall.

  • The domain you are accessing is not included in the certificate's Bound Domains.

  • The deployment task's Task Status is abnormal. Go to the task details page and click View Failure Cause. Update the relevant configurations based on the provided information and try again.

"Cloud Assistant not install or run" error

image

Cause: Cloud Assistant is not installed on the ECS instance or is not running as expected.