Certificate Management Service: Download an SSL certificate

Last Updated: Mar 31, 2026

Certificate Management Service packages SSL certificates in server-ready formats for NGINX, Apache HTTPD, Apache Tomcat, Spring Boot, and Internet Information Services (IIS). Download the package for your server type and install it directly—no format conversion needed.

Prerequisites

Before you begin, ensure that you have:

Important

Third-party certificates uploaded to Certificate Management Service cannot be downloaded for data security reasons. If you don't know your server type, query the server type before proceeding.

Download a certificate

Important

If you generated the certificate signing request (CSR) using an external tool such as OpenSSL or keytool, the downloaded package does not include a private key file. The private key is managed on your on-premises machine.

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.

  3. On the Official Certificate tab, select your certificate and click Download below the certificate list.

    Note

    The Download button appears only when the certificate status is Issued, Pending Expiration, or Expired.

  4. In the dialog box, select your server type and download the certificate package. Then decompress the package.

    If your server's format is not in the list, download the PEM certificate and convert it to the required format. For details, see Convert the format of a certificate.

Certificate formats by server type

Internationally accepted algorithm certificates

| Server type | Certificate format | Files in the package |
| --- | --- | --- |
| NGINX | PEM — Base64-encoded format, readable as plain text. In most cases, PEM certificates are used by applications or servers such as NGINX servers. | <domain-name>.pem (certificate), <domain-name>.key (private key) |
| Tomcat | PFX (PKCS#12) — Binary format containing both the public key and private key. Used by Tomcat, IIS, and Exchange servers. | <domain-name>.pfx (certificate), pfx-password.txt (password file) |
| Apache | CRT — Binary format containing the certificate and metadata (issuer, validity period, and subject). Does not include a private key. Used by Apache servers. | <domain-name>_public.crt (certificate), <domain-name>_chain.crt (certificate chain), <domain-name>.key (private key) |
| IIS | PFX (PKCS#12) — Binary format containing both the public key and private key. Used by Tomcat, IIS, and Exchange servers. | <domain-name>.pfx (certificate), pfx-password.txt (password file) |
| JKS | JKS — Java keystore format for Java-based applications and services such as Tomcat and Jetty. | <domain-name>.jks (certificate), jks-password.txt (password file) |
| Other | PEM — Base64-encoded format. Select this option if your format is not listed. | <domain-name>.pem (certificate), <domain-name>.key (private key) |

Note

For Tomcat and IIS packages: if you did not set CSR Generation to Automatic when applying for the certificate, the package does not include the TXT password file.
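
The following Python check is an added example, not code from Certificate Management Service. It compares a decompressed package against the file names in the table above, reports the two absences this page describes as normal, and flags secret files that other local users can read. Assumptions: POSIX file permissions, the hypothetical names EXPECTED, OPTIONAL, count_certificates and check_package, and that an included intermediate certificate is concatenated into the .pem file.

```python
import base64
import re
import stat
from pathlib import Path

# Files each package should contain, per the table on this page ("{d}" = domain name).
EXPECTED = {
    "nginx": ["{d}.pem", "{d}.key"],
    "apache": ["{d}_public.crt", "{d}_chain.crt", "{d}.key"],
    "tomcat": ["{d}.pfx", "pfx-password.txt"],
    "iis": ["{d}.pfx", "pfx-password.txt"],
    "jks": ["{d}.jks", "jks-password.txt"],
    "other": ["{d}.pem", "{d}.key"],
}
# Absences the page describes as normal, with the reason it gives.
OPTIONAL = {
    ".key": "expected when the CSR was generated with an external tool",
    "pfx-password.txt": "expected when CSR Generation was not set to Automatic",
}
SECRET_SUFFIXES = (".key", ".pfx", ".jks", "-password.txt")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def count_certificates(pem_text):
    """Count CERTIFICATE blocks; raises ValueError if a block's Base64 is corrupt."""
    count = 0
    for label, body in PEM_BLOCK.findall(pem_text):
        base64.b64decode("".join(body.split()), validate=True)
        if label == "CERTIFICATE":
            count += 1
    return count


def check_package(directory, domain, server_type):
    """Return (level, message) findings for an extracted package directory."""
    root, findings = Path(directory), []
    for template in EXPECTED[server_type]:
        name = template.format(d=domain)
        path = root / name
        if not path.is_file():
            reason = next((r for k, r in OPTIONAL.items() if name.endswith(k)), None)
            findings.append(("info", f"{name} absent: {reason}") if reason
                            else ("error", f"{name} missing from package"))
        elif name.endswith(SECRET_SUFFIXES) and stat.S_IMODE(path.stat().st_mode) & 0o077:
            findings.append(("warn", f"{name} readable by group/other; chmod 600"))
        elif name.endswith(".pem") and count_certificates(path.read_text()) < 2:
            # Assumption: an included intermediate is concatenated into the .pem.
            findings.append(("warn", f"{name} holds one certificate, no intermediate"))
    return findings
```

An "info" finding corresponds to a case this page describes as normal; resolve "error" and "warn" findings before installing the certificate.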

Root certificates

Select Download Root Certificate to download the root certificate in CRT or CER format. Root certificates must be installed on clients such as apps and IoT devices that do not have root certificates preconfigured. To find the root certificate for your certificate brand, see Obtain a root certificate.

SM2 certificates

SM2 certificates use PEM format for all server types. Each package contains four files—a signing certificate and private key pair, and an encryption certificate and private key pair:

  • <domain-name>___sm2_sign.pem and <domain-name>___sm2_sign.key — signing certificate and private key

  • <domain-name>___sm2_enc.pem and <domain-name>___sm2_enc.key — encryption certificate and private key

Intermediate certificate troubleshooting

Most certificate packages include an intermediate certificate. If the intermediate certificate is untrusted during installation, contact your account manager.

What's next

After downloading the certificate, install it on your web application server to enable HTTPS-encrypted communication.
