
Certificate Management Service:Purchase and enable a private CA

Last Updated:Dec 05, 2025

A private certificate authority (CA) is typically used for internal enterprise applications, such as office automation (OA) and human resources (HR) systems, that require data encryption but are not subject to regulatory or industry compliance requirements. Certificates from a private CA are not publicly trusted: only clients whose trust store contains the private root (or an intermediate CA you choose to trust) accept them, so plan how that root is distributed to your internal clients. This topic describes how to purchase and enable the Private Certificate Authority (PCA) service.

Select a private CA type

Before you begin, select a private CA type based on your requirements. The PCA service provides two types of CAs: Enterprise private CA and Alibaba Cloud shared CA. They differ in customization capabilities, enablement methods, architectural flexibility, and cost.

CA customization
  • Enterprise private CA: Supported. You can fully customize the issuer identity, organization, and other information for the root CA and all levels of intermediate CAs.
  • Alibaba Cloud shared CA: Not supported. You share a root CA that is created and managed by Alibaba Cloud with other users. A client that trusts the shared root therefore also trusts certificates that root issues for other users, so scope client trust stores accordingly.

Enablement method
  • Enterprise private CA: Manual enablement. After you purchase the service, you must manually configure and enable the root and intermediate CAs.
  • Alibaba Cloud shared CA: Automatic enablement. The root and intermediate CAs are enabled by default after you purchase the service and can be used immediately.

Organizational structure support
  • Enterprise private CA: Supported. You can create multi-level intermediate CAs to match complex departmental or organizational hierarchies.
  • Alibaba Cloud shared CA: Not supported. You cannot create a multi-level CA architecture. The structure is flat.

Cost
  • Enterprise private CA: Higher cost. Suitable for large enterprises that require strong control over CAs and brand customization.
  • Alibaba Cloud shared CA: Lower cost. Suitable for scenarios that require fast, low-cost encryption for internal applications.

Enterprise private CA

With an enterprise private CA, you can create the root CA and intermediate CAs. This lets you customize information such as the issuer identity and organization. You can also create multi-level intermediate CAs to meet the requirements of a multi-level organizational structure.

Step 1: Purchase a private root CA

When you create a private CA for the first time, you must purchase a private root CA. After you complete the purchase, you receive one root CA and one intermediate CA. By default, the root CA includes resources to issue 10 private certificates.

  1. Log on to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > PCA Certificate Management. On the PCA Certificate Management page, select the region where the PCA service is located.

  3. On the Private CAs tab, click Purchase Private Root CA.

  4. On the Purchase page, select a certificate algorithm and a subscription duration, click Buy Now, and complete the payment.

    • Certificate Algorithm: The public-key algorithm family for the CA key pair and for the certificates the CA issues. Options: RSA, SM (the Chinese SM2 algorithm), or ECC. The choice applies to the root CA and to every intermediate CA under it and cannot be changed later.

    • Subscription Duration: The subscription period for the Private Certificate Authority (PCA) service. You can issue certificates during this period.

      Important
      • After the service expires, you can no longer issue certificates, even if you have a remaining certificate issuance quota.

      • The validity period of a certificate that is issued by a certificate authority (CA) cannot exceed the subscription duration of the PCA service. For example, if you subscribe to the PCA service for one month, a certificate issued by the CA cannot be valid for more than 30 days.

Step 2: Enable the private root CA and intermediate CA

After you purchase a private root CA, you must enable the root CA and then the intermediate CA. You can enable an intermediate CA only after the root CA is enabled.

Enable the root CA

  1. On the Private CAs tab, find the target root CA. In the Actions column, click Enable.

  2. In the CA Information panel, configure the root CA information, and click Confirm and Enable.

    Certificate Management Service supports multiple methods to enable a root CA. Select a method based on your requirements and complete the configuration.

    Create CA Certificate

    Parameter

    Description

    Enable Mode

    Select Create CA Certificate.

    Common Name (CN)

    The common name or abbreviation of the organization to associate with the CA. Chinese and English are supported.

    Example: Alibaba Cloud.

    Organizational Unit (OU)

    The name of the organizational unit to associate with the CA. Chinese and English are supported.

    Example: IT Department.

    Organization (O)

    The name of the organization to associate with the CA. Chinese and English are supported.

    Example: Alibaba Cloud Computing Co., Ltd.

    City (L)

    The city where the organization is located. Chinese and English are supported.

    Example: Hangzhou.

    Province (S)

    The province where the organization is located. Chinese and English are supported.

    Example: Zhejiang.

    Country/Region (C)

    The country or region where the organization is located. Chinese and English are supported.

    Example: China.

    Private Key Algorithm

    The public-key algorithm and key length of the CA key pair.

    The supported private key algorithms vary based on the certificate algorithm that you selected when you purchased the PCA service. The following list describes the options:

    • If the CA encryption algorithm is RSA, the supported private key algorithms are RSA_1024, RSA_2048, and RSA_4096. RSA_1024 is considered too weak for a CA key; choose RSA_2048 or RSA_4096 for a new CA.

    • If the CA encryption algorithm is Chinese Cryptographic Algorithm (SM), the supported private key algorithm is SM2_256.

    • If the CA encryption algorithm is ECC, the supported private key algorithms are ECC_256, ECC_384, and ECC_512.

    Validity Period

    The validity period of the root CA.

    The validity period of the root CA depends on the subscription duration of the root CA service. The following list describes the details:

    • If the subscription duration of the root CA service is less than 1 year, the validity period of the root CA can be from 1 to 20 years.

    • If the subscription duration of the root CA service is 1 year or longer, the validity period of the root CA can be from 1 to 100 years.

    Note

    You can issue certificates only within the subscription duration of the PCA service. After the service expires, you cannot issue certificates, and unused private certificate resources become unavailable.

    Enable CRL Service

    Specifies whether to enable the Certificate Revocation List (CRL) service. If you enable this service, the CA publishes a CRL that lists the certificates it has revoked, and relying parties can check it. Decide this before you issue certificates, because relying parties locate a CRL through the distribution point embedded in a certificate when it is issued, and revocation only takes effect on clients that download and check the CRL. For more information, see CRL service.

    Upload CA Certificate and Private Key

    Configuration item

    Description

    Enable Mode

    Select Upload CA Certificate and Private Key.

    Certificate File

    Enter the PEM-encoded content of the certificate file.

    You can use a text editor to open the certificate file in PEM or CRT format, copy the content, and paste it into the text box. You can also click Upload and Parse File, select the certificate file from your computer, and upload the file content to the text box.

    Certificate Key

    Enter the PEM-encoded content of the private key file.

    You can use a text editor to open the private key file in KEY format, copy the content, and paste it into the text box. You can also click Upload and Parse File, select the private key file from your computer, and upload the file content to the text box. Uploading imports the private key into the service; treat the copy that remains on your computer as a CA key, and either keep it under the same protection as the CA itself or securely delete it.

  3. In the Tip dialog box, confirm the information and click OK.

    After the root CA is enabled, its status changes to Enabled. If the root CA information is incorrect, you can reset the CA to modify the information. For more information, see Reset a private CA.

Enable the intermediate CA

  1. On the Private CAs tab, find the target root CA and click the expand icon next to the root CA name to show its intermediate CAs.

  2. Find the target intermediate CA. In the Actions column, click Enable.

  3. In the CA Information panel, configure the intermediate CA information, and click Confirm and Enable.

    Certificate Management Service supports multiple methods to enable an intermediate CA. Select a method based on your requirements and complete the configuration.

    Create CA Certificate

    Configuration item

    Description

    Enable Mode

    Select Create CA Certificate.

    CA Usage

    Select Intermediate CA or User CA based on the purpose of the intermediate CA.

    • Intermediate CA: Can be used to issue subordinate CAs.

    • User CA: Can only be used to issue end-entity certificates, such as server certificates and client certificates.

    Length Limit

    If you set CA Usage to Intermediate CA, you must configure the path length constraint (the pathLenConstraint field of the X.509 basicConstraints extension). It specifies how many further CA levels may exist below this intermediate CA. A validator rejects any certificate chain that contains more CA certificates under this CA than the limit allows, so the limit is enforced by relying parties at validation time, not by the CA at issuance time.

    Valid values: 1 to 5.

    Important

    If Length Limit is set to 1, the subordinate CA is a user CA: the CA directly below this one can issue only end-entity certificates. Choose the smallest value your hierarchy needs, because a larger limit lets a compromised subordinate CA create further CAs.

    Common Name (CN)

    The common name or abbreviation of the organization to associate with the CA. Chinese and English are supported.

    Example: Alibaba Cloud.

    Organizational Unit (OU)

    The name of the organizational unit to associate with the CA. Chinese and English are supported.

    Example: IT Department.

    Organization (O)

    The name of the organization to associate with the CA. Chinese and English are supported.

    Example: Alibaba Cloud Computing Co., Ltd.

    City (L)

    The city where the organization is located. Chinese and English are supported.

    Example: Hangzhou.

    Province (S)

    The province where the organization is located. Chinese and English are supported.

    Example: Zhejiang.

    Country/Region (C)

    The country or region where the organization is located. Chinese and English are supported.

    Example: China.

    Private Key Algorithm

    The public-key algorithm and key length of the CA key pair.

    The supported private key algorithms vary based on the Encryption Algorithm that you selected when you purchased the PCA service. The following list describes the options:

    • If the CA encryption algorithm is RSA, the supported private key algorithms are RSA_1024, RSA_2048, and RSA_4096.

    • If the CA encryption algorithm is Chinese Cryptographic Algorithm (SM), the supported private key algorithm is SM2_256.

    • If the CA encryption algorithm is ECC, the supported private key algorithms are ECC_256, ECC_384, and ECC_512.

    Validity Period

    The validity period of the intermediate CA.

    The validity period of the intermediate CA depends on the subscription duration of the private intermediate CA. The following list describes the details:

    • If the subscription duration is less than 1 year, the validity period of the intermediate CA can be from 1 to 20 years.

    • If the subscription duration is 1 year or longer, the validity period of the intermediate CA can be from 1 to 100 years.

    Enable CRL Service

    Specifies whether to enable the CRL service for this CA. If you enable it, the CA publishes a CRL that lists the certificates it has revoked, and relying parties can check it. For more information about CRL, see CRL service.

    Extended Key Usage

    Select an extended key usage (EKU). This helps you distinguish between certificates, and in X.509 the extendedKeyUsage extension also declares the purposes (for example, TLS server authentication or client authentication) for which certificates under this CA may be used. Many validators apply an intermediate CA's EKU to the certificates it issues, so select the usages your end-entity certificates will need.

    Upload CA Certificate and Private Key

    Configuration item

    Description

    Enable Mode

    Select Upload CA Certificate and Private Key.

    Certificate File

    Enter the PEM-encoded content of the certificate file.

    You can use a text editor to open the certificate file in PEM or CRT format, copy the content, and paste it into the text box. You can also click Upload and Parse File, select the certificate file from your computer, and upload the file content to the text box.

    Certificate Key

    Enter the PEM-encoded content of the private key file.

    You can use a text editor to open the private key file in KEY format, copy the content, and paste it into the text box. You can also click Upload and Parse File, select the private key file from your computer, and upload the file content to the text box.

  4. In the Tip dialog box, confirm the information and click OK.

    After the intermediate CA is enabled, its status changes to Enabled. If the intermediate CA information is incorrect, you can reset the CA to modify the information. For more information, see Reset a private CA.
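The following script is an added example, not Alibaba Cloud's code or part of the console procedure. It uses the openssl command line (assumed OpenSSL 1.1.1 or later) to build a throw-away private PKI with the same shape as the steps above, a root, an intermediate with a path length constraint, a subordinate user CA and end-entity certificates, and shows two things a practitioner wants to confirm before and after enabling a CA: the checks worth running on a certificate/key pair before using the Upload CA Certificate and Private Key mode (the key matches the certificate, basicConstraints is CA:TRUE, the certificate is not expired), and that the path length constraint behind Length Limit is enforced by the relying party's validator, not by whoever signs. All subjects, file names and the oa.internal.example hostname are constructed for the example. How the console's Length Limit value maps onto the X.509 pathlen value is not stated on this page; the script assumes a limit of 1 corresponds to pathlen:1, one further CA level that may only issue end-entity certificates.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud's code). Builds a throw-away private PKI
# with the openssl CLI (assumed OpenSSL 1.1.1+). All names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the script does not depend on the system openssl.cnf.
# The [dn] fields mirror the CA Information panel (C/ST/L/O/OU/CN).
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = CN
ST = Zhejiang
L = Hangzhou
O = Example Corp
OU = IT Department
CN = Example Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root CA (what "Create CA Certificate" does for you, done locally).
make_root() {
  openssl req -x509 -config pki.cnf -extensions ca_ext \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout root.key -out root.crt -days 3650 -sha256 2>/dev/null
}

# issue NAME ISSUER EXTENSIONS: new key and CSR for NAME, signed by ISSUER's key
# with the given extension lines. openssl signs whatever it is asked to sign;
# constraints on the issuer are checked by verifiers, not by the signer.
issue() {
  name=$1; issuer=$2; exts=$3
  openssl req -new -config pki.cnf -subj "/O=Example Corp/CN=$name" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  printf '%s\n' "$exts" > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# check_ca_pair CERT KEY: pre-upload sanity checks. Returns 0 only if the key
# matches the certificate, the certificate is a CA, and it has not expired.
check_ca_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "$1: private key does not match"; return 1; }
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' \
    || { echo "$1: not a CA certificate (basicConstraints CA:TRUE missing)"; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null \
    || { echo "$1: certificate has expired"; return 1; }
  echo "$1: OK"
}

# chain_ok LEAF BUNDLE: 0 if LEAF validates to root.crt via the untrusted BUNDLE.
chain_ok() {
  openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
}

INT_EXT='basicConstraints=critical,CA:TRUE,pathlen:1
keyUsage=critical,keyCertSign,cRLSign'
SUB_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=DNS:oa.internal.example'

build_demo_pki() {
  make_root
  issue int   root "$INT_EXT"   # intermediate CA: one further CA level allowed
  issue sub   int  "$SUB_EXT"   # the permitted subordinate (a "user CA")
  issue leaf  sub  "$LEAF_EXT"  # end-entity under it: valid chain
  issue sub2  sub  "$SUB_EXT"   # a second CA level: exceeds int's pathlen
  issue leaf2 sub2 "$LEAF_EXT"
  cat int.crt sub.crt          > chain_good.pem
  cat int.crt sub.crt sub2.crt > chain_bad.pem
}

build_demo_pki
check_ca_pair root.crt root.key
if check_ca_pair leaf.crt leaf.key; then echo "unexpected: leaf accepted as CA"; fi
chain_ok leaf.crt chain_good.pem
echo "leaf: chain accepted"
if chain_ok leaf2.crt chain_bad.pem; then
  echo "unexpected: over-long chain accepted"
else
  echo "leaf2: rejected (path length constraint of int exceeded)"
fi
```

The script works in a temporary directory and removes it on exit. The step to notice is the last one: openssl x509 -req signs sub2 under sub without complaint, and only openssl verify rejects the resulting chain. That is why CA Usage and Length Limit have to be right when the intermediate CA is enabled; nothing at issuance time will stop an over-deep hierarchy from being created.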

Step 3: (Optional) Purchase a private intermediate CA

You can create multiple private intermediate CAs under an existing root CA to match your enterprise's organizational structure. For example, you can create separate intermediate CAs for different departments within your enterprise. A newly purchased intermediate CA does not include any certificate resources by default.

  1. On the Private CAs tab, find the target root CA. In the Actions column, click Create Private Intermediate CA.

  2. In the Certificate manager service panel, configure the purchase parameters.

    Important

    The algorithm of the intermediate CA must be the same as the algorithm of the root CA and cannot be changed.

  3. Click Buy Now, confirm the Terms of Service, and then click Pay to complete the payment.

Step 4: Configure private certificates

After you purchase and enable the private CA, you can configure private certificates. For more information, see Manage private certificates.