Get started with official certificates - Certificate Management Service

Official certificates include various types and brands of certificates for different types of websites, such as personal websites, e-commerce websites, and websites of small- and large-sized enterprises. Official certificates also include wildcard, multi-domain, and hybrid certificates to meet different business requirements, such as protecting multiple subdomains or different domain names. This topic describes how to purchase, apply for, issue, and install an official certificate. In this example, an official certificate is deployed to Alibaba Cloud CDN.

Procedure

To install an SSL certificate on your server, perform the following steps:

Purchase an official certificate.
Apply for the certificate. You need to specify information about the certificate and apply for the certificate.
Install the certificate. After the certificate is issued, you can install the certificate on your web server or deploy the certificate to a cloud service.

Prerequisites

If you want to deploy the website on which your certificate is installed to a server located in the Chinese mainland, you must complete an Internet Content Provider (ICP) filing for the domain name bound to the certificate as required by the Ministry of Industry and Information Technology (MIIT). Otherwise, the website cannot be accessed as expected. For more information, see What is an ICP filing?

Step 1: Purchase an official SSL certificate

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.

On the Official Certificate tab, click Buy Now. On the buy page, configure the following parameters and click Buy Now to complete the payment.

Parameter	Description
Certificate Type	Select Single Domain. You can bind a primary domain name, a subdomain, or a public IPv4 address to a certificate. Examples: example.com and 1.1.X.X.
Brand	Select Alibaba Cloud. Alibaba Cloud certificates are more cost-effective than other certificate brands.
Certificate Specifications	The default value is DV SSL. Domain validated (DV) certificates are suitable for personal websites used for app services, information display, enterprise testing, and personal testing.
Quantity	The value is 1 by default and cannot be changed. This parameter specifies the number of SSL certificates.
Service Duration	Select 1 Year. In this case, one certificate whose validity period is one year is provided.

Note

For more information, see Purchase an official certificate.

Step 2: Apply for a certificate

Return to the Official Certificate tab, find the certificate that you want to manage and click Apply for Certificate in the Actions column.

In the Apply for Certificate panel, configure the parameters and click Submit.

Parameter	Description
Domains to Bind	Enter the domain name of your website. Example: `example.com`.
Domain Verification Method	Select a method to verify the ownership of the domain name. In this example, you can select only Manual DNS Verification or File Verification because `example.com` does not belong to the current Alibaba Cloud account. In this example, `example.com` is registered with a third-party platform or belong to another Alibaba Cloud account. After you submit the certificate application, you must complete domain name ownership verification as prompted. Otherwise, the certificate cannot be issued. If Alibaba Cloud DNS is activated within the Alibaba Cloud account of the certificate applicant, Automatic DNS Verification is automatically selected. No manual configuration is required. In this case, Alibaba Cloud automatically verifies the ownership of the domain name.
Contact	Select a contact from the drop-down list. If you have not created contacts, you can click Create Contact to create one. Make sure that the contact information is correct and valid.
Location	Select the city or region where the applicant is located.
Encryption Algorithm	Select RSA. The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility.
CSR Generation	Select Automatic. Alibaba Cloud automatically generates a CSR file based on the key algorithm that you specify for Encryption Algorithm and the certificate information. A CSR file includes your request for a certificate. A CSR file contains your server and company information. You must submit the CSR file to a CA for review.

Note

For more information about the parameters, see Apply for a certificate.

Optional. Complete domain name ownership verification if you select Manual DNS Verification or File Verification for Domain Verification Method. For more information, see Verify the ownership of a domain name.
If you select Automatic DNS Verification for Domain Verification Method, you can wait for the certificate to be issued. DV certificates are issued in 1 to 15 minutes on average.

Step 3: Install the certificate

Install the certificate on a web application server

In this section, an NGINX 1.14.2 server that runs a 64-bit CentOS 8.0 operating system is used as an example to illustrate the installation. Installation operations vary based on the versions of servers and operating systems. If you have questions, contact your account manager. For more information about how to install a certificate on another web application server, such as an Apache, Tomcat, or IIS server, see Manually install an SSL certificate on a web application server.

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
On the Official Certificate tab, find the certificate that you want to manage and click More in the Actions column. On the page that appears, click the Download tab.
Find Nginx in the Server Type column and click Download in the Actions column.

Decompress the downloaded certificate package.

The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.

Value of the CSR Generation parameter	File extracted from the certificate package
Automatic or Select Existing CSR	Certificate file in the PEM format: NGINX servers support PEM files. A certificate file in the PEM format is a Base64-encoded text file that contains a complete certificate chain. The file is named in the `Certificate ID_Domain name bound to the certificate` format after decompression. Private key file in the KEY format: By default, the private key file is named in the Domain name bound to the certificate format.
Manual	If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set the CSR Generation parameter to Automatic. If you specify a CSR that is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

Log on to the NGINX server, open the CLI, and run the following commands to create a directory in the conf directory of the server to store the certificate:

# The directory is used when you manually compile and install NGINX. If you changed the default NGINX installation directory or installed NGINX by using other methods, specify the actual directory.
cd /usr/local/nginx/conf  
# Create a directory named cert.
mkdir cert

Upload the certificate file and private key file to the following directory of the NGINX server: /usr/local/nginx/conf/cert.
Note
You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, XShell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Use Remote Desktop Connection or Windows App to transfer files to a Windows instance or Upload a file to a Linux instance.

Open the nginx.conf configuration file of the NGINX server and modify certificate-related settings in the file.

Run the following command to open the configuration file:
```
sudo vim /usr/local/nginx/conf/nginx.conf
```
Note
If you do not know the path to the nginx.conf configuration file, run the nginx -t command to obtain the path to the configuration file.
Find the server configuration item in the nginx.conf configuration file.
Note
If the nginx.conf configuration file or the file that is referenced by the include directive does not contain the server configuration item, manually add the server configuration item.

Remove the # comment symbol from the beginning of each line and modify the settings based on the following sample code:

server {
     # Specify the default HTTPS port 443.
     # If you do not specify the default HTTPS port, the NGINX service may fail to start.
     listen 443 ssl;
     
     # Enter the domain name that is bound to the certificate.
     server_name <YOURDOMAIN>;
 
     # Enter the absolute path to the certificate file.
     ssl_certificate cert/<cert-file-name>.pem;
     # Enter the absolute path to the private key file.
     ssl_certificate_key cert/<cert-file-name>.key;
 
     ssl_session_cache shared:SSL:1m;
     ssl_session_timeout 5m;
	 
     # Specify the Transport Layer Security (TLS) protocols and custom cipher suites that you want to use. The following sample code is only for reference.
     # A later TLS version offers higher security but lower compatibility with browsers.
     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
     ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

     # A server-side cipher suite is preferentially used. The default value is on.
     ssl_prefer_server_ciphers on;
 
 
    location / {
           root html;
           index index.html index.htm;
    }
}

Optional. Configure settings to automatically redirect HTTP requests to HTTPS requests.
If you want to redirect all HTTP requests to HTTPS requests, you can add the rewrite directive to your configuration file.
Important
Find the configuration item of http server in the nginx.conf configuration file, and add redirection settings.
If you cannot find the configuration item, you can append the following redirection settings to the server {} configuration item in the nginx.conf configuration file. After you configure the redirection settings, the nginx.conf file contains two server {} configuration items.
```
server {
    listen 80;
    # Enter the domain name that is bound to the certificate.
    server_name <YOURDOMAIN>;
    # Add the rewrite directive to redirect all HTTP requests to HTTPS requests.
    rewrite ^(.*)$ https://$host$1;
    location / {
        index index.html index.htm;
    }
}
```
The following figure shows the result after configuration.

Run the following commands to restart the NGINX service:
```
# Go to the executable directory of the NGINX service.
cd /usr/local/nginx/sbin
# Reload the configuration file.
./nginx -s reload
```
Note
- If the error the "ssl" parameter requires ngx_http_ssl_module is reported, recompile NGINX and add --with-http_ssl_module when you install NGINX.
- If the error "/cert/3970497_demo.aliyundoc.com.pem":BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/cert/3970497_demo.aliyundoc.com.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) is reported, remove the forward slash (/) that precedes the relative path to a certificate file. For example, remove the forward slash (/) that precedes the relative path /cert/cert-file-name.pem. The required relative path is cert/cert-file-name.pem.

Check whether the certificate is installed

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.

https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.

If the icon appears in the address bar of your browser, the certificate is installed.
Starting in Google Chrome 117, the icon is changed to the icon. If the icon appears after you click the icon, the certificate is installed.

Deploy the certificate to a cloud service

After the certificate is issued, you can install the certificate on your web application server or deploy the certificate to an Alibaba Cloud service. In this section, Alibaba Cloud CDN is used as an example to illustrate the deployment. For more information about how to deploy a certificate to another cloud service or to a web application server, see Deploy SSL certificates.

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
On the Official Certificate tab, find the issued certificate that you want to manage and click Deploy in the Actions column.
In the Select Resource step, click CDN and select the required resources. Then, click Preview and Submit.
The system automatically identifies and synchronizes the resources of all cloud services. If you cannot find the required resources, check whether all resources are synchronized in the Total Resources section. If resources are being synchronized, the Synchronize Cloud Resources button is displayed in gray, as shown in the following figure. Wait until the resources are synchronized. The time required for resource synchronization varies based on the number of resources within your cloud service.
In the Task Preview panel, confirm the information about the certificate and cloud service and click Submit.
The preview panel displays the number of certificates that match the cloud service and the amount of deployment quota to be consumed. If the number of certificates is 0, the certificate does not match the resources of the cloud service. In this case, the deployment task fails. Check the certificate that you selected.

Check whether the certificate is deployed

Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
In the left-side navigation tree of the domain name, click HTTPS.
View the information about the certificate, including the certificate status and the validity period. If Enabled is displayed for HTTPS Certificate, the certificate is deployed.

Note

After you deploy the certificate, you must wait for a period of time for the certificate to be synchronized to CDN before you can view the latest information about the certificate.

References

For more information about how to troubleshoot the issue that the certificate does not take effect after installation, see How do I resolve certificate deployment issues based on browser prompts?
For more information about how to manually install a certificate on a web application server, such as NGINX and Apache, see Manually install an SSL certificate on a web application server.