Certificate Management Service: Enable HTTPS for a website by using a paid SSL certificate

Last Updated: Oct 31, 2025

Paid SSL certificates cover multiple types and brands and are suitable for websites of various scales, such as e-commerce sites, small businesses, large enterprises, and individual users. In addition, paid SSL certificates include wildcard, multi-domain, and hybrid domain certificates to meet different business requirements, such as protecting multiple subdomains or different domain names. This topic describes how to purchase, request, issue, and install a paid certificate.

Process overview

Deploying a paid SSL certificate on your server involves the following three steps:

  1. Purchase a paid SSL certificate: Purchase the right to request a paid SSL certificate.

  2. Request an SSL certificate: Fill in the required information and submit your request for review. After the request is approved, the certificate is issued.

  3. Deploy the SSL certificate: After the certificate is issued, deploy it to your web server or a cloud product.

Prerequisites

  • If the website where you want to deploy the SSL certificate is hosted in the Chinese mainland, you must complete an ICP filing as required. Otherwise, the website may become inaccessible. For more information, see What is an ICP filing?.

Step 1: Purchase a paid SSL certificate

  1. Log on to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > SSL Certificate Management.

  3. On the Official Certificate tab, click Purchase Now. On the purchase page, select the certificate specifications as described in the following table. Then, click Buy Now and complete the payment.

    Parameter: Description

    Domain Name Type: Select Single Domain. This means one SSL certificate can be attached to one primary domain name, one subdomain, or one public IP address (IPv4). Examples include example.com and 1.1.X.X.

    Brand: Select Alibaba Cloud. This is Alibaba Cloud's own SSL certificate brand. Alibaba Cloud brand certificates are more cost-effective than other brands.

    Certificate Type: The default value is DV SSL. This is a domain validated (DV) certificate. It is suitable for personal websites, app services, display-only websites, and test websites for enterprises or individuals.

    Quantity: The default value is 1 and cannot be changed. This means you are purchasing one certificate.

    Service Period: Set the service period of the SSL certificate to 1 Year. This means the order includes one certificate that is valid for one year.

    Note

    For more information about the configurations for purchasing a paid certificate, see Purchase a paid certificate.

Step 2: Request an SSL certificate

  1. After you purchase the certificate, return to the Paid Certificates tab. In the Actions column, click Request Certificate.

  2. In the Request Certificate panel, configure the parameters as described in the following table and click Submit For Review.

    Configuration Item: Description

    Domain Name To Bind: Enter your website's domain name. For example, enter example.com.

    Domain Name Validation Method: Select a method to verify that you own the domain name.

      In this example, the domain name example.com is not resolved using the current Alibaba Cloud account. It might be resolved by a third-party service or another Alibaba Cloud account. Therefore, you can only select Manual DNS Validation or File Validation. After you submit the request, you must complete the domain name validation as instructed on the page. Otherwise, the certificate cannot be issued.

      If the Alibaba Cloud DNS service for the domain name runs on the same Alibaba Cloud account, Automatic DNS Verification is automatically selected. After you submit the request, the system automatically completes the domain name validation. You do not need to perform any manual configurations. You only need to wait for the certificate to be issued.

    Contact: From the drop-down list, click Create Contact to create a contact for this certificate request. If you have already created a contact, you can select an existing one. Make sure the contact information is accurate and valid.

    Location: Select your city or region.

    Key Algorithm: Select RSA. This is the encryption algorithm used by the SSL certificate.

      The RSA algorithm is a widely used asymmetric key encryption algorithm that offers good compatibility.

    CSR Generation Method: Select System Generated. This indicates that Certificate Service automatically generates a Certificate Signing Request (CSR) file using the encryption algorithm you specified for Key Algorithm.

      A CSR file is a request file for an SSL certificate. It contains server and organization information and must be submitted to a CA for review.

    Note

    For more information about the parameter limits and configurations for requesting a certificate, see Request a certificate.

  3. Optional: If you set Domain Name Validation Method to Manual DNS Validation or File Validation, complete the domain name validation as instructed on the page. For more information and examples of how to validate domain name ownership, see Domain name ownership validation.

    If you set Domain Name Validation Method to Automatic DNS Validation, you do not need to perform any extra steps. Wait for the certificate to be issued. A DV certificate is typically issued in 1 to 15 minutes. After the certificate is issued, its status is displayed as shown in the following figure:

    image

Step 3: Deploy the SSL certificate

Deploy the certificate to a web server

The following example uses the CentOS 8.0 64-bit operating system and Nginx 1.14.2. The deployment procedure may vary based on the operating system or web server version. If you have any questions, contact your business manager for assistance. For information about how to deploy an SSL certificate to other web servers, such as Apache, Tomcat, and IIS, see Log on to a server for deployment (supports international and GM SSL certificates).

  1. Log on to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > SSL Certificate Management.

  3. On the Paid Certificates tab, find the certificate that you want to deploy. In the Actions column, click More and then select Download.

  4. In the row for the Nginx Server Type, click Download in the Actions column.

  5. Decompress the downloaded SSL certificate package.

    The files that you obtain after decompression vary depending on how the Certificate Signing Request (CSR) was generated when you submitted the certificate application.

    CSR Generation Method: Files in the certificate package

    Automatic or Select Existing CSR:

      1. Certificate file (PEM format): Nginx supports PEM files. A PEM certificate file is a Base64-encoded text file that contains the full certificate chain. After decompression, the file is named Certificate ID_Bound Domain Name.

      2. Private key file (KEY format): By default, this file is named after the bound domain name.

    Manual:

      • If you enter a CSR that was created in the Certificate Service console, the downloaded certificate file is the same as a file that is generated using the Automatic method.

      • If you enter a CSR that was not created in the Certificate Service console, the download includes only the certificate file in the PEM format and does not include a certificate password or private key file. You can use a certificate tool to convert the certificate file and your private key file to the required format. For more information about how to convert the format of a certificate, see Convert the format of a certificate.

  6. Log on to the server, open the terminal, and run the following commands to create a directory in the Nginx conf directory to store the certificate.

    # Go to the default Nginx configuration file directory. This is the default directory if you manually compiled and installed Nginx. If you changed the default installation directory or used another installation method, adjust the path as needed.
    cd /usr/local/nginx/conf  
    # Create a certificate directory named cert.
    mkdir cert  
  7. Upload the certificate file and the private key file to the certificate directory (/usr/local/nginx/conf/cert) on the Nginx server.

    Note

    You can use the local file upload feature of a remote logon tool, such as PuTTY, XShell, or WinSCP, to upload files. If you are using an Alibaba Cloud Elastic Compute Service (ECS) instance, for more information about how to upload files, see Upload or download files.

  8. Edit the Nginx configuration file nginx.conf to modify the certificate-related configurations.

    1. Run the following command to open the configuration file.

      sudo vim /usr/local/nginx/conf/nginx.conf
      Note

      If you do not know the location of nginx.conf, you can run nginx -t to view the path of the Nginx configuration file.

    2. In nginx.conf, find the HTTPS server property configuration.

      image..png

      Note

      If the server block shown in the preceding figure does not exist in nginx.conf or in the file referenced by the include directive, add it manually.

    3. Remove the comment symbol (#) from the beginning of the lines and modify the configuration as shown in the following example.

      server {
           # The default access port for HTTPS is 443.
           # If you do not configure the default HTTPS port here, Nginx may fail to start.
           listen 443 ssl;

           # Enter the domain name bound to the certificate
           server_name <YOURDOMAIN>;

           # Enter the path of the certificate file. A relative path such as cert/... is
           # resolved against the Nginx conf directory; an absolute path also works.
           ssl_certificate cert/<cert-file-name>.pem;
           # Enter the path of the private key file (same path rules as the certificate file)
           ssl_certificate_key cert/<cert-file-name>.key;

           ssl_session_cache shared:SSL:1m;
           ssl_session_timeout 5m;

           # Customize the TLS protocol types and cipher suites to use (the following is an example configuration; evaluate whether you need to configure it)
           # The higher the TLS version, the more secure the HTTPS communication. However, higher TLS versions have poorer browser compatibility than lower versions.
           ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
           # TLSv1.1 is deprecated (RFC 8996); keep it only if you must support legacy clients.
           ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

           # Prefer the server's cipher suite order over the client's. The Nginx default is off.
           ssl_prefer_server_ciphers on;

           location / {
                  root html;
                  index index.html index.htm;
           }
      }
    4. Optional: Set HTTP requests to automatically redirect to HTTPS.

      If you want all HTTP requests to automatically redirect to the HTTPS page, you can use the rewrite directive to redirect them to HTTPS.

      Important

      In the nginx.conf file, find the http server code block and add the redirection code.

      If you cannot find the preceding code segment, you can add the following snippet after the server {} code block in the nginx.conf file. After you set HTTP requests to automatically redirect to HTTPS, the nginx.conf file contains two server {} code blocks.

      server {
          listen 80;
          # Enter the domain name bound to the certificate
          server_name <YOURDOMAIN>;
          # Redirect all HTTP requests to HTTPS using the rewrite directive.
          rewrite ^(.*)$ https://$host$1;
          location / {
              index index.html index.htm;
          }
      }

      The following figure shows the resulting configuration:

      image..png

  9. Run the following command to restart the Nginx service.

    # Go to the executable directory of the Nginx service.
    cd /usr/local/nginx/sbin
    # Reload the configuration file.
    ./nginx -s reload
    Note
    • Error: the "ssl" parameter requires ngx_http_ssl_module: You must recompile Nginx and add the --with-http_ssl_module configuration during compilation and installation.

    • The error "/cert/3970497_demo.aliyundoc.com.pem":BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/cert/3970497_demo.aliyundoc.com.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) means that you need to remove the leading / from the relative path of the certificate. For example, you need to remove the leading / from /cert/cert-file-name.pem and use the correct relative path cert/cert-file-name.pem.
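
The following pre-reload check is an added example, not part of the original procedure. It resolves the ssl_certificate and ssl_certificate_key paths against the directory that contains nginx.conf, as Nginx does, which catches the leading-slash error described above, and it also flags a private key that is accessible to group or others and deprecated ssl_protocols values. The function names and the assumption that each directive sits on its own line are specific to this example.

```shell
#!/bin/sh
# Added example: pre-reload audit of the TLS directives edited in step 8.
# Assumption: each directive sits on its own line, as in the server block above.

# Print the arguments of every uncommented occurrence of directive $2 in file $1.
directive_args() {
    sed 's/#.*//' "$1" | awk -v d="$2" \
        '$1 == d { $1 = ""; sub(/^ +/, ""); sub(/ *; *$/, ""); print }'
}

# Print one line per finding; return 0 if there are none, 1 otherwise.
audit_nginx_tls() {  # $1 = path to nginx.conf
    conf=$1
    prefix=$(dirname "$conf")   # relative paths are resolved against this directory
    findings=0
    for d in ssl_certificate ssl_certificate_key; do
        for p in $(directive_args "$conf" "$d"); do
            case $p in
                /*) full=$p ;;
                *)  full=$prefix/$p ;;
            esac
            if [ ! -f "$full" ]; then
                echo "FAIL $d: $full does not exist"
                findings=$((findings + 1))
            elif [ "$d" = ssl_certificate_key ] &&
                 [ "$(ls -lnL "$full" | cut -c5-10)" != "------" ]; then
                echo "WARN $d: $full is accessible to group or others (chmod 600)"
                findings=$((findings + 1))
            fi
        done
    done
    for proto in $(directive_args "$conf" ssl_protocols); do
        case $proto in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "WARN ssl_protocols: $proto is deprecated"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Usage on the server, before the reload in step 9:
#   audit_nginx_tls /usr/local/nginx/conf/nginx.conf && /usr/local/nginx/sbin/nginx -t
```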

Verify the deployment

After the certificate is deployed, you can verify the deployment by accessing the domain name to which the certificate is attached.

https://yourdomain   #Replace yourdomain with your actual domain name.
  • If the lock icon appears in the browser's address bar, the certificate is successfully installed.

  • Starting from Chrome 117, the HTTPS lock icon in the address bar is replaced with the tune icon. Click the icon. If the mark shown in the following figure appears, the certificate is successfully installed.

    image

Deploy the certificate to a cloud product

After an SSL certificate is issued, you can deploy it to your web server or an Alibaba Cloud product. This section uses Alibaba Cloud CDN as an example to describe how to deploy a certificate to a cloud product. For more information about how to deploy a certificate to other cloud products or a web server, see Deploy an SSL certificate.

  1. Log on to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > SSL Certificate Management.

  3. On the Paid Certificates tab, find the issued certificate. In the Actions column, click Deploy.

  4. On the Select Resource page, select CDN and the target resource. Then, click Preview and Submit.

    The system automatically detects and retrieves all resources from your cloud products. If you cannot find the target resource, check the Total Resources section to see if the resources have been synchronized. If the resources are being synchronized, as indicated by the grayed-out status in the figure, wait for the synchronization to complete. The time required to synchronize resources depends on the number of resources in your cloud product.

    image

  5. In the Task Preview panel, confirm the certificate instance and cloud product resource information. If everything is correct, click Submit.

    The preview page shows the number of certificates that match the cloud product and the number of deployments that will be used. If the number of matched certificates is 0, the certificate that you selected does not match the cloud product resource. The deployment will fail. In this case, review the selected certificate.

Verify the deployment

  1. Log on to the Alibaba Cloud CDN console.

  2. In the left navigation pane, click Domain Names.

  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.

  4. In the left navigation tree of the domain name, click HTTPS.

  5. View the information of the deployed SSL certificate, including its status and validity period. If HTTPS Certificate is set to Enabled, the certificate is successfully deployed.

Note

If you have just deployed the certificate, you may need to wait for the CDN cache to update before you can view the latest certificate information.

References