All Products
Search
Document Center

Certificate Management Service:Purchase and enable a private CA

Last Updated:Jun 04, 2026

Purchase and enable a private CA to issue and manage internal certificates.

An Enterprise Private CA lets you create root and intermediate CAs, customize issuer identity, and build a multi-tier hierarchy matching your enterprise structure.

Step 1: Purchase a private root CA

Purchase a private root CA as the foundation of your private CA hierarchy.

Private root CA

Each root CA instance includes one root CA, one intermediate CA, and a quota of 10 free private certificates.

Free quota rules:

  • Usage window: Issue certificates within 30 days of purchase. Unused quota expires after this window.

  • Certificate validity: Free-quota certificates are valid for 30 days from issuance. Renewing the root CA does not extend this period.

For separately purchased private certificates, set a custom validity period at the time of purchase.

  1. Log in to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > Private Certificate Management. On the Private Certificate Management page, select the region where the PCA service is located.

  3. On the Private CAs tab, click Purchase Private Root CA.

  4. On the purchase page, select the certificate algorithm and duration, click Buy Now, and complete the payment.

    • Certificate Algorithm: The encryption algorithm used to issue certificates. Options: RSA, Private Key Algorithm, and ECC.

    • Validity Period: Select the subscription duration for the Private CA service. You can issue certificates within this period.

      Important
      • After the service expires, you can no longer issue certificates, even if you have remaining certificate quota.

      • The validity period of an issued certificate cannot exceed the subscription duration. For example, if you purchase the Private CA service for 1 month, issued certificates cannot be valid for more than 30 days.

Step 2: Enable private root and subordinate CAs

After purchase, enable the root CA first. Subordinate CAs can only be enabled after their parent root CA is enabled.

Enable the root CA

  1. On the Private CAs tab, find the target root CA and click Enable in the Actions column.

  2. In the CA Information panel, configure the root CA's information, and click Confirm and Enable.

    Multiple methods are available to enable a root CA.

    Create CA Certificate

    Parameter

    Description

    Enable Mode

    Select Create CA Certificate.

    Common Name (CN)

    The common name or abbreviation of the organization. Chinese and English characters are supported.

    Example: Alibaba Cloud.

    Organizational Unit (OU)

    The organizational unit name. Chinese and English characters are supported.

    Example: IT Department.

    Organization (O)

    The organization name. Chinese and English characters are supported.

    Example: Alibaba Cloud Computing Co., Ltd.

    City (L)

    The city where the organization is located. Chinese and English characters are supported.

    Example: Hangzhou.

    Province (S)

    The province or state where the organization is located. Chinese and English characters are supported.

    Example: Zhejiang.

    Country/Region (C)

    The country or region where the organization is located. Chinese and English characters are supported.

    Example: China.

    Private Key Algorithm

    The private key algorithm for the CA.

    The available options depend on the CA algorithm you selected at purchase:

    • If the CA algorithm is RSA, the available options are RSA_1024, RSA_2048, and RSA_4096.

    • If the CA algorithm is SM, the available option is Private Key Algorithm.

    • If the CA algorithm is Private Key Algorithm, the available options are ECC_256, ECC_384, and Private Key Algorithm.

    Validity Period

    The validity period of the root CA.

    The maximum validity period depends on your subscription duration:

    • If the subscription is less than 1 year, the supported validity period is 1 to 20 years.

    • If the subscription is 1 year or longer, the supported validity period is 1 to 100 years.

    Note

    After the service expires, you can no longer issue certificates or use any remaining private certificate resources.

    Enable CRL Service

    Enable or disable the CRL service. When enabled, revoked CA certificates are visible in the CRL. CRL Service.

    Upload CA Certificate and Private Key

    Parameter

    Description

    Enable Mode

    Select Upload CA Certificate and Private Key.

    Certificate File

    Enter the PEM-encoded certificate content.

    Open the certificate file (.pem or .crt) in a text editor, then copy and paste its content into the text box. You can also click Upload and Parse File to upload the file directly.

    Certificate Key

    Enter the PEM-encoded private key content.

    Open the private key file (.key) in a text editor, then copy and paste its content into the text box. You can also click Upload and Parse File to upload the file directly.

  3. In the Tip dialog box, confirm the information and click OK.

    After you enable the root CA, its status changes to Enabled. To correct any mistakes, you can reset the CA. For more information, see Reset a private CA.

Enable the subordinate CA

  1. On the Private CAs tab, find the target root CA, and click the expand icon (expand icon) next to its name.

  2. Find the target subordinate CA and click Enable in the Actions column.

  3. In the CA Information panel, configure the subordinate CA's information, and click Confirm and Enable.

    Multiple methods are available to enable a subordinate CA.

    Create CA Certificate

    Parameter

    Description

    Enable Mode

    Select Create CA Certificate.

    CA Usage

    The purpose of the subordinate CA. Select Intermediate CA or User CA.

    • Intermediate CA: Can issue subordinate CAs beneath it.

    • User CA: Can issue only end-entity certificates, such as server certificates and client certificates.

    Length Limit

    If you set CA Usage to Intermediate CA, configure the path length constraint. This parameter defines the maximum depth of the subordinate CA chain that this intermediate CA can issue.

    Valid values: 1 to 5.

    Important

    If Length Limit is set to 1, the subordinate CA must be a User CA.

    Common Name (CN)

    The common name or abbreviation of the organization. Chinese and English characters are supported.

    Example: Alibaba Cloud.

    Organizational Unit (OU)

    The organizational unit name. Chinese and English characters are supported.

    Example: IT Department.

    Organization (O)

    The organization name. Chinese and English characters are supported.

    Example: Alibaba Cloud Computing Co., Ltd.

    City (L)

    The city where the organization is located. Chinese and English characters are supported.

    Example: Hangzhou.

    Province (S)

    The province or state where the organization is located. Chinese and English characters are supported.

    Example: Zhejiang.

    Country/Region (C)

    The country or region where the organization is located. Chinese and English characters are supported.

    Example: China.

    Private Key Algorithm

    The private key algorithm for the CA.

    The available Private Key Algorithm options depend on the CA algorithm you selected during purchase:

    • If the CA algorithm is RSA, the available options are RSA_1024, RSA_2048, and Private Key Algorithm.

    • If the CA algorithm is SM2, the available option is SM2.

    • If the CA algorithm is Private Key Algorithm, the available options are Private Key Algorithm, Algorithm, and ECC_512.

    Validity Period

    The validity period of the subordinate CA.

    The maximum validity period depends on your subscription duration:

    • If the subscription is less than 1 year, the supported validity period is 1 to 20 years.

    • If the subscription is 1 year or longer, the supported validity period is 1 to 100 years.

    Enable CRL Service

    Enable or disable the CRL service. When enabled, revoked CA certificates are visible in the CRL. CRL Service.

    Extended Key Usage

    The intended purposes of the certificate's public key. Use this to categorize and differentiate certificates.

    Upload CA Certificate and Private Key

    Parameter

    Description

    Enable Mode

    Select Upload CA Certificate and Private Key.

    Certificate File

    Enter the PEM-encoded certificate content.

    Open the certificate file (.pem or .crt) in a text editor, then copy and paste its content into the text box. You can also click Upload and Parse File to upload the file directly.

    Certificate Key

    Enter the PEM-encoded private key content.

    Open the private key file (.key) in a text editor, then copy and paste its content into the text box. You can also click Upload and Parse File to upload the file directly.

  4. In the Tip dialog box, confirm the information and click OK.

    After you enable the subordinate CA, its status changes to Enabled. To correct any mistakes, you can reset the CA. For more information, see Reset a private CA.

Step 3: (Optional) Purchase a private subordinate CA

Purchase additional subordinate CAs under a root CA for different departments or organizational units. Newly purchased subordinate CAs do not include certificate resources.

  1. On the Private CAs tab, find the target root CA and click Create Private Intermediate CA in the Actions column.

  2. In the Create Private Intermediate CA panel, complete the purchase configuration.

    Important

    The subordinate CA's algorithm must match the root CA's algorithm. You cannot change it.

  3. Select Terms of Service, click Buy Now, and complete the payment.

Step 4: Configure private certificates

After purchasing and enabling a private CA, obtain a quota to issue private certificates. Purchase and allocate a private certificate quota.