This topic describes how to select an SSL certificate deployment plan based on your business needs to enable secure HTTPS access for your websites and applications.
Deploy an SSL certificate on the server (required): You must deploy an SSL certificate on the server to enable HTTPS for a website, API, or application.
Install a root certificate on the client (usually not required): A client requires a pre-installed root certificate to ensure secure communication and verify the server's identity. Most client operating systems and browsers have root certificates pre-installed. You need to install a root certificate on a client only if you are accessing a system that uses a self-signed certificate, the client device cannot recognize the certification authority (CA), or the root certificate is missing or has expired.
Deploy an SSL certificate on the server
Scope
Before you begin, make sure that the following conditions are met:
Certificate status: You have an SSL certificate that is issued by a trusted certification authority (CA). The Certificate Status is Issued. To purchase and request a certificate, see Purchase a commercial certificate and Submit a certificate request to a CA.
Domain name matching: Ensure the certificate matches all domain names you intend to secure. To add or modify domains, see Append and replace domain names.
Exact-match domain name: Applies only to the specified domain.
example.com protects only example.com. www.example.com protects only www.example.com.
Wildcard domain name: Applies only to its first-level subdomains.
*.example.com applies to first-level subdomains such as www.example.com and a.example.com. *.example.com does not protect the root domain example.com or multi-level subdomains such as a.b.example.com.
Note: To protect multi-level subdomains, the Bound Domains field must contain the exact domain, such as a.b.example.com, or a corresponding wildcard domain, such as *.b.example.com.
DNS resolution: The domain's DNS record is configured and resolves to the server's public IP address.
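The following is an added example, not code from the original documentation, that applies the domain name matching rules above to a list of bound domain names: an exact-match name protects only itself, and a wildcard protects first-level subdomains only, never the root domain or multi-level subdomains. The bound names and hostnames are constructed sample values; `name_matches` and `uncovered_hostnames` are names chosen for this example.

```python
"""Added example (not from the original documentation): check whether the
domain names bound to a certificate cover the hostnames you intend to secure.
Rules implemented, as stated in the documentation:
  - an exact-match name protects only itself;
  - a wildcard such as *.example.com protects first-level subdomains only,
    not the root domain and not multi-level subdomains.
All bound names and hostnames used below are constructed sample values."""


def name_matches(bound_name: str, hostname: str) -> bool:
    """Return True if one bound domain name (exact or wildcard) protects hostname."""
    bound_name = bound_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not bound_name.startswith("*."):
        return bound_name == hostname           # exact match: itself only
    suffix = bound_name[1:]                      # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]             # the part the asterisk stands for
    # exactly one non-empty label: "www" is covered, "" (root domain) and
    # "a.b" (multi-level subdomain) are not
    return label != "" and "." not in label


def uncovered_hostnames(bound_names, hostnames):
    """Hostnames that no bound domain name protects; an empty list means the
    certificate fits every domain you intend to secure."""
    return [h for h in hostnames if not any(name_matches(b, h) for b in bound_names)]


if __name__ == "__main__":
    bound = ["example.com", "*.example.com"]          # constructed Bound Domains
    wanted = ["example.com", "www.example.com", "a.example.com", "a.b.example.com"]
    # a.b.example.com is reported: it needs a.b.example.com or *.b.example.com
    print(uncovered_hostnames(bound, wanted))
```

Run the check before requesting or deploying a certificate; any hostname it reports must be added to the Bound Domains field (see Append and replace domain names) or the browser will reject the certificate for that name.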
Determine the certificate deployment location
When processing HTTPS traffic, you must deploy SSL certificates on all relevant network nodes. These nodes include web servers such as Nginx, Apache, and IIS, Application Load Balancer (ALB), a content delivery network (CDN), Web Application Firewall (WAF), and API Gateway. Deploying SSL certificates on these nodes provides end-to-end encryption from the client to the server, which prevents plaintext transmission across intermediate links and ensures secure communication.
Traffic directly reaches the server: When a user accesses a website using the public IP address of a server, the traffic directly reaches the server without passing through other intermediate nodes.
Traffic passes through multiple network nodes: When a user accesses a website using a domain name, the traffic usually passes through multiple network nodes, such as a content delivery network (CDN) and an Application Load Balancer (ALB), before it is forwarded to the origin server for processing.
Traffic directly reaches the server
When Internet traffic directly accesses the origin web server without any intermediate network proxies, you need to deploy the SSL certificate only on that web server.
Traffic passes through multiple network nodes
If traffic passes through multiple intermediate nodes, such as CDN and WAF, before it reaches the origin server, you must deploy a certificate on each node that processes HTTPS traffic.
This topic uses the complex architecture "User → CDN → WAF → Server Load Balancer (ALB) → Origin server" as an example. This architecture is used only to demonstrate the certificate deployment method in a multi-node scenario. You must deploy certificates on the appropriate nodes based on your actual network architecture.
The following table describes the certificate deployment nodes and the scope of transmission encryption in different scenarios.
Scenario | Encrypted link (HTTPS) | Plaintext link (HTTP) | Nodes that require a certificate | Description |
Scenario 1 | User ↔ CDN | CDN → WAF → ALB → Origin server | CDN | Encrypts only the traffic from the client to CDN. This is the most cost-effective option, but it poses a risk of plaintext transmission on the internal network. |
Scenario 2 | User ↔ WAF | WAF → ALB → Origin server | CDN, WAF | The encryption scope now includes WAF for improved security. |
Scenario 3 | User ↔ ALB | ALB → Origin server | CDN, WAF, ALB | Only the hop before the origin server uses plaintext transmission. This provides high security. |
Scenario 4 | User ↔ Origin server | None | CDN, WAF, ALB, origin server | Implements end-to-end encryption to provide the highest level of security. |
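As an added planning helper that is not part of the original documentation, the following Python code generalizes the table above to any ordered chain of nodes: it lists which hops are encrypted and which still carry plaintext, returns the nodes that need a certificate for HTTPS to reach a given node without a plaintext hop, and flags nodes that hold a certificate while the node in front of them does not. The node names come from the example architecture; the rule that a hop is encrypted only when the receiving node holds a certificate is the one the table expresses. The function names are chosen for this example.

```python
"""Added example (not from the original documentation): model the
"User -> CDN -> WAF -> ALB -> Origin server" chain and work out, for a given
set of nodes with a deployed certificate, which hops are HTTPS and which are
plaintext. The chain below is the documentation's example architecture and is
used here as a constructed input; replace it with your own node list."""

CHAIN = ["User", "CDN", "WAF", "ALB", "Origin server"]


def classify_hops(chain, certificate_nodes):
    """Split the hops of chain into (encrypted, plaintext) lists of 'A -> B'.
    A hop is encrypted when the receiving node terminates TLS with a certificate."""
    encrypted, plaintext = [], []
    for sender, receiver in zip(chain, chain[1:]):
        hop = f"{sender} -> {receiver}"
        (encrypted if receiver in certificate_nodes else plaintext).append(hop)
    return encrypted, plaintext


def certificates_required(chain, last_encrypted_node):
    """Nodes that must hold a certificate so that HTTPS reaches last_encrypted_node
    with no plaintext hop before it: every node after the user up to that node."""
    return chain[1 : chain.index(last_encrypted_node) + 1]


def upstream_gaps(chain, certificate_nodes):
    """Nodes that hold a certificate although the node in front of them has none.
    The hop into such a node is encrypted, but the traffic already crossed an
    earlier hop in plaintext, so the certificate does not buy end-to-end protection."""
    gaps = []
    for sender, receiver in zip(chain[1:], chain[2:]):
        if receiver in certificate_nodes and sender not in certificate_nodes:
            gaps.append(receiver)
    return gaps


if __name__ == "__main__":
    enc, plain = classify_hops(CHAIN, {"CDN"})        # scenario 1 in the table
    print("encrypted:", enc)
    print("plaintext:", plain)
    print(certificates_required(CHAIN, "ALB"))        # scenario 3: CDN, WAF, ALB
    print(certificates_required(CHAIN, "Origin server"))  # scenario 4: all nodes
    print(upstream_gaps(CHAIN, {"ALB"}))              # ['ALB']: WAF still forwards plaintext
```

Use `upstream_gaps` as a sanity check after a partial rollout: a certificate on ALB alone looks like progress toward scenario 3, but without certificates on CDN and WAF the user-facing hops are still plaintext.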
Determine the certificate deployment plan
If you need assistance during the certificate deployment process, contact your business manager.
Before you decide on an SSL certificate deployment plan, determine the hosting method for your server or cloud product. Then, select a specific deployment plan based on the following scenarios:
Deploy a certificate to Alibaba Cloud
Select a suitable plan from the following options to deploy the certificate to an ECS instance, a Simple Application Server instance, or other cloud products.
ECS and Simple Application Server
Select the certificate deployment tutorial that corresponds to the web server and operating system that you use.
If you are unsure of your web server type, see How do I find my web server type?
Server operating system | Certificate deployment tutorial |
Linux | Install an SSL certificate on an Nginx or Tengine server (Linux) |
 | Install an SSL certificate in a Spring Boot application (Linux) |
 | Install an SSL certificate in a Python Flask application (Linux) |
Windows | |
Other Alibaba Cloud products (excluding ECS and Simple Application Server)
Deploy a certificate that uses internationally accepted algorithms
Deploy from the Digital Certificate Management Service console
In the following scenarios, you can use the cloud product deployment feature in the Digital Certificate Management Service console. This feature lets you push certificates to other cloud products with a single click and eliminates the need to manually upload SSL certificates. For more information, see Deploy a certificate to an Alibaba Cloud product (excluding ECS and Simple Application Server).
Note: If the product you are using is not supported by the cloud product deployment feature, see the documentation for that cloud product to deploy the certificate.
In the following table, "Update existing certificate" indicates a scenario where a certificate has already been deployed to the cloud product and needs to be replaced.
Cloud product | Deployment task scenarios | Certificate configuration scenario |
Container Service for Kubernetes (ACK) | Update an existing certificate | ACK managed and dedicated clusters: Update the AlbConfig certificate configuration and update the Secret certificate. Important: After you deploy to a Secret, do not manually modify the Secret in Container Service for Kubernetes (ACK). |
Serverless App Engine - Gateway routing | Update an existing certificate | Configuring HTTPS forwarding for a gateway route (ALB and CLB) |
Function Compute (FC) | Update an existing certificate | HTTP function scenario |
Microservices Engine - cloud-native gateway | Update an existing certificate | Cloud-native gateway routing scenarios |
API Gateway | Update an existing certificate | Accessing an API over HTTPS using a domain name |
Global Accelerator (GA) | Update an existing certificate | Securely accelerating access to an HTTPS domain name |
Application Load Balancer (ALB) and Network Load Balancer (NLB) | Update an existing certificate | Using an HTTPS listener to forward requests over the HTTPS protocol (server certificate). Note: To deploy a client certificate, see Configure end-to-end HTTPS to encrypt communication. |
Alibaba Cloud CDN (CDN) | First-time deployment, certificate update | HTTPS secure acceleration scenario |
Dynamic Content Delivery Network (DCDN) | First-time deployment, certificate update | HTTPS secure acceleration scenario |
Edge Security Acceleration (ESA) | Update an existing certificate | HTTPS secure acceleration scenario |
Object Storage Service (OSS) | Update an existing certificate | Accessing OSS over HTTPS. Note: If a CDN-accelerated domain name is attached, you must replace the certificate in the CDN console. |
Web Application Firewall (WAF) | Update an existing certificate | CNAME access scenario |
Anti-DDoS Pro and Anti-DDoS Premium | Update an existing certificate | Website Config for Anti-DDoS Pro and Anti-DDoS Premium |
Platform for AI (PAI) | Update an existing certificate | Elastic Algorithm Service (EAS): Use a custom domain name with a dedicated gateway |
Deploy from the cloud product console
Find the corresponding cloud product in the following table, go to the console of the product, and follow the instructions in the documentation listed in the References column to complete the certificate deployment.
Cloud product | Certificate configuration scenario | References |
Container Service for Kubernetes (ACK) | ACK managed and dedicated clusters: Update AlbConfig certificate configuration, Update Secret certificate. Important: When deploying to a Secret, do not manually modify it in Container Service for Kubernetes (ACK). | |
Serverless App Engine - Gateway routing | Gateway routing: HTTPS forwarding protocol configuration (ALB and CLB) | |
Function Compute (FC) | HTTP function scenario | |
Microservices Engine - Cloud-native gateway | Cloud-native gateway routing scenarios | |
API Gateway | Accessing an API over HTTPS using a domain name | |
Global Accelerator (GA) | Securely accelerating access over HTTPS using a domain name | |
Application Load Balancer (ALB) and Network Load Balancer (NLB) | Using an HTTPS listener to forward requests over the HTTPS protocol (server certificate). Note: To deploy a client certificate, see Configure end-to-end HTTPS to encrypt communication. | |
Alibaba Cloud CDN (CDN) | HTTPS secure acceleration scenario | |
Dynamic Content Delivery Network (DCDN) | HTTPS secure acceleration scenario | |
Edge Security Acceleration (ESA) | HTTPS secure acceleration scenario | |
Object Storage Service (OSS) | Accessing OSS over HTTPS. Note: If a CDN-accelerated domain name is attached, replace the certificate in the CDN console. | |
Web Application Firewall (WAF) | CNAME access scenario | |
Anti-DDoS Pro and Anti-DDoS Premium | Website Config scenarios for Anti-DDoS Pro and Anti-DDoS Premium | |
Platform for AI (PAI) | Elastic Algorithm Service (EAS): A dedicated gateway uses a custom domain name | |
Deploy a certificate to Tencent Cloud, Huawei Cloud, and AWS
Deploy from the Digital Certificate Management Service console
Use the Alibaba Cloud Digital Certificate Management Service console to deploy certificates to third-party cloud platforms. For more information, see Deploy a certificate to a third-party cloud platform. The following cloud platforms and services are supported:
Tencent Cloud: Content Delivery Network (CDN), Web Application Firewall (WAF), and Classic Load Balancer (CLB)
AWS: Amazon CloudFront (CDN) and load balancers (Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer (CLB))
Huawei Cloud: Content Delivery Network (CDN) and Elastic Load Balancing (ELB)
Refer to the cloud vendor's official documentation
Refer to the official documentation of the relevant cloud vendor to deploy the certificate.
Deploy to other vendors or self-managed servers
Refer to the official documentation of the relevant vendor or see Log on to a server to deploy a certificate (supports international/SM SSL certificates).
Install a root certificate on a client
Some clients, such as IoT devices, embedded systems, internal enterprise systems, offline apps, older browsers, and Java clients, do not have pre-installed CA root certificates. Consequently, these clients may not trust the SSL certificate after it is deployed. To resolve this issue, you must download and install the root certificate on the client.
Install the root certificate on the client.
FAQ
How do I download a root certificate?
To download root certificates supported by Alibaba Cloud, see Download root certificates.
What do I do if the certificate chain is incomplete or an intermediate certificate is missing?
If a root or intermediate certificate on the client is missing or expired, see Resolve an incomplete SSL certificate chain. You can download and install the missing certificate, and then try to access the website again.
Why do I receive the "One or more intermediate certificates in the certificate chain are missing" error during certificate deployment?
This error can occur when you deploy an SSL certificate on certain server systems, such as Internet Information Services (IIS) on Windows Server 2008 R2. To resolve this issue, you must install the missing root or intermediate certificate on the server.
How do I find my web server type?
Use browser developer tools
Use a browser to access your domain name.
Press F12 to open the developer tools and find the server type, as shown in the following figure.

Use a command
Log on to your server.
On your server, run the following command to find the web server type.
curl -i yourdomain
Note: yourdomain is a required parameter. Replace it with your actual website domain name. For example, curl -i www.aliyundoc.com.
The following figure shows an example of the command output.

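The following Python code is an added example, not part of the original documentation, that reads the web server type out of the response headers that curl -i prints. The parser takes the raw header text, so it can be run on saved curl output; it also handles the case where the server sends no Server header at all, which is common on hardened deployments. The sample response is constructed, and the `server_type` and `fetch_headers` names are chosen for this example.

```python
"""Added example (not from the original documentation): extract the web
server type from a raw HTTP response such as the one `curl -i` prints.
SAMPLE_CURL_OUTPUT is a constructed response, not real output from any server."""
import http.client

SAMPLE_CURL_OUTPUT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.24.0\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def server_type(raw_response: str):
    """Return the value of the Server header (header names are case-insensitive),
    or None when the response carries no Server header or an empty one."""
    normalized = raw_response.replace("\r\n", "\n")
    head, _, _ = normalized.partition("\n\n")      # headers end at the blank line
    for line in head.split("\n")[1:]:              # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip() or None
    return None


def fetch_headers(domain: str, timeout: float = 5.0) -> str:
    """Send a HEAD request for / like `curl -i` does and rebuild the raw header
    text so server_type() can read it. Needs network access; the offline sample
    above does not call it."""
    conn = http.client.HTTPConnection(domain, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        status_line = f"HTTP/1.1 {resp.status} {resp.reason}"
        headers = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        return f"{status_line}\r\n{headers}\r\n"
    finally:
        conn.close()


if __name__ == "__main__":
    print(server_type(SAMPLE_CURL_OUTPUT))   # nginx/1.24.0
    print(server_type("HTTP/1.1 200 OK\r\nDate: x\r\n\r\n"))   # None
```

When the result is None, the server type cannot be read from the headers and you should fall back to the browser developer tools or ask your web developer, as the next section describes.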
Contact your website development engineer
If you still cannot determine the web server type, contact your web developer. If you encounter other issues, contact your business manager for assistance.