Alibaba Cloud Certificate Management Service protects certificate private keys with envelope encryption, calling a hardware security module (HSM) to perform the encryption. The HSM, which is the core of the key management system, is certified by the State Cryptography Administration (SCA) or compliant with FIPS 140-2 Level 3.
This protection applies to all private keys managed by the service, including keys you upload manually and keys generated when you create a Certificate Signing Request (CSR) in the Certificate Management Service console.
When you upload a certificate with a plaintext private key, Certificate Management Service calls the HSM to encrypt the plaintext and stores only the resulting ciphertext in Object Storage Service (OSS). The service does not store the plaintext private key.
When you download a certificate with a plaintext private key, Certificate Management Service calls the HSM to decrypt the private key ciphertext. The service temporarily stores the resulting plaintext private key in OSS and returns a download link. The system destroys this plaintext key automatically and immediately as soon as the download completes or the download link expires.