Certificate Management Service: Install SSL certificates on cloud products (such as SLB, CDN, and WAF)

Last Updated: Dec 04, 2025

This topic describes how to create a deployment task to deploy one or more SSL certificates to Alibaba Cloud services at a specified time.

Prerequisites

  • This topic does not apply to ECS or Simple Application Server. To deploy a certificate to an ECS instance or a Simple Application Server instance, see Update a certificate (not the first deployment) on an Alibaba Cloud ECS instance or a Simple Application Server instance.

  • You have purchased and requested a certificate from Certificate Management Service, and its Status is Issued. For more information, see Purchase a commercial certificate and Request a certificate.

  • The name of the issued SSL certificate cannot contain Chinese characters. The following figure shows an example.

    image

  • Confirm the certificate status and verify that the certificate matches the destination domain name.

    Confirm the certificate status and domain name match

    On the SSL Certificate Management page, find the certificate that you want to deploy and confirm the following information:

    1. Certificate Status: The status must be Issued. If the status is About to Expire or Expired, you must renew the SSL certificate.

    2. Bound Domains: The certificate must match all domain names that you want to protect. Otherwise, a security warning is displayed when users access an unmatched domain name over HTTPS. For more information about how to add or change domain names, see Add and replace domain names.

      Check whether the certificate matches the destination domain name

      The Bound Domains of a certificate can include multiple exact-match domain names and wildcard domain names. The following matching rules apply:

      • Exact-match domain name: The certificate is valid only for the specified domain name.

        • example.com is valid only for example.com.

        • www.example.com is valid only for www.example.com.

      • Wildcard domain name: The certificate is valid only for first-level subdomains.

        • *.example.com is valid for first-level subdomains such as www.example.com and a.example.com.

        • *.example.com is not valid for the root domain example.com or multi-level subdomains such as a.b.example.com.

      Note

      To match a multi-level subdomain, the Bound Domains must include the specific subdomain, such as a.b.example.com, or a corresponding wildcard domain name, such as *.b.example.com.
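The matching rules above can be checked before a deployment task is created. The following Python sketch is an added example, not part of the Alibaba Cloud documentation or tooling; the function names and the sample Bound Domains and destination lists are constructed for illustration.

```python
# Added example (not Alibaba Cloud code). Rules implemented are the ones listed
# above: exact entries match one name; "*." entries match exactly one extra label.

BOUND_DOMAINS = ["example.com", "*.example.com", "*.b.example.com"]   # constructed
DESTINATIONS = ["example.com", "WWW.example.com.", "a.b.example.com",
                "x.y.example.com", "a.example.org"]                    # constructed


def _labels(name):
    """Lower-case a DNS name, drop trailing dots, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def matches(bound, host):
    """Return True if a single Bound Domains entry covers host."""
    b, h = _labels(bound), _labels(host)
    if "" in b or "" in h:                 # empty label means a malformed name
        return False
    if b[0] == "*":
        # Same label count and same suffix: the wildcard stands for one label,
        # so the root domain and deeper subdomains are rejected.
        return len(b) >= 2 and len(h) == len(b) and h[1:] == b[1:]
    return b == h                          # exact-match entry


def coverage(bound_domains, destinations):
    """Map each destination to the first entry that covers it, or None."""
    return {d: next((b for b in bound_domains if matches(b, d)), None)
            for d in destinations}


def uncovered(bound_domains, destinations):
    """Destinations that would trigger a browser warning after deployment."""
    return [d for d, b in coverage(bound_domains, destinations).items() if b is None]


if __name__ == "__main__":
    for dest, entry in coverage(BOUND_DOMAINS, DESTINATIONS).items():
        print(f"{dest:20} {'covered by ' + entry if entry else 'NOT COVERED'}")
```

Any name returned by uncovered() needs its own entry or a matching wildcard in Bound Domains before the certificate is deployed to that resource.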

Limits

  • Deploy an international certificate

    Note
    • If the product you are using is not supported by the cloud product deployment feature, see the documentation for that cloud product to deploy the certificate.

    • In the following table, "Update existing certificate" indicates a scenario where a certificate has already been deployed to the cloud product and needs to be replaced.

    | Cloud product | Deployment task scenarios | Certificate configuration scenario |
    |---|---|---|
    | Container Service for Kubernetes (ACK) | Update an existing certificate | ACK managed and dedicated clusters: Update the AlbConfig certificate configuration and update the Secret certificate. Important: After you deploy to a Secret, do not manually modify the Secret in Container Service for Kubernetes (ACK). |
    | Serverless App Engine - Gateway routing | Update an existing certificate | Configuring HTTPS forwarding for a gateway route (ALB and CLB) |
    | Function Compute (FC) | Update an existing certificate | HTTP function scenario |
    | Microservices Engine - cloud-native gateway | Update an existing certificate | Cloud-native gateway routing scenarios |
    | API Gateway | Update an existing certificate | Accessing an API over HTTPS using a domain name |
    | Global Accelerator (GA) | Update an existing certificate | Securely accelerating access to an HTTPS domain name |
    | Application Load Balancer (ALB), Network Load Balancer (NLB) | Update an existing certificate | Using an HTTPS listener to forward requests over the HTTPS protocol (server certificate). Note: To deploy a client certificate, see Configure end-to-end HTTPS to encrypt communication. |
    | Alibaba Cloud CDN (CDN) | First-time deployment, certificate update | HTTPS secure acceleration scenario |
    | Dynamic Content Delivery Network (DCDN) | First-time deployment, certificate update | HTTPS secure acceleration scenario |
    | Edge Security Acceleration (ESA) | Update an existing certificate | HTTPS secure acceleration scenario |
    | Object Storage Service (OSS) | Update an existing certificate | Accessing OSS over HTTPS. Note: If a CDN-accelerated domain name is attached, you must replace the certificate in the CDN console. |
    | Web Application Firewall (WAF) | Update an existing certificate | CNAME access scenario |
    | Anti-DDoS Pro and Anti-DDoS Premium | Update an existing certificate | Website Config for Anti-DDoS Pro and Anti-DDoS Premium |
    | Platform for AI (PAI) | Update an existing certificate | Elastic Algorithm Service (EAS): Use a custom domain name with a dedicated gateway |

Procedure

Step 1: Purchase deployment quotas

Note

The deployment quota applies only to certificates of the Uploaded type. For certificate types other than Uploaded, proceed to Step 2: Check authorizations.

  • If you do not have a sufficient deployment quota, purchase a deployment package.

  • Deployment quotas are not consumed when you deploy certificates that are not of the Uploaded type. Quotas are also not consumed for certificates that are shared between different Alibaba Cloud accounts that belong to the same verified individual or enterprise. If a deployment fails, the consumed deployment quota is returned.

Step 2: Check authorizations

Note

If the deployment task is not for Container Service for Kubernetes (ACK), skip to Step 3: Deploy the certificate to a cloud service resource.

Before you deploy a certificate to Container Service for Kubernetes (ACK), log on to the ACK console with your Alibaba Cloud account and grant the AliyunCASDefaultRole role permission to manage the destination cluster. Otherwise, the Digital Certificate Management Service console cannot detect the cluster's namespace.

  1. Go to the ACK Authorization Management page. On the RAM Roles tab, enter AliyunCASDefaultRole and click Modify Permissions.

  2. On the Permission Management tab, grant the O&M Engineer permission to the destination cluster.


Step 3: Deploy the certificate to a cloud service resource

Deploy a single certificate to a cloud service resource

  1. If this is the first time you use the deployment service, follow the on-screen prompts to grant the required permissions. After you grant the permissions, you can create deployment tasks. For more information about authorization, see Grant permissions to access cloud resources.

  2. Log on to the Certificate Service console.

  3. In the navigation pane on the left, choose Certificate Management > SSL Certificate Management.

  4. On the SSL Certificate Management page, click the tab for your certificate type. In the certificate list, find the certificate and click Deploy in the Actions column.

    Certificates issued by Private CA are synchronized to the Manage Uploaded Certificates tab. You can manage them on that tab.

  5. On the Select Resource step of the Create Task page, select one or more cloud services and their resources. You can also adjust the selected resources. Then, click Preview and Submit.

    • The system automatically matches the selected SSL certificate with cloud service resources that already have an SSL certificate configured. In the dialog box that appears, click Submit. The system adds the matched resources to the Selected Resources section. You can then adjust the selection.


    • The system automatically detects and retrieves all resources of your cloud services. If you cannot find the destination resource in the corresponding cloud service, check the following items:

      • In the Total Resources section, check whether the resources are synchronized. If the resources are being synchronized (the status is grayed out as shown in the figure), wait for the synchronization to complete. The synchronization time varies based on the number of resources in your cloud service.

        image

      • If you still cannot find the resource after synchronization is complete, check whether the prerequisites for certificate deployment are met.

  6. In the Task Preview panel, confirm the information about the certificate instance and cloud service resources. If everything is correct, click Submit.

    The preview page shows the number of matched certificates for the cloud service and the number of deployment quotas that will be consumed. If the number of matched certificates is 0, it means the selected certificate does not match the cloud service resource and the deployment will fail. In this case, review the selected certificate.

Deploy certificates in batches to cloud service resources

  1. If this is the first time you use the deployment service, follow the on-screen prompts to grant the required permissions. After you grant the permissions, you can create deployment tasks. For more information about authorization, see Grant permissions to access cloud resources.

  2. Log on to the Certificate Service console.

  3. In the navigation pane on the left, choose Deployment and Resource Management > Deployment to Cloud Services.

  4. On the Deployment to Cloud Services page, click Create Task and follow these steps to deploy the SSL certificates.

    1. On the Configure Basic Information step, configure the task name, contact, and deployment time. Then, click Next.

      | Configuration item | Description |
      |---|---|
      | Task Name | Enter a custom name for the deployment task. |
      | Contact | Select contacts to receive notifications for the deployment task. You can add up to 10 contacts. |
      | Deployed At | Deploy: Deploys the certificate to the Alibaba Cloud service immediately. Custom Time: Specifies a time for the deployment task. The system starts the deployment task at the specified time. |

    2. On the Select Certificate step, select the SSL certificates that correspond to the cloud service resources. Then, click Next.

      • Certificates issued by Private CA are synchronized to the Uploaded Certificate tab. You can select them on that tab.

      • A deployment task can include certificates of only one type.

    3. On the Select Resource step, select one or more cloud services and their resources. You can also adjust the selected resources. Then, click Preview and Submit.

      Note

      Batch deployment is not supported for scenarios where a single SLB listener is attached to multiple server certificates.

      • The system automatically matches the selected SSL certificates with cloud service resources that already have an SSL certificate configured. In the dialog box that appears, click OK. The system adds the matched resources to the Selected Resources section. You can then adjust the selection.


      • The system automatically detects and retrieves all resources of your cloud services. If you cannot find the destination resource in the corresponding cloud service, check the following items:

        • In the Total Resources section, check whether the resources are synchronized. If the resources are being synchronized (the status is grayed out as shown in the figure), wait for the synchronization to complete. The synchronization time varies based on the number of resources in your cloud service.

          image

        • If you still cannot find the resource after synchronization is complete, check whether the deployment prerequisites are met. For more information, see Prerequisites.

    4. In the Task Preview panel, confirm the information about the certificate instances and cloud service resources. If everything is correct, click Submit.

      The preview page shows the number of matched certificates for each cloud service and the number of deployment quotas that will be consumed. If the number of matched certificates is 0, it means the selected certificates do not match the cloud service resources and the deployment will fail. In this case, review the selected certificates.

Related operations

View deployment task details

  1. On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.

  2. On the task details page, you can view the deployment status of instance resources in the destination cloud service. If deployment to a resource fails, you can view the cause of the failure in the Actions column and resolve the issue.

    If you cannot identify the cause of the failure, contact your account manager for assistance.

Delete a deployment task

Important

Deleted tasks cannot be recovered. Proceed with caution.

On the Deployment to Cloud Services page, find the deployment task and click Delete in the Actions column. You can also select multiple deployment tasks and click Delete at the bottom of the list.

FAQ

Can I deploy an SSL certificate to an Alibaba Cloud service across different Alibaba Cloud accounts?

You cannot directly deploy an Alibaba Cloud SSL certificate across accounts.

  • If multiple accounts belong to the same identity verification entity, you can use the certificate sharing feature to deploy certificates across accounts for free. For more information, see Upload, sync, and share SSL certificates.

  • If the accounts belong to different identity-verified entities, you must download the certificate from the source account and then manually upload and deploy it in the destination account.

If a certificate has been deployed, is HTTPS automatically enabled for the Alibaba Cloud service?

After you deploy a certificate to an Alibaba Cloud service from the Certificate Management Service console, the certificate is only pushed to the corresponding service. You still need to go to the console of that service to verify the deployment.

Why does the number of Alibaba Cloud service resources show 0 during certificate deployment?

When you create a deployment task, the system automatically detects and retrieves resources from all Alibaba Cloud services. If you cannot find the target resource, check the following:

  • In the Total Resources area, check whether resource synchronization is complete. If resources are being synchronized, which is indicated by a gray status, wait for the process to complete. The synchronization time depends on the number of resources in the current cloud product.


  • If you still cannot find the corresponding resource after the cloud product resource synchronization is complete, check whether the initial configuration for certificate deployment is complete. If it is not, go to the console of the corresponding cloud product to perform the deployment.