Configure third-party cloud accounts and deploy certificates to third-party cloud products - Certificate Management Service

If your cloud products are hosted on platforms other than Alibaba Cloud, you can use Digital Certificate Management Service to deploy your issued SSL Certificates to those third-party cloud products. This simplifies the certificate migration and configuration process.

Limits

You can deploy certificates to the following third-party cloud products:

Cloud platform	Cloud product
Tencent Cloud	Content Delivery Network (CDN) Cloud Load Balancer (CLB) Web Application Firewall (WAF)
AWS	Amazon CloudFront (CDN) Elastic Load Balancing (ALB, NLB, and CLB)
Huawei Cloud	CDN Elastic Load Balance (ELB)

Note

To request deployment support for other cloud products, contact your business manager to submit your request to the product team.

Prerequisites

You have purchased and requested a certificate from Certificate Management Service, and its Status is Issued. For more information, see Purchase a commercial certificate and Request a certificate.
On the SSL Certificate Management page, find the target certificate and confirm the following information:
1. Status: Ensure the status is Issued. If it is Pending Expiration or Expired, you must renew the SSL certificate.
2. Bound Domains: Ensure that this field includes all domain names that you want to protect. Otherwise, a security warning appears when you access an unlisted domain name over HTTPS. To add or modify domain names, see Append and replace domain names.
  How to determine if the Bound Domains matches all the domain names that require protection
  A certificate's Bound Domains can include multiple exact-match and wildcard domain names. The matching rules for each type of domain name are as follows:
  - Exact-match domain name: applies only to the specified domain name.
    example.com applies only to example.com.
    www.example.com applies only to www.example.com.
  - Wildcard domain name: applies only to its first-level subdomains.
    *.example.com applies to first-level subdomains such as www.example.com and a.example.com.
    *.example.com does not apply to the root domain example.com or multi-level subdomains such as a.b.example.com.
  Note
  To match multi-level subdomains, the Bound Domains must be a specific subdomain (such as a.b.example.com) or the corresponding wildcard domain name (such as *.b.example.com).

Procedure

Step 1: Purchase deployment quotas

Note

Deployment quotas apply only to certificates of the Uploaded type. For certificate types other than Uploaded, go directly to Step 2: Connect to a third-party cloud account.

If you have insufficient deployment quotas, you can purchase a deployment quota package. .
Deployment quotas are not consumed for certificate types other than Uploaded, or for certificates shared between Alibaba Cloud accounts owned by the same verified individual or enterprise. If a deployment fails, the consumed quota is returned.

Step 2: Connect to a third-party cloud account

Before you can deploy an SSL Certificate to a third-party cloud product, you must grant the required access permissions to a sub-user on the third-party cloud platform and add the sub-user's AccessKey pair to Alibaba Cloud. The following steps describe how to do this:

Log on to the Certificate Management Service console.
In the navigation pane on the left, choose Comprehensive Management > Multi-cloud AK Management.
On the Multi-cloud AK Management page, click Add Authorization.
Click the target cloud service provider and follow the on-screen instructions to configure the user account for that provider.
The following steps show how to authorize a Tencent Cloud sub-user as an example. The steps are for reference only.
1. Log on to the Tencent Cloud console, go to the User List, and click Create User.
2. On the Create User page, click Quick Create.
3. On the Quick Create User page, set the user information.
  - Username: Enter a custom username.
  - Access Mode: Click the icon and select Programmatic Access.
  - User Permissions: Click the icon. Select QcloudSSLFullAccess (full read and write permissions for SSL certificates) and the read and write permissions for the corresponding cloud product.
    Note
    For example, to deploy an Alibaba Cloud certificate to Tencent Cloud CDN, you must grant the QcloudCDNFullAccess permission (full read and write permissions for Content Delivery Network).
  The following figure shows an example of a successfully created user:
4. In the Submit AK wizard on the Alibaba Cloud Digital Certificate Management Service console, configure your Tencent Cloud sub-user or main account and click OK.

Step 3: Deploy the SSL Certificate to a third-party cloud product

In the navigation pane on the left, choose Deployment and Resource Management > Multi-cloud Deployment.

On the Multi-cloud Deployment page, click Create Task and follow the steps to deploy an Alibaba Cloud SSL Certificate to a third-party cloud product.

On the Configure Basic Information wizard page, enter a task name, select an AccessKey pair, a contact, and a deployment time. Then, click Next.

Configuration item	Description
Task Name	Enter a custom name for the deployment task.
Select AK	Select the account for the third-party cloud that you connected in Step 2. If no AccessKey pair is available, click Add New AK and follow the instructions in Limits to configure the AccessKey pair.
Contact	Select contacts to receive notifications for the deployment task. You can add up to 10 contacts.
Deployed At	Deploy: Deploys the certificate to the cloud product immediately. Custom Time: Specifies a time for the deployment task to run. The system starts the task at the specified time.

In the Select Certificate wizard, select one or more SSL Certificates for your cloud product resources, and then click Next.
- Certificates issued by the Private CA service are synchronized to the Manage Uploaded Certificates tab for you to select.
- In a deployment task, you can select certificates of only one type.
On the Select Resource wizard page, the system automatically detects and pulls all resources from the relevant cloud products. You can select one or more cloud products and resources. Then, click Preview and Submit.
On the Task Preview page, confirm the certificate instances and cloud product resources to be deployed. If the details are correct, click Submit.
The preview page shows the number of matching certificates for the cloud product and the number of deployment quotas that will be consumed.
- If the number of matching certificates is 0, the selected certificates do not match the cloud product resources, which will cause the deployment to fail. In this case, carefully check the certificates that you selected.
- The number of consumed deployment quotas is based on the number of resources that match the uploaded certificates. If a match is found but the deployment fails after the task starts, the quota consumed for that resource is returned.

Step 4: Verify the SSL Certificate installation

Access the domain name that is bound to the certificate over HTTPS. For example, https://yourdomain.com. Replace yourdomain.com with your actual domain name.
If a lock icon is displayed in the address bar of the browser, the certificate is successfully deployed. If an access exception occurs or no lock icon is displayed, clear the browser cache or use incognito (private) mode and try again. If the problem persists, see the FAQ section for troubleshooting.
Note
Starting from version 117, the icon in the address bar of Chrome has been replaced with the new icon. You must click the new icon to view the lock information.

Note

If the issue persists, see the FAQ section for troubleshooting.

FAQ

After I install or update a certificate, the certificate does not take effect or HTTPS access fails

This issue can occur for several reasons:

The accessed domain name is not included in the certificate's Bound Domains. For more information, see Check if the certificate matches the target domain name.
The certificate file was not replaced correctly. Check whether the certificate file is the latest and valid version.
The domain name is connected to cloud products such as CDN, SLB, or WAF, but the certificate is not installed on the corresponding product. For more information, see Deploy a certificate on a cloud product.
The DNS record of the domain name points to multiple servers, but the certificate is installed on only some of them. You must install the certificate on each server.

Note

For further troubleshooting, see Troubleshoot certificate deployment issues based on browser error messages and Self-service troubleshooting guide for SSL certificate deployment failures.

Can I deploy an SSL Certificate to a cloud product in another Alibaba Cloud account?

You cannot directly deploy an Alibaba Cloud SSL Certificate across accounts.

If multiple accounts belong to the same verified entity, you can use the certificate sharing feature to deploy certificates across accounts for free. For more information, see Upload, sync, and share SSL certificates.
If the accounts belong to different verified entities, you must download the certificate from the source account and then manually upload and deploy it in the destination account.

If a certificate is successfully deployed, does it mean HTTPS is enabled on the cloud product?

Deploying a certificate to a cloud product from the Digital Certificate Management Service console only pushes the certificate to that product. You still need to go to the console of the cloud product to verify the deployment.