Certificate Management Service uses a Hardware Security Module (HSM) to protect certificate private keys through envelope encryption. The HSM is certified by the State Cryptography Administration (SCA) or compliant with FIPS 140-2 Level 3, and serves as the core of the key management system.
This protection covers all private keys managed by the service: keys you upload manually and keys generated when you create a Certificate Signing Request (CSR) in the console. The service never stores a plaintext private key at rest.
Upload flow
When you upload a certificate with a plaintext private key:
1. Certificate Management Service calls the HSM to encrypt the plaintext private key.
2. The resulting ciphertext is stored in Object Storage Service (OSS).
3. The plaintext private key is discarded; only the ciphertext is retained.
Download flow
When you download a certificate with a plaintext private key:
1. Certificate Management Service calls the HSM to decrypt the private key ciphertext stored in OSS.
2. Certificate Management Service temporarily stores the resulting plaintext private key in OSS and returns a download link.
3. As soon as the download completes or the download link expires, the service automatically and immediately destroys the plaintext private key.
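The upload and download flows above as a runnable model, added here as an illustration and not Certificate Management Service code. The `SoftHSM` class, the `Map` standing in for OSS, AES-256-GCM, the per-key data key and all function names are assumptions, because the page does not describe the service's internal construction.

```javascript
const crypto = require('node:crypto');

// Constructed model, not the service's code: AES-256-GCM and a per-key DEK are assumptions.
// seal() output layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce).setAAD(aad);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Reverses seal(); final() throws if the key, aad or any stored byte differs.
function open(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad).setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical in-process stand-in for the HSM: the key-encryption key (KEK)
// stays in a private field, callers only get wrap/unwrap results.
class SoftHSM {
  #kek = crypto.randomBytes(32);
  wrap(dek, aad) { return seal(this.#kek, dek, aad); }
  unwrap(blob, aad) { return open(this.#kek, blob, aad); }
}

// Upload flow: encrypt under a fresh data key (DEK), wrap the DEK with the
// HSM, persist ciphertext only, then wipe the DEK. `store` models OSS.
function upload(hsm, store, certId, privateKeyPem) {
  const dek = crypto.randomBytes(32);
  const aad = Buffer.from(certId); // binds both blobs to this certificate ID
  store.set(certId, {
    wrappedDek: hsm.wrap(dek, aad),
    ciphertext: seal(dek, Buffer.from(privateKeyPem), aad),
  });
  dek.fill(0);
}

// Download flow: unwrap the DEK via the HSM, decrypt, wipe the DEK.
function download(hsm, store, certId) {
  const { wrappedDek, ciphertext } = store.get(certId);
  const aad = Buffer.from(certId);
  const dek = hsm.unwrap(wrappedDek, aad);
  try {
    return open(dek, ciphertext, aad).toString();
  } finally {
    dek.fill(0);
  }
}
```

The string returned by `download` corresponds to the temporary plaintext copy in the download flow, which the service destroys when the download completes or the link expires.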