
Certificate Management Service: Installation overview

Last Updated: Jun 20, 2024

After you purchase an SSL certificate in the Certificate Management Service console and the certificate is issued, you must download the certificate and install it on a server for it to take effect. This topic describes how to download and install a certificate.

Installation scenarios

| Scenario | Description |
| --- | --- |
| Installation on a server | Install a downloaded certificate on a server and enable HTTPS listening to implement HTTPS communication between the server and clients. For more information, see Download a certificate to your computer and Install the certificate on your server. |

Download a certificate to your computer

Different types of servers support different formats of certificates. To facilitate certificate installation, Certificate Management Service provides certificate packages that are suitable for servers such as NGINX, Spring Boot, Apache Tomcat, Apache HTTPD, and Internet Information Services (IIS) servers. You can download and use the packages without the need to convert the formats of certificates. If you do not know the type of your server, you must query the type of the server. For more information, see How do I view the type of a server?

If you have purchased a certificate in the Certificate Management Service console and the certificate is issued, you can perform the following steps to download the certificate to your computer.

Important

For data security purposes, you are not allowed to download the third-party certificates that you uploaded to Certificate Management Service.

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Manage Certificates > SSL Certificate Management.

  3. On the Manage Certificates tab of the SSL Certificates page, find the certificate that you want to download and click Download in the Actions column.

    Note

    The Download button appears in the Actions column only when the certificate is in the Issued, Pending Expiration, or Expired state. If the certificate is in a different state, the Download button does not appear.

  4. In the Download Certificate panel, find the certificate and click Download in the Actions column.

    Certificate Management Service automatically converts the certificate into different formats that are suitable for different types of servers and compresses the certificate into packages. After you download the certificate package, you can extract the certificate files from the package. The following table describes the files that can be extracted from certificates other than SM2 certificates.

    Note

    In most cases, SM2 certificates are in the PEM format. A downloaded package of SM2 certificates contains the following files:

    • Signing certificate: server_sign.pem and server_sign.key.

    • Encryption certificate: server_enc.pem and server_enc.key.

    If the format of the downloaded certificate does not suit your server, you can use a tool to convert the certificate to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

    If your servers are accessed by using client browsers, you do not need to install root certificates because the root certificates are built into the client browsers. If your servers are accessed by using clients such as Java clients, you must install root certificates and intermediate certificates on the clients because no root certificates or intermediate certificates are built into the clients. For more information, see Download a root certificate and an intermediate certificate.

    Server type

    Certificate file description

    Tomcat

    In most cases, you must install a PFX certificate or a JKS certificate on a Tomcat server. To download a JKS certificate, find the certificate package for JKS and click Download in the Actions column. A PFX certificate package contains the following files:

    • domain name.pfx: a certificate file in the PFX format

    • pfx-password.txt: a password file

    Note

    If you do not set CSR Generation to Automatic when you apply for a certificate, the certificate package that you download does not include the TXT password file.

    Apache

    In most cases, you must install a CRT certificate on an Apache server. A CRT certificate package contains the following files:

    • domain name_public.crt: a certificate file

    • domain name_chain.crt: a certificate chain file

    • domain name.key: a private key file

    Nginx

    In most cases, you must install a PEM certificate on an NGINX server. A PEM certificate package contains the following files:

    • domain name.pem: a certificate file

    • domain name.key: a private key file

    IIS

    In most cases, you must install a PFX certificate on an IIS server. A PFX certificate package contains the following files:

    • domain name.pfx: a certificate file

    • pfx-password.txt: a password file

    JKS

    In most cases, you must install a JKS certificate on a JKS server. A JKS certificate package contains the following files:

    • domain name.jks: a certificate file

    • jks-password.txt: a password file

    Other

    You must install a PEM certificate on servers of other types. A PEM certificate package contains the following files:

    • domain name.pem: a certificate file in the PEM format

    • domain name.key: a private key file
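Because the Download button is also available for certificates in the Pending Expiration and Expired states, it is worth checking an extracted PEM package before you upload it. The following script is an added example, not part of the Certificate Management Service documentation. Its function names are hypothetical, and it assumes the openssl command-line tool and an unencrypted PEM private key. The sample pair it checks is a constructed self-signed certificate for example.test.

```sh
#!/bin/sh
# Added example (not from the product documentation): pre-install checks for
# an extracted PEM package. Function names are hypothetical; requires openssl.

# 0 if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate ($1) stays valid for at least $2 more days.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 if the key file grants no permissions to group or others.
key_is_private() {
  [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Run all checks; usage: check_package CERT KEY [MIN_DAYS]
check_package() {
  rc=0; days=${3:-30}
  key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
  valid_for_days "$1" "$days" || { echo "FAIL: expired or expires within $days days"; rc=1; }
  key_is_private "$2" || { echo "FAIL: key file is accessible to group/others"; rc=1; }
  return "$rc"
}

# Constructed sample input: a throwaway self-signed pair for example.test,
# standing in for the downloaded <domain name>.pem and <domain name>.key.
make_sample_pair() {  # usage: make_sample_pair DIR NAME DAYS
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=example.test" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1 && chmod 600 "$1/$2.key"
}

tmp=$(mktemp -d)
make_sample_pair "$tmp" good 90 && make_sample_pair "$tmp" other 90
check_package "$tmp/good.pem" "$tmp/good.key" && echo "good pair: OK to install"
check_package "$tmp/good.pem" "$tmp/other.key" || echo "mismatched pair rejected"
rm -rf "$tmp"
```

For a real package, call check_package with the paths of the extracted certificate and key files, quoting them if they contain spaces.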

Install the certificate on your server

After you download the certificate to your computer, you must upload the certificate to your server and modify the server settings for the certificate to take effect. For more information about how to download a certificate, see Download a certificate to your computer.

The operations to install a certificate vary based on server types. The following table lists the methods to install a certificate on different types of servers.

Note

If the type of your server is not listed in the following table or you do not know how to configure server settings, contact your account manager.

| Server type | Certificate installation method |
| --- | --- |
| NGINX and Tengine | Install SSL certificates on NGINX servers or Tengine servers |
| Spring Boot | Enable HTTPS on Spring Boot |
| Apache Tomcat 7 and earlier | |
| Apache Tomcat 8 and later | Install SSL certificates on Tomcat 8.5 or 9.0 servers that run CentOS |
| Apache HTTPD | Install SSL certificates on Apache servers |
| Apache 2 | Install SSL certificates on Apache 2 servers that run Ubuntu |
| IIS | Install SSL certificates on IIS servers |
| Jetty | Install SSL certificates on Jetty servers |
| GlassFish | Install SSL certificates on GlassFish servers |

Deploy a certificate to an Alibaba Cloud service

You can directly deploy a certificate to an Alibaba Cloud service in the Certificate Management Service console without the need to download the certificate. You can deploy a certificate to the following Alibaba Cloud services in the Certificate Management Service console: Serverless App Engine (SAE) - Gateway Routing, Microservices Engine (MSE) - Cloud-native Gateway, API Gateway, Global Accelerator (GA), Function Compute, Object Storage Service (OSS), Web Application Firewall (WAF), Application Load Balancer (ALB), Network Load Balancer (NLB), Simple Application Server, and Elastic Compute Service (ECS). For more information, see Deploy a certificate to a cloud server.

If your Alibaba Cloud service is not one of the preceding services or you want to deploy an SM certificate, contact your account manager or refer to the service documentation. You can deploy SM certificates only to Alibaba Cloud CDN (CDN), Dynamic Content Delivery Network (DCDN), and Anti-DDoS. The following table lists references for deploying certificates to some cloud services.

| Cloud service | Reference |
| --- | --- |
| CDN | SetCdnDomainSMCertificate |
| DCDN | Enable SM for HTTPS |
| Anti-DDoS | Upload an SSL certificate |

Note

If issues occur when you deploy certificates, contact your account manager.