Certificate Management Service:Purchase and enable a private CA

Last Updated: Dec 17, 2025

Private CAs are typically used to encrypt the data of internal enterprise applications, such as OA and HR systems. This topic describes how to purchase and enable the Private CA service.

Private CA selection

Before you begin, select the Private CA type that meets your business requirements. The Private CA service offers Enterprise Private CA and Alibaba Cloud Shared CA, which differ in customization capabilities, enable modes, architectural flexibility, and cost.

CA customization

  • Enterprise Private CA: Supported. You can fully customize the issuer identity, organization, and other information for the root CA and sub CAs.

  • Alibaba Cloud Shared CA: Not supported. You share an Alibaba Cloud-managed root CA with other users.

Enable mode

  • Enterprise Private CA: Manual activation. Upon purchase, you must manually configure and enable the root and sub CAs.

  • Alibaba Cloud Shared CA: Automatic activation. The root CA and sub CAs are enabled by default upon purchase and can be used immediately.

Organizational structure

  • Enterprise Private CA: Supported. You can create a multi-level intermediate CA hierarchy to match complex enterprise departmental or organizational structures.

  • Alibaba Cloud Shared CA: Not supported. You cannot create a multi-level CA hierarchy; the structure is flat.

Cost

  • Enterprise Private CA: Higher cost. Ideal for large enterprises requiring strict CA control and brand customization.

  • Alibaba Cloud Shared CA: Lower cost. Suitable for scenarios requiring rapid, low-cost encryption for internal applications.

Enterprise Private CA

With an Enterprise Private CA, you create the root or intermediate CA yourself, which allows you to customize the issuer identity and organization information. You can also create multi-level intermediate CAs to meet your enterprise's organizational requirements.

Step 1: Purchase a private root CA

To create a private CA for the first time, you must purchase a private root CA. Upon purchase, you receive one root CA and one sub CA. The root CA includes a default quota of 10 private certificates, that is, you can issue 10 certificates from it.

  1. Log on to the Certificate Management Service console.

  2. In the left navigation pane, choose Certificate Management > PCA Certificate Management. On the PCA Certificate Management page, select the region where the PCA service is located.

  3. On the Private CAs tab, click Purchase Private Root CA.

  4. On the buy page, select the certificate algorithm and duration, click Buy Now, and complete the payment.

    • Algorithm: The key algorithm used by the CA and the certificates it issues. Options: RSA, Chinese Cryptographic Algorithm (SM), ECC.

    • Subscription Duration: Select the Private CA service usage duration. You can issue certificates within this period.

      Important
      • After the service expires, you can no longer issue certificates, even if you have remaining certificate quota.

      • The validity period of a certificate issued by the CA cannot exceed the purchase duration of the Private CA service. For example, if you purchase 1 month of Private CA service, the validity of issued certificates cannot exceed 30 days.

Step 2: Enable the private root CA and sub CA

Once purchased, the private root CA must be enabled before the subordinate CA can be enabled.

Enable the root CA

  1. On the Private CAs tab, find the target root CA. In the Actions column, click Enable.

  2. In the CA Information panel, configure the root CA information and click Confirm and Enable.

    The Certificate Management Service supports two ways to enable a root CA: creating a new CA certificate, or uploading an existing CA certificate and its private key. Select a method based on your business requirements:

    Create CA Certificate

    Parameter

    Description

    Enable Mode

    Select Create CA Certificate.

    Common Name (CN)

    The common name or abbreviation of the organization. Chinese and English are supported.

    Example: Alibaba Cloud.

    Organizational Unit (OU)

    The organizational unit name. Chinese and English are supported.

    Example: IT Dept.

    Organization (O)

    The organization's name. Chinese and English are supported.

    Example: Alibaba Cloud.

    City (L)

    The organization's city. Chinese and English are supported.

    Example: Hangzhou.

    Province (S)

    The organization's state or province. Chinese and English are supported.

    Example: Zhejiang.

    Country/Region (C)

    The organization's country or region. Chinese and English are supported.

    Example: China.

    Private Key Algorithm

    The algorithm and key length of the CA's private key.

    Available private key algorithms depend on the Certificate Algorithm selected during purchase:

    • If the algorithm is RSA, options include: RSA_1024, RSA_2048, RSA_4096.

    • If the algorithm is Chinese Cryptographic Algorithm (SM), options include: SM2_256.

    • If the algorithm is ECC, options include: ECC_256, ECC_384, ECC_512.

    Validity Period

    The validity period of the root CA.

    The validity period depends on the duration of the root CA service you purchased:

    • If the duration is < 1 year, the supported validity range is 1 to 20 years.

    • If the duration is ≥ 1 year, the supported validity range is 1 to 100 years.

    Note

    You can issue certificates only while the Private CA service is active. After the service expires, you cannot issue new certificates, and unused private certificate resources become unavailable.

    Enable CRL Service

    Specifies whether to enable the Certificate Revocation List (CRL) service. If enabled, the certificates revoked by this CA are published in a CRL that relying parties can check. For more information, see CRL Service.

    Upload CA Certificate and Private Key

    Parameter

    Description

    Enable Mode

    Select Upload CA Certificate and Private Key.

    Certificate File

    Enter the PEM-encoded content of the certificate file.

    You can use a text editor to open the PEM or CRT certificate file, copy the content, and paste it into this field. Alternatively, click Upload and Parse File below the field, select the certificate file from your local computer, and upload its content.

    Certificate Key

    Enter the PEM-encoded content of the certificate private key.

    You can use a text editor to open the private key file (KEY), copy the content, and paste it into this field. Alternatively, click Upload and Parse File below the field, select the private key file from your local computer, and upload its content.

  3. In the Tip dialog box, review the information and click OK.

    After you successfully enable the root CA, its state changes to Enabled. If you need to modify incorrect CA information, reset the CA. For more information, see Reset a private CA.

Enable the sub CA

  1. On the Private CAs tab, find the target root CA and click the Fold icon next to its name to show its sub CAs.

  2. Locate the target sub CA. In the Actions column, click Enable.

  3. In the CA Information panel, configure the sub CA information and click Confirm and Enable.

    The Certificate Management Service supports two ways to enable a sub CA: creating a new CA certificate, or uploading an existing CA certificate and its private key. Select a method based on your business requirements:

    Create CA Certificate

    Parameter

    Description

    Enable Mode

    Select Create CA Certificate.

    CA Usage

    Select Intermediate CA or User CA based on the sub CA's purpose.

    • Intermediate CA: Can be used to issue subordinate CAs.

    • User CA: Can only be used to issue user certificates, such as server or client certificates.

    Length Limit

    When CA Usage is set to Intermediate CA, you must configure the path length constraint, which indicates the maximum depth of subordinate CAs that this intermediate CA can issue.

    Values range from 1 to 5.

    Important

    If Length Limit is 1, the subordinate CA must be a User CA.

    Common Name (CN)

    The common name or abbreviation of the organization. Chinese and English are supported.

    Example: Alibaba Cloud.

    Organizational Unit (OU)

    The organizational unit name. Chinese and English are supported.

    Example: IT Dept.

    Organization (O)

    The organization's name. Chinese and English are supported.

    Example: Alibaba Cloud.

    City (L)

    The organization's city. Chinese and English are supported.

    Example: Hangzhou.

    Province (S)

    The organization's state or province. Chinese and English are supported.

    Example: Zhejiang.

    Country/Region (C)

    The organization's country or region. Chinese and English are supported.

    Example: China.

    Private Key Algorithm

    The algorithm and key length of the CA's private key.

    Available private key algorithms depend on the Certificate Algorithm selected during purchase:

    • If the algorithm is RSA, options include: RSA_1024, RSA_2048, RSA_4096.

    • If the algorithm is Chinese Cryptographic Algorithm (SM), options include: SM2_256.

    • If the algorithm is ECC, options include: ECC_256, ECC_384, ECC_512.

    Validity Period

    The validity period of the sub CA.

    The validity period depends on the duration of the private sub CA you purchased:

    • If the purchase duration is < 1 year, the sub CA validity range is 1 to 20 years.

    • If the purchase duration is ≥ 1 year, the sub CA validity range is 1 to 100 years.

    Enable CRL Service

    Specifies whether to enable the CRL service. If enabled, the certificates revoked by this CA are published in a CRL that relying parties can check. For more information, see CRL Service.

    Extended Key Usage

    Select the Extended Key Usage (EKU) extension to identify the purpose of the certificate.

    Upload CA Certificate and Private Key

    Parameter

    Description

    Enable Mode

    Select Upload CA Certificate and Private Key.

    Certificate File

    Enter the PEM-encoded content of the certificate file.

    You can use a text editor to open the PEM or CRT certificate file, copy the content, and paste it into this field. Alternatively, click Upload and Parse File below the field, select the certificate file from your local computer, and upload its content.

    Certificate Key

    Enter the PEM-encoded content of the certificate private key.

    You can use a text editor to open the private key file (KEY), copy the content, and paste it into this field. Alternatively, click Upload and Parse File below the field, select the private key file from your local computer, and upload its content.

  4. In the Tip dialog box, review the information and click OK.

    After you successfully enable the sub CA, its state changes to Enabled. If you need to modify incorrect CA information, you can reset the CA. For more information, see Reset a private CA.
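The CA Usage and Length Limit parameters above become the X.509 basic constraints (cA and pathLenConstraint) of the sub CA certificate, and relying parties enforce them during chain validation. The following Go program is an added illustration, not code from the console or any Alibaba Cloud SDK: using only the Go standard library, it builds a root CA, a department CA with Length Limit 1 and a User CA below it, then shows that a server certificate under the User CA verifies while a further CA issued below it (a second CA level under the Length Limit 1 CA) is rejected, which is why the console requires a User CA at that position. CA names, subject values and hostnames are constructed; keys are ECC P-256 (the console's ECC_256 option).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs cn with parentKey; parent == nil yields a self-signed root, keyCertSign in usage marks a CA.
// pathLen is the console's Length Limit: -1 = none, 0 = User CA (pathLenConstraint 0), n > 0 = n more CA levels.
func issue(cn string, pathLen int, usage x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the console's ECC_256 option; cannot fail with crypto/rand
	tmpl := &x509.Certificate{ // Subject fields map to the console's CN/OU/O/C parameters (L and S omitted); constructed values
		SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: usage,
		Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{"IT Dept"}, Organization: []string{"Example Corp"}, Country: []string{"CN"}},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root: the template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // demo only; a real issuer returns the error
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert, key
}

// pathLenDemo: below a department CA with Length Limit 1, a User CA issuing a server
// certificate verifies, but a CA issued by that User CA (a second CA level) is rejected.
func pathLenDemo() (userCAChainOK, extraCALevelOK bool) {
	ca, leaf := x509.KeyUsageCertSign|x509.KeyUsageCRLSign, x509.KeyUsageDigitalSignature
	root, rootKey := issue("Example Root CA", -1, ca, nil, nil)
	dept, deptKey := issue("Example Dept CA", 1, ca, root, rootKey)
	user, userKey := issue("Example OA User CA", 0, ca, dept, deptKey)
	srv, _ := issue("oa.example.internal", -1, leaf, user, userKey)
	rogue, rogueKey := issue("Example Rogue Sub CA", 0, ca, user, userKey) // exceeds both path length limits
	srv2, _ := issue("hr.example.internal", -1, leaf, rogue, rogueKey)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(dept)
	inter.AddCert(user)
	inter.AddCert(rogue)
	_, err1 := srv.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	_, err2 := srv2.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter}) // too many intermediates
	return err1 == nil, err2 == nil
}
```

Go's verifier reports the second chain as "too many intermediates for path length constraint"; the same rejection is what a TLS client performs when a certificate was issued from a CA placed deeper than its parent's Length Limit allows.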

Step 3: (Optional) Purchase a private sub CA

You can create multiple sub CAs under an existing root CA to match your organizational structure (for example, separate sub CAs for different departments). Newly purchased sub CAs do not include any certificate quota by default.

  1. On the Private CAs tab, find the target root CA. In the Actions column, click Create Private Intermediate CA.

  2. In the Certificate manager service panel, configure the purchase settings.

    Important

    The algorithm used by the sub CA must match the root CA and cannot be changed.

  3. Click Buy Now, read and agree to the Terms of Service, and follow the on-screen instructions to complete the payment.

Step 4: Configure private certificates

After purchasing and enabling the private CA, you must configure private certificates. For more information, see Manage private certificates.