All Products
Search
Document Center

Certificate Management Service:Upload and share an SSL certificate

Last Updated:Aug 06, 2024

If you have multiple Alibaba Cloud accounts and the accounts belong to the same individual or enterprise user who passed real-name verification, Certificate Management Service allows you to share an official certificate or an individual test certificate among the accounts. You can deploy the shared certificates to Alibaba Cloud services free of charge. If you use a certificate that is issued by a third-party service provider, you can click Upload Certificate in the Certificate Management Service console to upload the certificate for centralized management. The issued certificate can use an internationally accepted algorithm or the SM2 algorithm.

Upload a certificate

Before you upload a certificate, prepare the following files:

  • A PEM-encoded certificate file in the PEM or CRT format and a PEM-encoded private key file in the KEY format. If the certificate is in another format, you can use a tool to convert the certificate to the required format. For more information, see Convert the format of a certificate.

  • A certificate file and a private key file for your signing certificate, and a certificate file and a private key file for your encryption certificate. The preceding files are required when you upload an SM2 certificate. If you do not know the algorithm of your certificate, you can view the algorithm in the certificate details. For more information, see View information about a certificate.

Note

After you upload a certificate to the Certificate Management Service console, you cannot download the certificate. This helps ensure the data security of your certificate.

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Manage Certificates > SSL Certificate Management.

  3. On the Manage Uploaded Certificates tab, click Manage Uploaded Certificates.

  4. In the Manage Uploaded Certificates panel, configure the parameters and click OK.

    The parameters that you must configure when you set Certificate Algorithm to Internationally Accepted Algorithm are different from the parameters that you must configure when you set Certificate Algorithm to SM2 Algorithm. The following tables describe the parameters.

    • Internationally Accepted Algorithm

      Parameter

      Description

      Certificate Algorithm

      Select Internationally Accepted Algorithm. This type of algorithm is released by the National Security Agency (NSA) of the United States. Certificate Management Service supports the Rivest-Shamir-Adleman (RSA) algorithm, which is an asymmetric cryptography algorithm.

      Certificate Name

      Enter a name for the certificate that you want to upload.

      The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

      Certificate File

      Enter the content of the PEM-encoded certificate file.

      You can use one of the following methods to enter the content. Method 1: Use a text editor to open the certificate file in the PEM or CRT format. Then, copy the content to the Certificate File field. Method 2: Click Upload below the Certificate File field. Then, select the certificate file from your computer to upload the content of the file.

      Certificate Key

      Enter the content of the PEM-encoded private key file. You can use one of the following methods:

      • Manually specify the content: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Certificate Key field.

      • Upload the private key file: Click Upload below the Certificate Key field. Then, select the private key file from your computer to upload the file content to the field.

      • Select an existing CSR: You can select a certificate signing request (CSR) that is created in or uploaded to the Certificate Management Service console. The system automatically matches the CSR of the specified certificate file. For more information about how to manage CSRs, see Manage CSRs.

      Note

      If the system reports an error indicating that the certificate and private key do not match after you upload the private key file, the private key file may contain RSA characters. You can run the openssl rsa -in <Original name of the private key file> -out <New custom name of the private key file> command to convert the characters and re-upload the file.

      Certificate Chain

      Optional. Enter the content of the certificate chain file. If the certificate file contains the complete certificate chain, you do not need to configure this parameter. For more information about how to check the integrity of a certificate chain in a certificate file, see How do I troubleshoot the issue that the certificate chain of a website is incomplete?

      You can use one of the following methods to enter the content. Method 1: Use a text editor to open the certificate chain file. Then, copy the content to the Certificate Chain field. Method 2: Click Upload below the Certificate Chain field. Then, select the certificate chain file from your computer to upload the content of the file.

    • SM2 Algorithm

      Parameter

      Description

      Certificate Algorithm

      Select SM2 Algorithm. This type of algorithm is released by the State Cryptography Administration (SCA) of China. Certificate Management Service supports the SM2 algorithm, which is an asymmetric cryptography algorithm.

      Certificate Name

      Enter a name for the certificate that you want to upload.

      The name can contain letters, digits, underscores (_), and hyphens (-).

      Certificate File

      Enter the content of the PEM-encoded certificate file of the signing certificate that you want to upload.

      You can use one of the following methods to enter the content. Method 1: Use a text editor to open the certificate file in the PEM or CRT format. Then, copy the content to the Certificate File field. Method 2: Click Upload below the Certificate File field. Then, select the certificate file from your computer to upload the content of the file.

      Certificate Key

      Enter the content of the PEM-encoded private key file of the signing certificate that you want to upload.

      You can use one of the following methods to enter the content. Method 1: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Certificate Key field. Method 2: Click Upload below the Certificate Key field. Then, select the private key file from your computer to upload the content of the file.

      Encryption Certificate

      Enter the content of the PEM-encoded certificate file of the encryption certificate that you want to upload.

      You can use one of the following methods to enter the content. Method 1: Use a text editor to open the certificate file in the PEM or CRT format. Then, copy the content to the Certificate File field. Method 2: Click Upload below the Certificate File field. Then, select the certificate file from your computer to upload the content of the file.

      Encryption Private Key

      Enter the content of the PEM-encoded private key file of the encryption certificate that you want to upload.

      You can use one of the following methods to enter the content. Method 1: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Certificate Key field. Method 2: Click Upload below the Certificate Key field. Then, select the private key file from your computer to upload the content of the file.

    After the certificate is uploaded, you can view the certificate in the certificate list. If you do not want to manage an uploaded certificate in the Certificate Management Service console, you can find the certificate and click Delete in the Actions column to delete the certificate. For more information, see Delete a certificate.

    Important

    After a certificate is deleted, the certificate is removed from the list of uploaded certificates. The validity period of the certificate is not affected. A deleted certificate cannot be restored. Proceed with caution.

Share a certificate

If you have multiple Alibaba Cloud accounts and the accounts belong to the same individual or enterprise user who passed real-name verification, Certificate Management Service allows you to share a certificate among the accounts. After you share a certificate among multiple accounts, you can use one of the accounts to deploy the certificate to Alibaba Cloud services free of charge.

Limits

You cannot share a certificate in the following scenarios:

  • You cannot share a certificate that is applied for by using an Alibaba Cloud account on the China site (aliyun.com) with an Alibaba Cloud account on the international site (alibabacloud.com). You cannot share a certificate that is applied for by using an Alibaba Cloud account on the international site (alibabacloud.com) with an Alibaba Cloud account on the China site (aliyun.com).

  • You cannot share a certificate that is shared to the current Alibaba Cloud account with another Alibaba Cloud account. For example, you have Alibaba Cloud accounts A, B, and C. After you use Account A to share a certificate with Account B, you cannot use Account B to share the certificate with Account C.

  • You cannot share an uploaded certificate.

If you do not meet the conditions for sharing a certificate, you can download a certificate by using the current account and upload the certificate by using another account. For more information, see Download a certificate to your computer and Upload an SSL certificate.

Procedure

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Manage Certificates > SSL Certificate Management.

  3. On the Official Certificate tab, find the issued certificate that you want to share and go to the Share Certificate panel.分享证书

  4. In the Share Certificate panel, set the Account ID parameter to the ID of the Alibaba Cloud account to which you want to share the certificate. Then, click Confirm and Share.

    After a certificate is shared, you can log on to the Certificate Management Service console by using the Alibaba Cloud account to which the certificate is shared and go to the Manage Uploaded Certificates tab of the SSL Certificate Management page to view the certificate. The 共享图标 icon is displayed in the Status column of the shared certificate.

References

Enable hosting for an issued certificate or an uploaded certificate by renewing the certificate