Deploy certificates to Alibaba Cloud services (excluding ECS and Simple Application Server) — Cloud service deployment - Certificate Management Service

This topic describes how to create a deployment task to deploy one or more SSL certificates to Alibaba Cloud services at a specified time.

Prerequisites

This topic does not apply to ECS or Simple Application Server. To deploy a certificate to an ECS instance or a Simple Application Server instance, see Update a certificate (not the first deployment) on an Alibaba Cloud ECS instance or a Simple Application Server instance.
You have purchased and applied for a certificate in Certificate Management Service, and its Status is Issued. To purchase and apply for a certificate, see Purchase a commercial certificate and Apply for a certificate.
The name of the issued SSL certificate cannot contain Chinese characters. The following figure shows an example.
Confirm the certificate status and verify that the certificate matches the destination domain name.
Confirm the certificate status and domain name match
On the SSL Certificate Management page, find the certificate that you want to deploy and confirm the following information:
1. Certificate Status: The status must be Issued. If the status is About to Expire or Expired, you must renew the SSL certificate.
2. Bound Domains: The certificate must match all domain names that you want to protect. Otherwise, a security warning is displayed when users access an unmatched domain name over HTTPS. For more information about how to add or change domain names, see Add and replace domain names.
  Check whether the certificate matches the destination domain name
  The Bound Domains of a certificate can include multiple exact-match domain names and wildcard domain names. The following matching rules apply:
  Exact-match domain name: The certificate is valid only for the specified domain name.
  example.com is valid only for example.com.
  www.example.com is valid only for www.example.com.
  Wildcard domain name: The certificate is valid only for first-level subdomains.
  *.example.com is valid for first-level subdomains such as www.example.com and a.example.com.
  *.example.com is not valid for the root domain example.com or multi-level subdomains such as a.b.example.com.
  Note
  To match a multi-level subdomain, the Bound Domains must include the specific subdomain, such as a.b.example.com, or a corresponding wildcard domain name, such as *.b.example.com.

Limits

Deploy an international certificate

Note

If the product you are using is not supported by the cloud product deployment feature, see the documentation for that cloud product to deploy the certificate.
In the following table, "Update existing certificate" indicates a scenario where a certificate has already been deployed to the cloud product and needs to be replaced.

Cloud product	Deployment task scenarios	Certificate configuration scenario
Container Service for Kubernetes (ACK)	Update an existing certificate	ACK managed and dedicated clusters: Update the AlbConfig certificate configuration and update the Secret certificate. Important After you deploy to a Secret, do not manually modify the Secret in Container Service for Kubernetes (ACK).
Serverless App Engine - Gateway routing	Update an existing certificate	Configuring HTTPS forwarding for a gateway route (ALB and CLB)
Function Compute (FC)	Update an existing certificate	HTTP function scenario
Microservices Engine - cloud-native gateway	Update an existing certificate	Cloud-native gateway routing scenarios
API Gateway	Update an existing certificate	Accessing an API over HTTPS using a domain name
Global Accelerator (GA)	Update an existing certificate	Securely accelerating access to an HTTPS domain name
Application Load Balancer (ALB) Network Load Balancer (NLB)	Update an existing certificate	Using an HTTPS listener to forward requests over the HTTPS protocol (server certificate) Note To deploy a client certificate, see Configure end-to-end HTTPS to encrypt communication.
Application Load Balancer (ALB) Network Load Balancer (NLB)	Update an existing certificate
Alibaba Cloud CDN (CDN)	First-time deployment, certificate update	HTTPS secure acceleration scenario
Dynamic Content Delivery Network (DCDN)	First-time deployment, certificate update	HTTPS secure acceleration scenario
Edge Security Acceleration (ESA)	Update an existing certificate	HTTPS secure acceleration scenario
Object Storage Service (OSS)	Update an existing certificate	Accessing OSS over HTTPS Note If a CDN-accelerated domain name is attached, you must replace the certificate in the CDN console.
Web Application Firewall (WAF)	Update an existing certificate	CNAME access scenario
Anti-DDoS Pro and Anti-DDoS Premium	Update an existing certificate	Website Config for Anti-DDoS Pro and Anti-DDoS Premium
Platform for AI (PAI)	Update an existing certificate	Elastic Algorithm Service (EAS): Use a custom domain name with a dedicated gateway

Procedure

Step 1: Purchase deployment quotas

Note

The deployment quota applies only to certificates of the Uploaded type. For certificate types other than Uploaded, proceed to Step 2: Check authorizations.

If you do not have a sufficient deployment quota, purchase a deployment package. .
Deployment quotas are not consumed when you deploy certificates that are not of the Uploaded type. Quotas are also not consumed for certificates that are shared between different Alibaba Cloud accounts that belong to the same verified individual or enterprise. If a deployment fails, the consumed deployment quota is returned.

Step 2: Check authorizations

Note

If the deployment task is not for Container Service for Kubernetes (ACK), skip to Step 3: Deploy the certificate to a cloud service resource.

Before you deploy a certificate to ACK, log on to the ACK console with your Alibaba Cloud account and grant the AliyunCASDefaultRole role to manage the destination cluster. Otherwise, the Digital Certificate Management Service console cannot detect the cluster's namespace.

Go to the ACK Authorization Management page. On the RAM Roles tab, enter AliyunCASDefaultRole and click Modify Permissions.
On the Permission Management tab, grant the O&M Engineer permission to the destination cluster.

Step 3: Deploy the certificate to a cloud service resource

Deploy a single certificate to a cloud service resource

If this is the first time you use the deployment service, follow the on-screen prompts to grant the required permissions. After you grant the permissions, you can create deployment tasks. For more information about authorization, see Grant permissions to access cloud resources.
Log in to the Certificate Management Service console.
In the navigation pane on the left, choose Certificate Management > SSL Certificate Management.
On the SSL Certificate Management page, click the tab for your certificate type. In the certificate list, find the certificate and click Deploy in the Actions column.
Certificates issued by Private CA are synchronized to the Manage Uploaded Certificates tab. You can manage them on that tab.
On the Select Resource step of the Create Task page, select one or more cloud services and their resources. You can also adjust the selected resources. Then, click Preview and Submit.
- The system automatically matches the selected SSL certificate with cloud service resources that already have an SSL certificate configured. In the dialog box that appears, click Submit. The system adds the matched resources to the Selected Resources section. You can then adjust the selection.
- The system automatically detects and retrieves all resources of your cloud services. If you cannot find the destination resource in the corresponding cloud service, check the following items:
  - In the Total Resources section, check whether the resources are synchronized. If the resources are being synchronized (the status is grayed out as shown in the figure), wait for the synchronization to complete. The synchronization time varies based on the number of resources in your cloud service.
  - If you still cannot find the resource after synchronization is complete, check whether the prerequisites for certificate deployment are met.
In the Task Preview panel, confirm the information about the certificate instance and cloud service resources. If everything is correct, click Submit.
The preview page shows the number of matched certificates for the cloud service and the number of deployment quotas that will be consumed. If the number of matched certificates is 0, it means the selected certificate does not match the cloud service resource and the deployment will fail. In this case, review the selected certificate.

Deploy certificates in batches to cloud service resources

If this is the first time you use the deployment service, follow the on-screen prompts to grant the required permissions. After you grant the permissions, you can create deployment tasks. For more information about authorization, see Grant permissions to access cloud resources.
Log in to the Certificate Management Service console.
In the navigation pane on the left, choose Deployment and Resource Management > Deployment to Cloud Services.

On the Deployment to Cloud Services page, click Create Task and follow these steps to deploy the SSL certificates.

On the Configure Basic Information step, configure the task name, contact, and deployment time. Then, click Next.

Configuration item	Description
Task Name	Enter a custom name for the deployment task.
Contact	Select contacts to receive notifications for the deployment task. You can add up to 10 contacts.
Deployment Time	Deploy Now: Deploys the certificate to the Alibaba Cloud service immediately. Custom Time: Specifies a time for the deployment task. The system starts the deployment task at the specified time.

On the Select Certificate step, select the SSL certificates that correspond to the cloud service resources. Then, click Next.
- Certificates issued by Private CA are synchronized to the Uploaded Certificate tab. You can select them on that tab.
- A deployment task can include certificates of only one type.
On the Select Resource step, select one or more cloud services and their resources. You can also adjust the selected resources. Then, click Preview and Submit.
Note
Batch deployment is not supported for scenarios where a single SLB listener is attached to multiple server certificates.
- The system automatically matches the selected SSL certificates with cloud service resources that already have an SSL certificate configured. In the dialog box that appears, click OK. The system adds the matched resources to the Selected Resources section. You can then adjust the selection.
- The system automatically detects and retrieves all resources of your cloud services. If you cannot find the destination resource in the corresponding cloud service, check the following items:
  - In the Total Resources section, check whether the resources are synchronized. If the resources are being synchronized (the status is grayed out as shown in the figure), wait for the synchronization to complete. The synchronization time varies based on the number of resources in your cloud service.
  - If you still cannot find the resource after synchronization is complete, check whether the deployment prerequisites are met. For more information, see Prerequisites.
In the Task Preview panel, confirm the information about the certificate instances and cloud service resources. If everything is correct, click Submit.
The preview page shows the number of matched certificates for each cloud service and the number of deployment quotas that will be consumed. If the number of matched certificates is 0, it means the selected certificates do not match the cloud service resources and the deployment will fail. In this case, review the selected certificates.

Related operations

View deployment task details

On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.
On the task details page, you can view the deployment status of instance resources in the destination cloud service. If deployment to a resource fails, you can view the cause of the failure in the Actions column and resolve the issue.
If you cannot identify the cause of the failure, contact your account manager for assistance.

Delete a deployment task

Important

Deleted tasks cannot be recovered. Proceed with caution.

On the Deployment to Cloud Services page, find the deployment task and click Delete in the Actions column. You can also select multiple deployment tasks and click Delete at the bottom of the list.

FAQ

Can SSL certificates be deployed to cloud products across different Alibaba Cloud accounts?

SSL certificates cannot be directly deployed across different accounts.

If accounts belong to the same entity that has completed identity verification, you can use the certificate sharing feature for free cross-account deployment. For more information, see Upload, sync, and share SSL certificates.
If the accounts belong to different entities, you must download the certificate from the original account and then manually upload and deploy it in the target account.

After a certificate is successfully deployed, is HTTPS automatically enabled on the cloud product?

No. A successful deployment in the Certificate Management Service console only means the certificate has been delivered to the corresponding cloud product. You must still go to that product's console to enable and configure it for HTTPS traffic.

Why is the number of cloud resources displayed as 0 during deployment?

When you create a deployment task, the system automatically discovers resources. If you cannot find a target resource, check the following:

In the Total Resources area, confirm that resource synchronization is complete. If resources are still being synchronized (indicated by a grayed-out state), wait. The synchronization time depends on the number of your resources.
If you still cannot find the resource after synchronization is complete, confirm if your scenario supports initial deployment. If not, you may need to deploy it in the console of the corresponding cloud product first. For more information, see initial configuration.