Edge Security Acceleration: Client certificates

Last Updated: Oct 22, 2024

Configuring client certificates enables mutual TLS (mTLS) authentication between clients and points of presence (POPs) in Edge Security Acceleration (ESA). This improves the security of client connections.

Issue client certificates

You can use the ESA-managed certificate authority (CA) to create client certificates and deploy them on your mobile apps. A unique CA is created for each Alibaba Cloud account. All client certificates issued by the ESA-managed CA are considered trusted by POPs.

Create a certificate

  1. Log on to the ESA console.

  2. In the left-side navigation pane, click Websites.

  3. On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.

  4. In the left-side navigation pane, choose SSL/TLS > Client Certificates.

  5. In the Client Certificates section, click Create Certificate.

  6. Set the CSR Generation, Private Key Type, and Certificate Validity fields based on your requirements.

    Note

    The default validity period of a certificate is one year.

  7. Click OK.

    Important

    In the Preview Certificate dialog box, click Copy Certificate and Copy Private Key and paste the content into your client. After you close the dialog box, the certificate and private key are no longer displayed in ESA.
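
Because the certificate and private key are shown only once, it helps to confirm that the pasted files are intact and belong together before deploying them in a client. The following shell script is an added example, not part of the ESA documentation; the function names, the self-signed sample pair, and the placeholder hostname are assumptions, and it requires the openssl command-line tool.

```sh
#!/bin/sh
# Added example (not from the ESA docs): sanity-check a client certificate and
# private key after pasting them from the Preview Certificate dialog into files.

# Returns 0 if the pair is usable; non-zero with a reason on stderr if not.
check_client_cert() {
    cert=$1 key=$2

    # The certificate must parse as PEM X.509.
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "certificate is not valid PEM: $cert" >&2; return 1; }

    # The certificate must not be expired (-checkend 0 = still valid now).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired: $cert" >&2; return 2; }

    # The private key must belong to the certificate: compare public keys.
    # openssl pkey reads both RSA and EC private keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "private key is not readable PEM: $key" >&2; return 3; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 4; }

    # Print the expiry date so renewal can be scheduled.
    openssl x509 -in "$cert" -noout -enddate
}

# Constructed sample input: a throwaway self-signed pair standing in for the
# certificate and key copied from the console (not an ESA-issued certificate).
make_sample_pair() {
    dir=$1 name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=constructed-sample-client" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
    chmod 600 "$dir/$name.key"   # keep the private key readable by owner only
}

demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" client
check_client_cert "$demo_dir/client.pem" "$demo_dir/client.key"
rm -rf "$demo_dir"

# With a real pair, an mTLS request to a subdomain associated with the client
# certificate would look like this (the hostname is a placeholder):
#   curl --cert client.pem --key client.key https://sub.example.com/
```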

Associate a client certificate with domain names

  1. Log on to the ESA console.

  2. In the left-side navigation pane, click Websites.

  3. On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.

  4. In the left-side navigation pane, choose SSL/TLS > Client Certificates.

  5. In the Domain Names section of the Client Certificates page, click Configure.

  6. Specify domain names in the Domain Name field.

    Note
    • The specified domain names must be subdomains of the website.

    • You can associate a client certificate with up to 50 subdomains of the website at the same time.

  7. Click OK.

Revoke a certificate

If you no longer use a certificate, perform the following steps to revoke it:

  1. Log on to the ESA console.

  2. In the left-side navigation pane, click Websites.

  3. On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.

  4. In the left-side navigation pane, choose SSL/TLS > Client Certificates.

  5. Click Client Certificates. On the Client Certificates page, find the certificate and click Revoke in the Actions column.

  6. In the message that appears, select the I confirm that the certificate is no longer required check box and click OK.