Edge Security Acceleration (ESA) supports HTTPS secure acceleration. You can deploy Secure Sockets Layer (SSL) certificates on ESA and then enable the SSL/TLS feature to implement encrypted transmission between clients and ESA points of presence (POPs). ESA allows you to apply for free certificates or upload custom certificates.
Certificates
If your website runs small and medium-sized business or personal blogs and uses an exact match domain, we recommend that you apply for a free certificate.
If you want to use a certificate issued by a certificate authority (CA) with higher credibility or you have your own certificate, we recommend that you upload a custom certificate.
Item | Free certificate | Custom certificate |
CA | Lets' Encrypt | Any |
Validity period | 3 months | Subject to the validity period of the certificate |
Certificate type | Domain validated (DV) | DV, organization validated (OV), and extended validated (EV) |
Certificate algorithm | RSA | RSA and Elliptic Curve Cryptography (ECC) |
Domain type | Exact match domain and wildcard domain | Exact match domain and wildcard domain |
Domain control validation (DCV) | Automatic | Manual |
Certificate renewal | Automatic | Manual |
You can deploy free certificates and custom certificates for a website. All these certificates constitute a certificate pool. When a POP receives a request from a client, the POP automatically selects the most appropriate certificate from the pool to return to the client. For more information, see Priorities of certificates.
The number of supported certificates varies with the plan, which is shown in the following table:
Category
Basic
Standard
Advanced
Enterprise
Free certificate
10
30
50
100
Custom certificate
5
10
15
20
Apply for a free certificate
Free certificates are a convenient option for issuing and managing certificates. To apply for a free certificate, you only need to enter a domain name, and then the system handles the rest of the work, including DCV and future deployment and renewals.
When you apply for a free certificate, ESA automatically completes DCV. For more information, see Automatic DCV for free certificates.
ESA automatically renews a free certificate 15 days before it expires. If the renewal fails, you will be notified by an email. In this case, you need to upload a custom certificate to ensure interruption-free business.
Log on to the ESA console.
In the left-side navigation pane, click Websites.
On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.
In the left-side navigation tree, choose .
On the Edge Certificates page, click Apply for Free Certificate in the Certificate Management section and then select Single Domain Certificate or Wildcard Domain Certificate for Certificate Type.
You can specify up to 50 individual domain names for a single-domain certificate at a time. The domains can be exact match domains or wildcard domains, and they must correspond to the site.
Click OK and wait until the application for the free certificate is approved. You can view the status of the certificate application in the Certificate Management section.
Upload a custom certificate
You can apply for a certificate from Alibaba Cloud Certificate Management Service or a third-party CA and then deploy the certificate to ESA.
You can log on to the Certificate Management Service console to purchase an advanced certificate.
Certificates that are issued by third-party CAs must meet the certificate format requirements. For more information, see Certificate formats.
You can view your SSL certificates. Private keys are not displayed because they are sensitive information. Keep certificate-related information confidential.
Log on to the ESA console.
In the left-side navigation pane, click Websites.
On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.
In the left-side navigation tree, choose .
In the Certificate Management section, click Upload Custom Certificate.
If you have purchased a certificate from Alibaba Cloud Certificate Management Service, set the Certificate Source parameter to Certificate Purchased by Using Certificate Management Service, and select the certificate from the Certificate Name drop-down list.
NoteIf the certificate that you purchased is unavailable, check whether the domain name that is associated with the purchased certificate is your website domain name.
If you use a certificate that is issued by a third-party CA, set the Certificate Source parameter to Custom Certificate and configure the Certificate Name, Certificate (Public Key), and Private Key parameters. Then the certificate is stored in Alibaba Cloud Certificate Management Service. You can view the certificate on the SSL Certificate Management page in the Certificate Management Service console.
Parameter
Description
Certificate Name
Enter a name for the certificate that you want to upload.
The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).
NoteA certificate name must be unique. You can view existing certificates on the SSL Certificate Management page in the Certificate Management Service console.
If the system prompts that the certificate already exists, change the certificate name and re-upload the certificate.
Certificate (Public Key)
Enter the content of the PEM-encoded certificate file.
You can use a text editor to open the certificate file in PEM format. Then, copy the content to the Certificate (Public Key) field.
Private Key
Enter the content of the PEM-encoded private key file of the certificate that you want to upload.
You can use a text editor to open the certificate file in PEM format. Then, copy the content to the Private Key field.
NoteIf you obtain a private key that starts with "----- BEGIN PRIVATE KEY -----" and ends with "----- END PRIVATE KEY -----", use an OpenSSL tool to run the following command to convert the private key. Then, copy the content of the
new_server_key.pemfile to the Private Key field.openssl rsa -in old_server_key.pem -out new_server_key.pem
Click OK.
Enable SSL/TLS
After you configure a certificate, you can enable the SSL/TLS feature to allow clients to access POPs over HTTPS.
Log on to the ESA console.
In the left-side navigation pane, click Websites.
On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.
In the left-side navigation tree, choose .
Turn on the SSL/TLS switch.
Check whether HTTPS takes effect
After you configure a certificate and enable SSL/TLS, you can check whether HTTPS secure acceleration takes effect by sending HTTPS requests to access resources. If the URL is displayed with a lock icon in the address bar of the browser, HTTPS secure acceleration is working as expected.
Update a custom certificate
ESA cannot automatically renew a custom certificate. To avoid issues caused by certificate expiration, we recommend that you update your certificate or configure a new custom certificate before your certificate expires. You will be notified by an email 30 days before your custom certificate expires.
Update an existing custom certificate
In the left-side navigation tree, choose . In the Certificate Management section, find the certificate that you want to update, click Modify in the Actions column, update the certificate, and then click OK.
Configure a new custom certificate
In the left-side navigation tree, choose . In the Certificate Management section, click Upload Custom Certificate.
Upload a new custom certificate by referring to Upload a custom certificate.
Select the certificate that is about to expire and click Delete in the Actions column. In the message that appears, click OK.
Automatic DCV for free certificates
Before issuing a certificate to a domain, a CA verifies that the applicant who requests the certificate is authorized to use the domain. DNS and HTTP methods are used for DCV in ESA.
For a website that is added by using NS setup, ESA uses the DNS method to perform DCV. After you apply for a free certificate for the website, ESA automatically adds a TXT record to the DNS records of your website domain.
For a website that is added by using CNAME setup, ESA uses the HTTP method to perform DCV. After you apply a free certificate for the website, HTTP requests on which DCV is performed are returned by ESA POPs.
Priorities of certificates
You can deploy free certificates and custom certificates for a website. All these certificates constitute a certificate pool. When a POP receives a request from a client, the POP automatically selects the most appropriate certificate from the pool to return to the client. The following section describes the priorities of certificates:
Certificates that are available are preferentially returned to clients. For example, certificates that are within the validity period and match the Server Name Indication (SNI) are preferentially returned to clients.
Certificates that match the encryption algorithms used by clients are preferentially returned. For example, if the client uses the ShangMi (SM) algorithm, the SM certificate is returned to the client. If the client supports the RSA and ECC algorithms, the ECC certificate is preferentially returned to the client.
Single-domain certificates are preferentially returned to clients.
Certificates that are configured most recently are preferentially returned to clients.