
Edge Security Acceleration: Configure edge certificates

Last Updated: Nov 25, 2024

Edge Security Acceleration (ESA) supports HTTPS secure acceleration. You deploy SSL/TLS certificates on ESA and then enable the SSL/TLS feature, so that traffic between clients and ESA points of presence (POPs) is encrypted. This covers the client-to-POP leg of the connection. ESA lets you apply for free certificates or upload your own custom certificates.

Certificates

If your website is a small or medium-sized business site or a personal blog and uses an exact match domain, we recommend that you apply for a free certificate.

If you want a certificate from a CA of your own choosing, a higher-assurance (OV or EV) certificate, or you already have a certificate, upload a custom certificate.

Item                            | Free certificate                          | Custom certificate
CA                              | Let's Encrypt                             | Any
Validity period                 | 3 months (90 days)                        | Subject to the validity period of the certificate
Certificate type                | Domain validated (DV)                     | DV, organization validated (OV), and extended validation (EV)
Certificate algorithm           | RSA                                       | RSA and Elliptic Curve Cryptography (ECC)
Domain type                     | Exact match domain and wildcard domain    | Exact match domain and wildcard domain
Domain control validation (DCV) | Automatic                                 | Manual (completed with the issuing CA)
Certificate renewal             | Automatic                                 | Manual

Note
  • You can deploy both free certificates and custom certificates for a website. Together they form the website's certificate pool. When a POP receives a client request, it selects the most appropriate certificate from the pool, based on the Server Name Indication (SNI) and the capabilities of the client, and returns it to the client. For more information, see Priorities of certificates.

  • The number of supported certificates varies with the plan:

    Category           | Entrance | Pro | Premium | Enterprise
    Free certificate   | 10       | 30  | 50      | 100
    Custom certificate | 5        | 10  | 15      | 20

Apply for a free certificate

Free certificates are the most convenient option for issuing and managing certificates. To apply for one, you only need to enter a domain name; ESA handles the rest, including DCV, deployment, and renewal.

Note
  • When you apply for a free certificate, ESA completes DCV automatically. For more information, see Automatic DCV for free certificates.

  • ESA automatically renews a free certificate 15 days before it expires. If the renewal fails, you are notified by email. In this case, upload a custom certificate before the free certificate expires so that your service is not interrupted.

  1. Log on to the ESA console.

  2. In the left-side navigation pane, click Websites.

  3. On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.

  4. In the left-side navigation pane, choose SSL/TLS > Overview.

  5. On the Edge Certificates page, click Apply for Free Certificate in the Certificate Management section, and then select Single Domain Certificate or Wildcard Domain Certificate for Certificate Type.

Note

You can specify up to 50 domain names in one application. The domains can be exact match domains or wildcard domains, and they must belong to the website.

  6. Click OK and wait until the free certificate is issued. You can view the status of the application in the Certificate Management section.

Upload a custom certificate

You can apply for a certificate from Alibaba Cloud Certificate Management Service or from a third-party CA, and then deploy it to ESA.

Note
  • You can log on to the Certificate Management Service console to purchase an advanced certificate.

  • Certificates issued by third-party CAs must meet the certificate format requirements. For more information, see Certificate formats.

  • After upload you can view your SSL certificates, but private keys are never displayed because they are sensitive. Keep the private key and other certificate material confidential: anyone who holds the private key can impersonate your site.

  1. Log on to the ESA console.

  2. In the left-side navigation pane, click Websites.

  3. On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.

  4. In the left-side navigation pane, choose SSL/TLS > Overview.

  5. In the Certificate Management section, click Upload Custom Certificate.

    • If you have purchased a certificate from Alibaba Cloud Certificate Management Service, set the Certificate Source parameter to Certificate Purchased by Using Certificate Management Service, and select the certificate from the Certificate Name drop-down list.

      Note

      If the certificate that you purchased is unavailable, check whether the domain name that is associated with the purchased certificate is your website domain name.

    • If you use a certificate that is issued by a third-party CA, set the Certificate Source parameter to Custom Certificate and configure the Certificate Name, Certificate (Public Key), and Private Key parameters. Then the certificate is stored in Alibaba Cloud Certificate Management Service. You can view the certificate on the SSL Certificate Management page in the Certificate Management Service console.

      Parameter | Description
      Certificate Name | A name for the certificate that you upload. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-), and must be unique. You can view existing certificates on the SSL Certificate Management page in the Certificate Management Service console. If the system reports that the certificate already exists, change the name and upload the certificate again.
      Certificate (Public Key) | The content of the PEM-encoded certificate file. Open the certificate file in a text editor and copy its content into the Certificate (Public Key) field.
      Private Key | The content of the PEM-encoded private key file that belongs to the certificate. Open the private key file in a text editor and copy its content into the Private Key field.

      Note

      If the private key file starts with "-----BEGIN PRIVATE KEY-----" and ends with "-----END PRIVATE KEY-----" (the generic PKCS#8 container), convert it to the algorithm-specific PEM format with OpenSSL, and then copy the content of the new_server_key.pem file into the Private Key field:

      openssl rsa -in old_server_key.pem -out new_server_key.pem

      The converted RSA key starts with "-----BEGIN RSA PRIVATE KEY-----". With OpenSSL 3.x, add the -traditional option, because openssl rsa otherwise writes PKCS#8 again. For an ECC key, run the openssl ec subcommand with the same -in and -out arguments instead of openssl rsa; the result starts with "-----BEGIN EC PRIVATE KEY-----". If the key is passphrase-protected, the command prompts for the passphrase and writes an unencrypted key; the upload form has no passphrase field, so only unencrypted keys can be uploaded.
  6. Click OK.

Enable SSL/TLS

After you configure a certificate, you can enable the SSL/TLS feature to allow clients to access POPs over HTTPS.

  1. Log on to the ESA console.

  2. In the left-side navigation pane, click Websites.

  3. On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.

  4. In the left-side navigation pane, choose SSL/TLS > Overview.

  5. Turn on the SSL/TLS switch.

Check whether HTTPS takes effect

After you configure a certificate and enable SSL/TLS, check that HTTPS secure acceleration takes effect by requesting a resource over HTTPS. If the browser shows a lock icon next to the URL in the address bar, HTTPS secure acceleration is working as expected.

The lock icon only tells you that the browser accepted the certificate. To see which certificate the POP actually served for your domain and whether the chain validates, connect with openssl s_client using -servername set to your domain, or run curl -v against the URL, and check the subject, validity dates, and verification result in the output.

Update a custom certificate

ESA cannot automatically renew a custom certificate. To avoid outages caused by certificate expiration, update the certificate or configure a new custom certificate before the current one expires. You are notified by email 30 days before a custom certificate expires.

Update an existing custom certificate

In the left-side navigation tree, choose SSL/TLS > Edge Certificates. In the Certificate Management section, find the certificate that you want to update, click Modify in the Actions column, update the certificate, and then click OK.

Configure a new custom certificate

  1. In the left-side navigation tree, choose SSL/TLS > Edge Certificates. In the Certificate Management section, click Upload Custom Certificate.

  2. Upload a new custom certificate by referring to Upload a custom certificate.

  3. Select the certificate that is about to expire, click Delete in the Actions column, and then click OK in the message that appears. If the new certificate has the same type and key algorithm as the old one, it is served as soon as it is uploaded because the most recently configured certificate has priority in the pool; deleting the old one only removes it from the pool before it expires.

Automatic DCV for free certificates

Before issuing a certificate for a domain, a CA verifies that the applicant is authorized to use that domain. ESA uses the DNS method or the HTTP method for DCV, depending on how the website was added:

  • For a website added by using NS setup, ESA uses the DNS method. After you apply for a free certificate for the website, ESA automatically adds the validation TXT record to the DNS records of your domain, which it can do because it is authoritative for the zone.

  • For a website added by using CNAME setup, ESA uses the HTTP method. After you apply for a free certificate, the CA's validation requests over HTTP are answered by ESA POPs. This works only if the domain already resolves to ESA through its CNAME record; if the CNAME is not yet in place, the validation requests reach your origin instead and validation cannot succeed.

Priorities of certificates

You can deploy both free certificates and custom certificates for a website; together they form the website's certificate pool. When a POP receives a client request, it selects the most appropriate certificate from the pool in the following order:

  • Only usable certificates are considered: certificates that are within their validity period and whose domain names match the Server Name Indication (SNI) sent by the client.

  • Among those, the certificate whose key algorithm matches what the client supports is preferred. For example, if the client uses ShangMi (SM) cipher suites, the SM certificate is returned. If the client supports both RSA and ECC, the ECC certificate is preferred.

  • Single-domain certificates are preferred over wildcard certificates.

  • Among otherwise equal candidates, the most recently configured certificate is preferred.
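The checks a practitioner would run before uploading a custom certificate, the private-key conversion from the upload note, a live check of what a POP serves once SSL/TLS is on, and the priority rules above applied to a local certificate pool, as one added shell example. This is not code from the ESA documentation or product; it needs only the OpenSSL command-line tool (1.1.1 or 3.x). The domain example.com, every file name, the pool timestamps, and the self-signed test certificates it generates are all constructed for the demonstration, and the pool selection is a simplified model of the rules described above (a certificate with any wildcard name counts as a wildcard certificate), not ESA's implementation.

```shell
#!/bin/sh
# Added example, not part of the ESA documentation or product. Needs only the
# OpenSSL CLI (1.1.1 or 3.x). example.com, every file name, the pool
# timestamps and the self-signed test certificates are constructed here.

# Succeeds only if the private key belongs to the certificate (same public key).
cert_key_match() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeeds only if the certificate's names cover the hostname (wildcards too)
# and it stays valid for $3 more days (default 30: ESA's expiry e-mail lead time).
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match ' &&
    openssl x509 -in "$1" -noout -checkend $(( ${3:-30} * 86400 )) >/dev/null
}

# Prints RSA or EC according to the certificate's public key.
cert_key_type() {
  if openssl x509 -in "$1" -noout -pubkey | openssl rsa -pubin -noout >/dev/null 2>&1
  then echo RSA; else echo EC; fi
}

# Rewrites a "-----BEGIN PRIVATE KEY-----" (PKCS#8) file into the algorithm-
# specific PEM the upload note asks for. OpenSSL 3.x writes PKCS#8 from
# "openssl rsa" unless -traditional is given; 1.1.x rejects that flag, so fall
# back without it. EC keys must go through "openssl ec", never "openssl rsa".
key_to_traditional() {
  if openssl rsa -in "$1" -noout 2>/dev/null; then
    openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null ||
      openssl rsa -in "$1" -out "$2" 2>/dev/null
  else
    openssl ec -in "$1" -out "$2" 2>/dev/null
  fi
}

# Which pool member a POP would serve for an SNI, following the priority
# rules above: usable (valid, name matches the SNI) first, then the client's
# key-type support ($2 = both, rsa or ec; ECC beats RSA for "both"), then
# single-domain over wildcard, then most recently configured. Entries: file:epoch
select_cert() {
  sni=$1; pref=$2; shift 2
  for entry in "$@"; do
    f=${entry%:*}; at=${entry##*:}
    cert_covers "$f" "$sni" 0 || continue
    case "$pref:$(cert_key_type "$f")" in
      both:EC|rsa:RSA|ec:EC) r1=0 ;;
      both:RSA) r1=1 ;;
      *) continue ;;   # a certificate the client cannot use is never served
    esac
    if openssl x509 -in "$f" -noout -text | grep -q 'DNS:\*'; then r2=1; else r2=0; fi
    echo "$r1 $r2 $at $f"
  done | sort -k1,1n -k2,2n -k3,3nr | head -n 1 | cut -d' ' -f4
}

# Live check once SSL/TLS is on: the leaf certificate the POP serves for the
# SNI. Needs network access; compare it with the pool you configured.
served_cert() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
    openssl x509 -noout -subject -enddate
}

# ---- demo on constructed material: self-signed stand-ins for CA-issued certs
WORK=$(mktemp -d)
mk_pair() {  # name sans genpkey-options... -> $WORK/name.key (PKCS#8) and name.crt
  name=$1; san=$2; shift 2
  openssl genpkey "$@" -out "$WORK/$name.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/$name.key" -subj "/CN=example.com" -days 90 \
    -addext "subjectAltName=$san" -out "$WORK/$name.crt" 2>/dev/null
}
mk_pair rsa_single 'DNS:www.example.com' -algorithm RSA -pkeyopt rsa_keygen_bits:2048
mk_pair ec_wild 'DNS:example.com,DNS:*.example.com' -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1
POOL="$WORK/rsa_single.crt:1700000000 $WORK/ec_wild.crt:1700000001"

key_to_traditional "$WORK/rsa_single.key" "$WORK/rsa_single.pkcs1.key"
head -n 1 "$WORK/rsa_single.key" "$WORK/rsa_single.pkcs1.key"   # PEM header before and after
cert_key_match "$WORK/rsa_single.crt" "$WORK/rsa_single.pkcs1.key" && echo 'converted key still matches its certificate'
echo "www.example.com, client supports RSA and ECC -> $(select_cert www.example.com both $POOL)"
echo "www.example.com, client supports RSA only    -> $(select_cert www.example.com rsa $POOL)"
echo "api.example.com, client supports RSA only    -> '$(select_cert api.example.com rsa $POOL)' (nothing usable)"
```

Run it as a script: it prints the PEM header of the RSA key before and after conversion and shows that an ECC wildcard certificate wins over an RSA single-domain certificate for a client that supports both, while a client that only supports RSA gets the RSA certificate or, for a name the RSA certificate does not cover, nothing. Against a real deployment, call served_cert with your domain after enabling SSL/TLS and compare the subject and expiry with the certificate you expect the pool to serve.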