Common questions and solutions for certificate errors in Classic Load Balancer (CLB).
"Invalid parameter" when uploading a third-party certificate
The certificate content or encoding format is invalid.
To verify the certificate:
openssl x509 -noout -text -in certificate.pem
If the command returns an error, the certificate content is corrupted or incomplete.
CLB requires certificates encoded in RFC 4648 Base64. If your certificate uses a different encoding, convert it before uploading.
"The specified Server Certificate format is invalid" when uploading a third-party certificate
The private key content is invalid.
To verify the private key:
openssl rsa -in private.key -check
If the command returns RSA key ok, the key is valid. Otherwise, obtain a valid private key that matches your certificate.
"No certificate chain is found in the certificate content"
The certificate file is missing the intermediate CA certificate(s).
Most certificates from commercial CAs include a certificate chain: your server certificate plus one or more intermediate certificates. Contact your CA to obtain the complete certificate chain, then concatenate them in this order:
Server certificate (your certificate)
Intermediate certificate(s)
Root certificate (optional, usually omitted)
"The format of the private key content is invalid"
CLB requires RSA private keys in PKCS#1 format, which must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----. If your private key is encrypted or in PKCS#8 format, convert it first.
openssl rsa -in pkcs8_key.pem -out pkcs1_key.pem -traditional
The -traditional flag is required for OpenSSL 3.x, which defaults to PKCS#8 output.
"The format of the certificate content is invalid"
The public key content doesn't match the expected PEM format. It must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
Check for:
Extra whitespace or line breaks
Missing header or footer lines
Incorrect copy-paste (partial content)
If the format looks correct, contact your CA to verify the certificate content.
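
The format checks from the sections above (PEM header and footer, Base64 body, PKCS#1 key label, presence of a chain) can be run in one pass before uploading. This is an added example, not Alibaba Cloud code: lint_pem, der_complete and fake_pem are hypothetical names, the sample input is constructed, and the check is structural only, so it complements the openssl commands rather than replacing them.

```python
import base64, binascii, re
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_HINTS = {"PRIVATE KEY": "PKCS#8 key", "ENCRYPTED PRIVATE KEY": "encrypted PKCS#8 key"}

def der_complete(der):
    """True if der is one SEQUENCE whose declared length equals the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    k = der[1] & 0x7F                      # long form: next k bytes hold the length
    return 0 < k <= len(der) - 2 and len(der) == 2 + k + int.from_bytes(der[2:2 + k], "big")

def lint_pem(text, kind):
    """kind: 'cert' or 'key'. Returns a list of findings; empty means well-formed."""
    want = "CERTIFICATE" if kind == "cert" else "RSA PRIVATE KEY"
    blocks = PEM_RE.findall(text)
    if not blocks:
        return ["no matching BEGIN/END pair (missing header or footer line)"]
    out = []
    if PEM_RE.sub("", text).strip():
        out.append("stray text outside the BEGIN/END blocks")
    for i, (label, body) in enumerate(blocks, 1):
        if label != want:
            out.append(f"block {i}: {KEY_HINTS.get(label, 'unexpected label ' + label)}, expected {want}")
            continue
        if "ENCRYPTED" in body:            # PKCS#1 key with a Proc-Type: 4,ENCRYPTED header
            out.append(f"block {i}: encrypted key, decrypt before upload")
            continue
        lines = body.splitlines()
        if any(l != l.strip() or not l for l in lines):
            out.append(f"block {i}: extra whitespace or blank line in body")
        try:
            der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        except binascii.Error:
            out.append(f"block {i}: body is not valid RFC 4648 Base64")
            continue
        if not der_complete(der):
            out.append(f"block {i}: truncated or padded DER (partial copy-paste?)")
    if kind == "cert" and len(blocks) == 1:
        out.append("single certificate: no intermediate CA certificate in the file")
    return out

def fake_pem(label, n=300):
    """Constructed sample: a DER SEQUENCE of n zero bytes, not a real certificate or key."""
    der = b"\x30\x82" + n.to_bytes(2, "big") + bytes(n)
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

Call lint_pem(open("certificate.pem").read(), "cert") on the concatenated certificate file and lint_pem(..., "key") on the private key; an empty list means the file passes these structural checks.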
"The certificate does not exist" when selecting a certificate for an HTTPS listener
The CLB instance and the certificate were created using different account types. For example, the CLB instance was created with an Alibaba Cloud account, but the certificate was uploaded using an Alibaba Finance Cloud account.
Solution: Use the same account to create both the CLB instance and the certificate.
"The request processing has failed due to some unknown error, exception or failure" (500) when calling UploadServerCertificate
The AliCloudCertificateRegionId parameter value is incorrect. This parameter specifies the region where the SSL certificate was issued, not the region of your CLB instance.
Certificate issued in | AliCloudCertificateRegionId |
Chinese mainland |
|
Outside Chinese mainland |
|