
Create Certificate

Updated at: 2025-02-19 01:51

When configuring an HTTPS listener, you can use a certificate from the SSL Certificate Service or upload the necessary third-party server and CA certificates to CLB to secure data transmission.

CLB supports certificates obtained from two sources:

  • Alibaba Cloud SSL Certificate Service: Certificates selected from the SSL Certificate Service come with expiration reminders and one-click renewal. Client CA certificates are not yet supported.

  • Third-party issued certificates: Upload the public key certificate and private key files. Both HTTPS server certificates and client CA certificates are supported.

Certificate description

To add an HTTPS listener, upload a server certificate or CA certificate. Below is a comparison of certificates:

| Certificate | Description | Required for one-way authentication | Required for mutual authentication |
| --- | --- | --- | --- |
| Server Certificate | Used to authenticate the identity of a server. The client browser checks whether the certificate sent by the server was issued by a trusted certificate authority. For more information, see What is an SSL Certificate. | Yes. The server certificate must be uploaded to the certificate management system of Server Load Balancer. | Yes. The server certificate must be uploaded to the certificate management system of Server Load Balancer. |
| CA Certificate | The server uses the CA certificate to authenticate the signature of the client certificate. If the authentication fails, the connection is rejected. For more information, see Generate a CA Certificate. Note: A client certificate is used to authenticate the identity of the client when the client communicates with the server. You need to install a client certificate only on the client. | No | Yes. The CA certificate must be uploaded to the certificate management system of Server Load Balancer. |

Notes

Before creating a certificate, consider the following:

  • Region and Quantity Limitations

    • To use a certificate in multiple regions, select all of those regions when you create the certificate.

    • You can create up to 100 server certificates and 100 client CA certificates per region.

  • Certificate Upload Limitations

  • Certificate Management

    • Once uploaded to CLB, the certificate is managed by CLB and does not need to be attached to the backend server.

    • Uploading, loading, and verifying a certificate may take a few minutes, so an HTTPS listener will not be immediately available after creation. It typically takes 1 to 3 minutes to enable an HTTPS listener.

Prerequisites

  • To use a certificate from the SSL Certificate Service, log on to the SSL Certificates Console and purchase a certificate or upload a third-party certificate. For more information about the SSL Certificate Service, see What is an SSL Certificate.

  • Before uploading a third-party certificate, ensure the following requirements are met:

    • A server certificate is purchased.

    • A CA certificate and a client certificate are generated. For more information, see Generate a CA Certificate.

Procedure

Select an Alibaba Cloud issued certificate

  1. Log on to the CLB console.
  2. In the left-side navigation pane, select Classic Load Balancer (CLB) > Certificate Management.

  3. On the Certificate Management page, click Create Certificate.

  4. In the Create Certificate panel, choose Alibaba Cloud Issued Certificate, select the desired SSL certificate from the list, and choose the region for certificate deployment.

    Certificates cannot be used across regions. To use a certificate in multiple regions, select all the regions where you want to use it.

  5. Click Create. Return to the Certificate Management page to view the certificate you created.

Upload a third-party issued certificate

  1. Log on to the CLB console.
  2. In the left-side navigation pane, select CLB > Certificates.

  3. On the Certificates page, click Add Certificate.

  4. In the Add Certificate panel, select Upload A Third-party Issued Certificate, fill in the required information, and then click Create.

    • Certificate Type: Select the type of certificate that you want to upload:

      • Server Certificate: Configure HTTPS one-way authentication. You only need to upload the server certificate and private key.

      • CA Certificate: Configure HTTPS mutual authentication. In addition to uploading the server certificate, you also need to upload the CA certificate.

    • Public Key Certificate: Paste the content of the server certificate or CA certificate into the field. The public key certificate contains information about the public key and the signature.

      CLB uses certificates in the Nginx format. The certificate files obtained from the certificate provider are usually suffixed with .pem, but may also be suffixed with .crt or others.

      Click View Sample to view the correct certificate style. For more information, see Certificate Requirements.

    • Private Key: Paste the content of the private key of the server certificate into the field. The private key files obtained from the certificate provider in the Nginx format are usually suffixed with .key.

      Click View Sample to view the correct private key style. For more information, see Private Key Format Requirements.

      Important: A private key is required only when you upload a server certificate.

    • Region: Select the region where you want to deploy the certificate.

      You cannot use a certificate in regions where the certificate is not deployed. If you want to use the certificate in multiple regions, select all the regions where you want to use the certificate.
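
A local check to run before pasting into the Public Key Certificate and Private Key fields, as an added example that is not part of the original page or of CLB's tooling: it uses the openssl CLI to confirm that the certificate is PEM text, that the private key belongs to it, and that it is not close to expiry. The function names, file names and the 30-day threshold are assumptions, and the sample certificates are throwaway self-signed ones constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: pre-upload checks for a server certificate and private key.
# Function and file names are assumptions, not part of CLB or its console.

# Succeeds only if the file is a PEM-encoded (Base64 text) X.509 certificate.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# Succeeds only if the private key and the certificate share one public key.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # "-passin pass:" keeps openssl from prompting if the key is encrypted.
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid N days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs every check, prints the first failure, returns 0 when all pass.
preflight() {
    local days="${3:-30}"
    is_pem_cert "$1" || { echo "FAIL: $1 is not a PEM certificate"; return 1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; return 1; }
    valid_for_days "$1" "$days" || { echo "FAIL: $1 expires within $days days"; return 1; }
    echo "OK: $1 and $2 passed all checks"
}

# Constructed sample material: two throwaway self-signed certificates.
work=$(mktemp -d)
for name in site other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$name.example" \
        -keyout "$work/$name.key" -out "$work/$name.pem" 2>/dev/null
done
# The same certificate in binary DER form, which is not pasteable PEM text.
openssl x509 -in "$work/site.pem" -outform DER -out "$work/site.der"

preflight "$work/site.pem" "$work/site.key"            # matching pair
preflight "$work/site.pem" "$work/other.key" || true   # key of another certificate
preflight "$work/site.der" "$work/site.key"  || true   # DER file, not PEM
```
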

Additional information

Can SSL certificates be used across accounts?

No, SSL certificates cannot be used across accounts.

Solution:

Step 1: Log on to the SSL Certificates Console with the Alibaba Cloud account that created the SSL certificate and download the Nginx format certificate.

Step 2: Log on to the SSL Certificates Console with the Alibaba Cloud account that needs the SSL certificate and upload the certificate.

Step 3: Log on to the Classic Load Balancer (CLB) console to create and deploy the certificate. For more information, see Select an Alibaba Cloud Issued Certificate and Add an HTTPS Listener.
