Add a certificate

Updated at: 2025-03-03 09:46

Before you configure HTTPS listeners for Classic Load Balancer (CLB) instances, you must add a certificate to CLB for use. You can use certificates from the native Certificate Management Service or import certificates obtained outside of Alibaba Cloud.

Certificate sources

CLB supports two types of certificates:

  • Alibaba Cloud-issued certificates: purchased and managed in Certificate Management Service. Only server certificates are supported.

  • Third-party certificates:

    • You can import the certificate directly to CLB, where it is dedicated to CLB use. Both server and CA certificates are supported.

    • Or, you can import it to Certificate Management Service for unified management. Only server certificates are supported.

Authentication modes

To determine which certificates you will need, refer to the following information:

  • Certificate types:

    • Server certificates: deployed on the server and sent to the client. The client's browser verifies whether the server certificate is issued by a trusted CA.

    • CA certificates: deployed on the client and the server so that each side can verify the signature on the other's certificate. If a certificate fails this verification, connections initiated from that side are denied.

    • Client certificates: deployed on the client and sent to the server when the server requires them. The server verifies whether the client certificate is issued by a trusted CA.

  • You can deploy either one-way or mutual authentication for your CLB service:

    • One-way authentication: CLB has to prove its identity to the client to ensure the data received by the client is trustworthy. This mode is common for scenarios such as HTTPS website access and API requests. Only a server certificate is required on CLB.

    • Mutual authentication: The client and CLB verify the identities of each other to ensure that both sides are trusted. This mode is useful in scenarios such as enterprise VPNs and online banking. Both a server certificate and a CA certificate are required on CLB.

Limitations

  • You can add at most 100 server certificates and 100 CA certificates for a region.

  • For imported certificates:

    • CLB supports only RSA certificates with 1024-, 2048-, and 4096-bit key lengths.

    • Certificates must be in PEM format. A certificate in another format must be converted to PEM before you import it.

Prerequisites

Procedure

  1. Log on to the CLB console.
  2. In the left-side navigation pane, choose CLB > Certificates.

  3. On the Certificates page, click Add Certificate.

  4. In the Add Certificate panel, choose Alibaba Cloud Certificates or Third-party Certificates.

Alibaba Cloud Certificates

  1. Select the certificate that you want to use from the Certificates drop-down list.

  2. Select the regions where you want to use the certificate.

    Note

    Once a certificate is added, the regions where it can be used cannot be modified, so remember to select all regions where you want to use it.

  3. Click Create.

  4. Return to the Certificates page and check the certificate list.

Third-party Certificates

  1. Configure the following parameters:

    • Certificate Type: Select the type of certificate that you want to import.

      • Server Certificate: For HTTPS one-way authentication, only the server certificate and its private key are required.

      • CA Certificate: For HTTPS mutual authentication, both the server certificate and the CA certificate are required.

    • Public Key Certificate: Paste the content of the server certificate or CA certificate into the field. The public key certificate contains the public key and the issuer's signature.

      CLB uses certificates in the format that NGINX uses (PEM), as obtained from a certificate provider. In most cases the certificate file is suffixed with .pem, and some certificates are suffixed with .crt.

      Click View Sample to view valid certificate formats. For more information, see Certificate requirements and certificate format conversion.

    • Private Key: Required only when you import a server certificate. Paste the private key of the server certificate into the field. In most cases, the private key file obtained from a certificate provider is suffixed with .key.

      Click View Sample to view valid key formats. For more information, see Certificate requirements and certificate format conversion.

    • Region: Select the regions where you want to deploy the certificate.

      Note

      You cannot use a certificate in regions where the certificate is not deployed. Once a certificate is imported, you cannot modify this parameter, so remember to select all regions where you want to use it.

  2. Click Create.

FAQs

How can I use a certificate from Certificate Management Service of another account?

Suppose that account A purchased the certificate and account B needs to use it.

Step 1: Log on to the Certificate Management Service console with account A and download the certificate in PEM format.

Step 2: Log on to the Certificate Management Service console with account B and import the certificate.

Step 3: Log on to the CLB console and add the certificate, as described in this topic.

Now you can use the certificate to create an HTTPS listener.

Do I need to upload a certificate to backend servers after I add it to CLB?

No. CLB manages the certificate, so backend servers do not need a copy of it.

How long does it take for a certificate to take effect?

After you add a certificate to CLB, it takes about 1 to 3 minutes for it to take effect.

References

To use API operations to add a certificate, refer to the following topics:
