When configuring an HTTPS listener, you can use a certificate from the SSL Certificate Service or upload the necessary third-party server and CA certificates to CLB to secure data transmission.
CLB supports certificates obtained from two sources:
- Alibaba Cloud SSL Certificate Service: Choose a certificate from Alibaba Cloud SSL Certificate Service to get certificate expiration reminders and one-click renewal (client CA certificates are not yet supported).
- Third-party issued certificates: Upload your public key certificate and private key files. Both HTTPS server certificates and client CA certificates are supported.
Certificate description
To add an HTTPS listener, upload a server certificate or a CA certificate. The following table compares the two certificate types:
Certificate | Description | Required for one-way authentication | Required for mutual authentication
--- | --- | --- | ---
Server Certificate | Used to authenticate the identity of a server. The client (for example, a browser) checks whether the certificate sent by the server was issued by a trusted certificate authority. For more information, see What is an SSL Certificate. | Yes. The server certificate must be uploaded to the certificate management system of Server Load Balancer. | Yes. The server certificate must be uploaded to the certificate management system of Server Load Balancer.
CA Certificate | The server uses the CA certificate to verify the signature on the client certificate. If verification fails, the connection is rejected. For more information, see Generate a CA Certificate. Note: A client certificate is used to authenticate the identity of the client when it communicates with the server. The client certificate needs to be installed only on the client. | No | Yes. The CA certificate must be uploaded to the certificate management system of Server Load Balancer.
Notes
Before creating a certificate, consider the following:
Prerequisites
- To use a certificate from the SSL Certificate Service, log on to the SSL Certificates console and purchase a certificate or upload a third-party certificate. For more information about the SSL Certificate Service, see What is an SSL Certificate.
- Before uploading a third-party certificate, ensure that the following requirements are met:
  - A server certificate has been purchased.
  - A CA certificate and a client certificate have been generated. For more information, see Generate a CA Certificate.
Select an Alibaba Cloud issued certificate
- Log on to the CLB console.
- In the left-side navigation pane, select .
- On the Certificate Management page, click Create Certificate.
- In the Create Certificate panel, choose Alibaba Cloud Issued Certificate, select the desired SSL certificate from the list, and choose the region in which to deploy the certificate.
  Certificates cannot be used across regions. To use a certificate in multiple regions, select all the regions where you want to use it.
- Click Create. Return to the Certificate Management page to view the certificate you created.
Upload a third-party issued certificate
- Log on to the CLB console.
- In the left-side navigation pane, select .
- On the Certificates page, click Add Certificate.
- In the Add Certificate panel, select Upload A Third-party Issued Certificate, fill in the required information, and then click Create.
Configuration | Description
--- | ---
Certificate Type | Select the type of certificate that you want to upload. Server Certificate: configures HTTPS one-way authentication; you only need to upload the server certificate and its private key. CA Certificate: configures HTTPS mutual authentication; in addition to the server certificate, you also need to upload the CA certificate.
Public Key Certificate | Paste the content of the server certificate or CA certificate into the field. The public key certificate contains the public key and the signature. CLB uses certificates in the Nginx format. Certificate files obtained from the certificate provider are usually suffixed with .pem, but may also be suffixed with .crt or another extension. Click View Sample to view the correct certificate format. For more information, see Certificate Requirements.
Private Key | Paste the content of the private key of the server certificate into the field. Private key files obtained from the certificate provider in the Nginx format are usually suffixed with .key. Click View Sample to view the correct key format. For more information, see Private Key Format Requirements. Important: A private key is required only when you upload a server certificate.
Region | Select the region in which to deploy the certificate. A certificate cannot be used in a region where it is not deployed. To use the certificate in multiple regions, select all the regions where you want to use it.
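The script below is an added example, not part of the CLB documentation or console: it uses openssl to check the PEM files described in the table before they are pasted into the Add Certificate panel (that the certificate and key parse, that the private key belongs to the server certificate, that the certificate is not about to expire, and, for mutual authentication, that the CA certificate verifies the client certificate). All CA, server and client material is constructed on the fly as throwaway test data; the file names and subject names are assumptions.

```shell
#!/bin/sh
# Added example, not CLB's own tooling: pre-upload checks for the PEM files the
# Add Certificate panel expects. All key/certificate material is constructed
# below as throwaway test data; file and subject names are assumptions.
set -u
WORK=$(mktemp -d)

# Does openssl parse the file as a PEM certificate (.pem or .crt)?
is_pem_cert() { openssl x509 -noout -in "$1" 2>/dev/null; }

# Does openssl parse the file as a PEM private key (RSA, EC or PKCS#8, .key)?
is_pem_key() { openssl pkey -noout -in "$1" 2>/dev/null; }

# Does the private key belong to the server certificate? Both must parse, and
# the public key derived from the key must equal the one in the certificate.
key_matches_cert() {
  is_pem_cert "$1" && is_pem_key "$2" &&
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Will the certificate still be valid in N days (renewal-reminder threshold)?
valid_for_days() { openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; }

# Does the CA certificate verify the given certificate? For mutual
# authentication this is the check the server applies to the client certificate.
signed_by_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Constructed test material: a CA plus a server and a client certificate it signed.
gen() {  # gen <name> <subject> <days>  -> $WORK/<name>.key and $WORK/<name>.crt
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days "$3" 2>/dev/null
}
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/CN=Constructed Test CA" -days 365 2>/dev/null
gen server "/CN=www.example.test" 365
gen client "/CN=client-01" 365

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }  # never aborts
report is_pem_cert      "$WORK/server.crt"
report is_pem_key       "$WORK/server.key"
report key_matches_cert "$WORK/server.crt" "$WORK/server.key"
report key_matches_cert "$WORK/server.crt" "$WORK/ca.key"   # FAIL: key of another cert
report valid_for_days   "$WORK/server.crt" 30
report signed_by_ca     "$WORK/ca.crt" "$WORK/server.crt"
report signed_by_ca     "$WORK/ca.crt" "$WORK/client.crt"
```

Run the same functions against your real .pem/.crt and .key files (and, for mutual authentication, against the CA certificate and a client certificate) to catch a mismatched key or an expiring certificate before the upload.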