Deploy certificates to Alibaba Cloud services - - Alibaba Cloud Documentation Center

After an SSL certificate is issued, you can deploy the certificate to Alibaba Cloud services by using Certificate Management Service. The certificate can provide trusted identity authentication and security data transmission for your website. This topic describes how to deploy a certificate to Alibaba Cloud services in the Certificate Management Service console.

Background information

You can deploy a paid certificate that is issued to supported Alibaba Cloud services in the Certificate Management Service console. Then, you can use the certificate in a quick manner.

Alibaba Cloud services to which certificates can be deployed in the Certificate Management Service console

You can deploy certificates to the following Alibaba Cloud services in the Certificate Management Service console: Web Application Firewall (WAF), Application Load Balancer (ALB), and Network Load Balancer (NLB).

Note

If issues occur when you deploy certificates, contact your account manager.

Alibaba Cloud services to which certificates cannot be deployed in the Certificate Management Service console

If your Alibaba Cloud service is not included in the following table or you need to deploy an SM certificate, contact your account manager of the service or refer to the documentation of the service.
The following table provides the references of deploying certificates on some cloud services.
Note
The following Alibaba Cloud services support SM certificates: CDN, DCDN, and Anti-DDoS.

Prerequisites

A certificate is issued. For more information, see Purchase an SSL certificate and Apply for an SSL certificate.
The Alibaba Cloud service to which you want to deploy the certificate is activated, and certificate-related settings such as HTTPS are configured in the console of the service. If you have questions, contact your account manager of the service.
References
Cloud service
Reference
WAF
WAF 3.0: Overview of website configuration
WAF 2.0: Tutorial
NLB
Create a listener that uses SSL over TCP
ALB
Add an HTTPS listener

Procedure

Log on to the Certificate Management Service console.
In the left-side navigation pane, click SSL Certificates.
On the Manage Certificates tab, select Issued from the status drop-down list above the certificate list, find the certificate that you want to deploy, and then click Deploy in the Actions column.
The first time you deploy a certificate, the system prompts you that you do not have the permissions to deploy the certificate. Click OK to go to the Resource Access Management (RAM) console and authorize Certificate Management Service to access your cloud service.
Optional. If the system prompts you that the private key does not exist, perform the following steps to upload the private key:
Note
A possible cause is that you selected Select Existing CSR for CSR Generation but Certificate Management Service does not match the private key of the certificate signing request (CSR) because the CSR is generated by using a third-party tool. You must upload the private key of a certificate before you can deploy the certificate to an Alibaba Cloud service.
1. On the SSL Certificates page, find the certificate that you want to deploy, click the icon, and then click Upload Private Key in the Actions column.
2. In the Upload Private Key dialog box, enter the content of the private key file. Then, click OK.
  You can use one of the following methods to enter the content. Method 1: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Private Key Content field. Method 2: Click Upload below the Private Key Content field. Then, select the private key file from your computer to upload the content of the file.
In the Resources section, select your cloud service and the region where the cloud service resides. In the Actions column, click Deploy.
Important
When you deploy a certificate, Certificate Management Service automatically identifies cloud service resources that meet the specified conditions and pulls the resources, which requires approximately 5 to 20 minutes.
- If your domain name list remains empty after a period of time, check whether the domain name bound to the certificate is configured in the cloud services.
- Resources pulled by Certificate Management Service may differ from the actual resources of the cloud services due to various reasons, such as different cloud service versions, network environments, cache latency, and certificate matching rules. The resources displayed in the consoles of the cloud services shall prevail. If the resources are not all displayed, go to the consoles of the cloud services to deploy the certificate.
If the issue persists, contact your account manager.
You can perform the following operations to deploy a certificate to multiple domain names and cloud services at a time: Select multiple domain names or cloud services in the right-side Pending Deployment Resources panel and click Deploy All.
After the certificate is deployed, you can go to the Manage Certificates tab to view the cloud services to which the certificate is deployed in the Deployed column.
Note
After the deployment is complete, you may need to wait a few minutes for the certificate to take effect due to network latency. If the issue persists, contact your account manager.

Cloud service	Reference
WAF	WAF 3.0: Overview of website configuration WAF 2.0: Tutorial
NLB	Create a listener that uses SSL over TCP
ALB	Add an HTTPS listener