Get started with official certificates - Certificate Management Service

Official certificates include various types and brands of certificates for different types of websites, such as personal websites, e-commerce websites, and websites of small- and large-sized enterprises. Official certificates also include wildcard, multi-domain, and hybrid certificates to meet different business requirements, such as protecting multiple subdomains or different domain names. This topic describes how to purchase, apply for, issue, and install an official certificate. In this example, an official certificate is deployed to Alibaba Cloud CDN.

Prerequisites

If you want to deploy the website on which your certificate is installed to a server located in the Chinese mainland, you must complete an Internet Content Provider (ICP) filing for the domain name bound to the certificate as required by the Ministry of Industry and Information Technology (MIIT). Otherwise, the website cannot be accessed as expected. For more information, see What is an ICP filing?

Step 1: Purchase an official SSL certificate

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.

On the Official Certificate tab, click Buy Now. On the buy page, configure the following parameters and click Buy Now to complete the payment.

Parameter	Description
Certificate Type	Select Single Domain. You can bind a primary domain name, a subdomain, or a public IPv4 address to a certificate. Examples: example.com and 1.1.X.X.
Brand	Select Alibaba Cloud. Alibaba Cloud certificates are more cost-effective than other certificate brands.
Certificate Specifications	The default value is DV SSL. Domain validated (DV) certificates are suitable for personal websites used for app services, information display, enterprise testing, and personal testing.
Quantity	The value is 1 by default and cannot be changed. This parameter specifies the number of SSL certificates.
Service Duration	Select 1 Year. In this case, one certificate whose validity period is one year is provided.

Note

For more information, see Purchase an official certificate.

Step 2: Create and apply for a certificate

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
On the Official Certificate tab, click Create Certificate.

In the Create Certificate panel, configure the parameters and click OK. The following table describes the parameters.

After you complete the configuration, the certificate application is reviewed. You need to only wait for the certificate to be issued. In most cases, a DV certificate is issued within 1 to 15 minutes. The following figure shows an issued DV certificate.

Parameter	Description
Certificate Type	Select Single Domain.
Certificate Specifications	Select Alibaba DV Single Domain.
Domain Name	Enter the domain name of your website. Example: example.com.
Validity Period (Years)	The validity period of the certificate. Default value: 1.
Quick Issue	Select the check box. Then, configure the following parameters: Domain Verification Method: In this example, example.com is resolved by using Alibaba Cloud DNS, which is activated within the current account. Therefore, the system automatically selects Automatic DNS Verification. After you complete the purchase, the system automatically verifies the ownership of the domain name. You need to only wait for the certificate to be issued. Note If Alibaba Cloud DNS is not activated within the Alibaba Cloud account of the certificate applicant, you can use one of the following methods: Manual DNS Verification: You must log on to the system of your DNS service provider. Then, you must add a TXT record for the domain name to the DNS list of the system. The TXT record must be the same as the DNS record that is provided in the Certificate Management Service console. File Verification: You must create a specific file on the web application server of the domain name. Then, Alibaba Cloud verifies the ownership of the domain name. For more information about the verification methods, see Step 3: Verify the ownership of a domain name. Contact: Click Create Contact in the drop-down list to create a contact for the certificate application. You can also select an existing contact. Make sure that your contact information is accurate and valid. Location: Select the city or region of the certificate applicant. Encryption Algorithm: Select RSA. This parameter specifies the encryption algorithm used by the certificate. Rivest-Shamir-Adleman (RSA) is an asymmetric algorithm that is widely used in the world and provides high compatibility. CSR Generation: Select Automatic. In this case, Certificate Management Service uses the selected encryption algorithm to generate a Certificate Signing Request (CSR) file. A CSR file is the request file that contains the server and company information of the certificate applicant. When you apply for a certificate, you must prepare a CSR file for the certificate authority (CA) to review.

Note

For more information about how to create and apply for a certificate, see Step 1: Create a certificate and Step 2: Apply for a certificate.

Step 3: Install the certificate

Install the certificate on a web application server

In this section, an NGINX 1.14.2 server that runs a 64-bit CentOS 8.0 operating system is used as an example to illustrate the installation. Installation operations vary based on the versions of servers and operating systems. If you have questions, contact your account manager. For more information about how to install a certificate on another web application server, such as an Apache, Tomcat, or IIS server, see Manually install an SSL certificate on a web application server.

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
On the Official Certificate tab, find the certificate that you want to manage and click More in the Actions column. On the page that appears, click the Download tab.
Find Nginx in the Server Type column and click Download in the Actions column.

Decompress the downloaded certificate package.

The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.

Value of the CSR Generation parameter	File extracted from the certificate package
Automatic	Certificate file in the PEM format: NGINX servers support PEM files. A certificate file in the PEM format is a Base64-encoded text file that contains a complete certificate chain. The file is named in the `Certificate ID_Domain name bound to the certificate` format after decompression. Private key file in the KEY format: By default, the private key file is named in the Domain name bound to the certificate format.
Manual	If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set the CSR Generation parameter to Automatic. If you specify a CSR that is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

Log on to the NGINX server, open the CLI, and run the following commands to create a directory in the conf directory of the server to store the certificate:

# The directory is used when you manually compile and install NGINX. If you changed the default NGINX installation directory or installed NGINX by using other methods, specify the actual directory.
cd /usr/local/nginx/conf  
# Create a directory named cert.
mkdir cert

Upload the certificate file and private key file to the following directory of the NGINX server: /usr/local/nginx/conf/cert.
Note
You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Use Remote Desktop Connection or Windows App to transfer files to a Windows instance or Upload a file to a Linux instance.
Open the nginx.conf configuration file of the NGINX server and modify certificate-related settings in the file.
1. Run the following command to open the configuration file:
```
sudo vim /usr/local/nginx/conf/nginx.conf
```
  Important
  By default, the nginx.conf configuration file is stored in the /usr/local/nginx/conf directory. If you moved the nginx.conf configuration file to a different location, you can run the nginx -t command to obtain the new path to the configuration file and replace /usr/local/nginx/conf/nginx.conf with the new path.
2. Find the server configuration item in the nginx.conf configuration file.
  Note
  If the nginx.conf configuration file or the file that is referenced by the include directive does not contain the server configuration item, manually add the server configuration item.
3. Remove the # comment symbol from the beginning of each line and modify the settings based on the following sample code:
```
server {
     # Specify the default HTTPS port 443.
     # If you do not specify the default HTTPS port, the NGINX service may fail to start.
     listen 443 ssl;
     
     # Enter the domain name that is bound to the certificate.
     server_name <YOURDOMAIN>;
 
     # Enter the absolute path to the certificate file.
     ssl_certificate cert/<cert-file-name>.pem;
     # Enter the absolute path to the private key file.
     ssl_certificate_key cert/<cert-file-name>.key;
 
     ssl_session_cache shared:SSL:1m;
     ssl_session_timeout 5m;
	 
     # Specify the Transport Layer Security (TLS) protocols and custom cipher suites that you want to use. The following sample code is only for reference.
     # A later TLS version offers higher security but lower compatibility with browsers.
     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
     ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

     # A server-side cipher suite is preferentially used. The default value is on.
     ssl_prefer_server_ciphers on;
 
 
    location / {
           root html;
           index index.html index.htm;
    }
}
```
4. Optional. Configure settings to automatically redirect HTTP requests to HTTPS requests.
  If you want to redirect all HTTP requests to HTTPS requests, you can add the rewrite directive to your configuration file.
  Important
  Find the configuration item of http server in the nginx.conf configuration file, and add redirection settings.
  If you cannot find the configuration item, you can append the following redirection settings to the server {} configuration item in the nginx.conf configuration file. After you configure the redirection settings, the nginx.conf file contains two server {} configuration items.
```
server {
    listen 80;
    # Enter the domain name that is bound to the certificate.
    server_name <YOURDOMAIN>;
    # Add the rewrite directive to redirect all HTTP requests to HTTPS requests.
    rewrite ^(.*)$ https://$host$1;
    location / {
        index index.html index.htm;
    }
}
```
  The following figure shows the result after configuration.
Run the following commands to restart the NGINX service:
```
# Go to the executable directory of the NGINX service.
cd /usr/local/nginx/sbin
# Reload the configuration file.
./nginx -s reload
```
Note
- If the error the "ssl" parameter requires ngx_http_ssl_module is reported, recompile NGINX and add --with-http_ssl_module when you install NGINX.
- If the error "/cert/3970497_demo.aliyundoc.com.pem":BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/cert/3970497_demo.aliyundoc.com.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) is reported, remove the forward slash (/) that precedes the relative path to a certificate file. For example, remove the forward slash (/) that precedes the relative path /cert/cert-file-name.pem. The required relative path is cert/cert-file-name.pem.

Check whether the certificate is installed

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.

https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.

If the icon appears in the address bar of your browser, the certificate is installed.
Starting in Google Chrome 117, the icon is changed to the icon. If the icon appears after you click the icon, the certificate is installed.

Deploy the certificate to a cloud service

After the certificate is issued, you can install the certificate on your web application server or deploy the certificate to an Alibaba Cloud service. In this section, Alibaba Cloud CDN is used as an example to illustrate the deployment. For more information about how to deploy a certificate to another cloud service or to a web application server, see Deploy SSL certificates.

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
On the Official Certificate tab, find the issued certificate that you want to manage and click Deploy in the Actions column.
In the Select Resource step, click CDN and select the required resources. Then, click Preview and Submit.
The system automatically identifies and synchronizes the resources of all cloud services. If you cannot find the required resources, check whether all resources are synchronized in the Total Resources section. If resources are being synchronized, the Synchronize Cloud Resources button is displayed in gray, as shown in the following figure. Wait until the resources are synchronized. The time required for resource synchronization varies based on the number of resources within your cloud service.
In the Task Preview panel, confirm the information about the certificate and cloud service and click Submit.
The preview panel displays the number of certificates that match the cloud service and the amount of deployment quota to be consumed. If the number of certificates is 0, the certificate does not match the resources of the cloud service. In this case, the deployment task fails. Check the certificate that you selected.

Check whether the certificate is deployed

Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
In the left-side navigation tree of the domain name, click HTTPS.
View the information about the certificate, including the certificate status and the validity period. If Enabled is displayed for HTTPS Certificate, the certificate is deployed.

Note

After you deploy the certificate, you must wait for a period of time for the certificate to be synchronized to CDN before you can view the latest information about the certificate.

References

For more information about how to troubleshoot the issue that the certificate does not take effect after installation, see After I install a certificate on a website, the certificate does not take effect or the website is reported as insecure when I access the website. What do I do?
For more information about how to manually deploy a certificate to a web application server, such as NGINX and Apache, see Manually install an SSL certificate on a web application server.