After you create and enable a private certificate authority (CA) in the Certificate Management Service console, you can apply for private certificates from a private intermediate CA of the private CA. The private certificates can be used for application identity authentication and data encryption and decryption within your enterprise. This topic describes how to configure private certificates.
Background information
Only private intermediate CAs can issue private certificates. Private certificates are end-entity certificates, including server certificates and client certificates. A server and a client can communicate with mutual trust only after a server certificate is installed on the server, a client certificate is installed on the client, and each side trusts the private CA chain (root CA and intermediate CA) that issued the other side's certificate.
Initial configuration
If this is the first time that you configure a private certificate, perform the following steps:
Prerequisites
A private CA is purchased and enabled. For more information, see Purchase and enable a private CA.
Purchase a private certificate
If the default quota for private certificates that is provided by a private root CA cannot meet your business requirements, you can purchase an additional quota for private certificates for the private root CA. The additional quota applies to all private intermediate CAs of the private root CA.
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose . On the PCA Certificate Management page, select the region where your PCA resides.
On the Private CAs tab, find the required private root CA and click Purchase Certificate in the Actions column.
In the Purchase Certificate panel, enter the quota for the private certificates that you want to purchase. Then, click Purchase to complete the payment.
Note: If the quota for private certificates that you purchase for a private root CA exceeds a specific threshold, you are not charged for the excess certificates. For more information about the threshold, contact your account manager.
Assign the quota for private certificates
Only private intermediate CAs can issue private certificates. Private root CAs cannot issue private certificates. Before you apply for a private certificate from a private intermediate CA, you must assign the quota of the private root CA to the private intermediate CA. The quota can be assigned only when the private root CA and the private intermediate CA meet the following conditions:
The private root CA and the private intermediate CA are in the Enabled state.
The remaining quota of the private root CA is not 0.
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose . On the PCA Certificate Management page, select the region where your PCA resides.
On the Private CAs tab, find the required private root CA and click Assign Certificate in the Remaining Certificate Quota column.
In the Assign Certificate panel, select the private intermediate CA to which you want to assign the quota, configure the Remaining Certificate Quota parameter, and then click OK.
Apply for a private certificate
You can apply for a private certificate from a private intermediate CA only if the value of the Remaining Certificate Quota parameter of the private intermediate CA is not 0.
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose . On the PCA Certificate Management page, select the region where your PCA resides.
On the Private CAs tab, find the required private intermediate CA and click Apply for Certificate in the Actions column.
In the Apply for Certificate panel, configure the parameters and click Confirm.
The private certificate is immediately issued after the certificate application is submitted. After the private certificate is issued, you can view the details of the private certificate on the Certificates page. To go to the page, find the private intermediate CA and click Certificates in the Actions column.
Parameter | Description |
--- | --- |
Certificate Type | Server Certificate: a server certificate is installed on an application server and identifies the server to its clients. Client Certificate: a client certificate is installed on a client that accesses an application and identifies the client to the server. |
Common Name (CN) | The common name of the private certificate holder. |
Validity Period | The validity period of the private certificate. The allowed range depends on the service duration of Private Certificate Authority (PCA). If the service duration of PCA is less than one year, the validity period must be less than or equal to the service duration of PCA. For example, if you purchase PCA for one month, a private certificate issued by your private intermediate CA cannot be valid for more than 31 days; if you need a longer validity period, renew PCA to extend its service duration (see Renewal policy). If the service duration of PCA is one year or longer, the validity period can range from 1 to 100 years. Whatever the range allows, a private certificate stops validating once its issuing intermediate CA expires, so keep its validity period within the lifetime of that CA. |
SAN | The subject alternative name (SAN) attribute of the private certificate. If the certificate must apply to multiple entities, add the other entities as SAN attributes. For a server certificate, enter a domain name or an IP address; for a client certificate, enter an email address or a Uniform Resource Identifier (URI). You can add up to 10 SAN attributes. Note: SAN is an extension defined in the X.509 certificate standard (RFC 5280). A certificate that carries SAN attributes can be associated with multiple names, and a relying party matches the name it expects against the SAN list. A URI can uniquely identify an Alibaba Cloud resource to which a certificate belongs; for example, a URI can identify the Elastic Compute Service (ECS) instance on which a private certificate is deployed. |
More | If you want to specify the name of the private certificate and add company and department information, click More and configure the parameters. |
CRL Status | The certificate revocation list (CRL) feature is enabled by default. For more information, see Use the CRL feature. |
Download a private certificate
After a private certificate is issued from a private intermediate CA, you can download the private certificate and deliver the private certificate to a specified user for installation and use.
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose . On the PCA Certificate Management page, select the region where your PCA resides.
On the Private CAs tab, find the required private intermediate CA and click Certificates in the Actions column.
On the Certificates page, find the private certificate that you want to download and click Download in the Actions column.
In the Download Certificate dialog box, select a certificate format and click Confirm and Download.
Install a private certificate
After you download a private certificate, install a server certificate on the application server and install a client certificate on the client, for example by importing it into a browser or into the key store of the client application. Because a private CA is not publicly trusted, the certificate of the private root CA must also be added to the trust store of every server and client that is expected to accept these certificates. The operations to install a server certificate are the same as the operations to install a certificate that is purchased by using Certificate Management Service. For more information, see Installation overview.
Revoke a private certificate
If you no longer require a private certificate, you can revoke the private certificate in the Certificate Management Service console before the private certificate expires.
Private certificates that are revoked or deleted are no longer trusted by the internal environments of enterprises and cannot be restored or re-enabled. Proceed with caution. Revocation takes effect only for relying parties that check the CRL: a client that never downloads the CRL continues to accept the certificate until it expires.
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose . On the PCA Certificate Management page, select the region where your PCA resides.
On the Private CAs tab, find the required private intermediate CA and click Certificates in the Actions column.
On the Certificates page, find the private certificate that you want to revoke and click Revoke in the Actions column.
In the Confirmation message, click Revoke.
The private certificate is immediately revoked. After the value in the Status column of the private certificate changes to Revoked, you can delete the private certificate from the list of private certificates.
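The following Go program is an added example, not code from this page or from Alibaba Cloud. It builds, with the Go standard library only, a constructed hierarchy that mirrors the one described under Apply for a private certificate (a root CA that signs only CAs, an intermediate CA with path length 0 that issues end-entity certificates, a server certificate with domain name and IP address SANs, and a client certificate with email address and URI SANs), verifies each certificate the way a relying party would, and then issues and checks a CRL the way Revoke a private certificate requires. Every name, address, URI, serial number and validity period is invented, the CA keys exist only in memory, and the client certificate is deliberately issued to outlive the intermediate CA to show why a leaf's validity should stay inside its issuer's lifetime.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// Chain is a constructed three-tier hierarchy mirroring the PCA model on this page: a private root CA that
// signs only CAs, a private intermediate CA that issues end-entity certificates, and one server and one
// client certificate issued by that intermediate. Every name, address and URI below is made up.
type Chain struct {
	Root, Inter, Server, Client *x509.Certificate
	InterKey                    *ecdsa.PrivateKey // the intermediate also signs its own CRL
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a fresh P-256 key for tmpl and has signer sign it on behalf of parent (self-signed if parent is nil).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildChain starts every validity period at now. The client certificate is deliberately given a validity
// that outlives the intermediate CA, to show that a leaf stops validating once its issuing CA expires.
func BuildChain(now time.Time) *Chain {
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), KeyUsage: caUsage, IsCA: true, BasicConstraintsValid: true, MaxPathLen: 1}, nil, nil)
	inter, interKey := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Private Intermediate CA"},
		NotBefore: now, NotAfter: now.AddDate(5, 0, 0), KeyUsage: caUsage, IsCA: true, BasicConstraintsValid: true,
		MaxPathLen: 0, MaxPathLenZero: true}, root, rootKey) // pathlen 0: may issue end-entity certificates only
	server, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "app.corp.example"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // server certificate: domain name and IP address SANs
		DNSNames: []string{"app.corp.example"}, IPAddresses: []net.IP{net.ParseIP("10.0.0.5")}}, inter, interKey)
	svcURI, _ := url.Parse("spiffe://corp.example/svc/billing") // hypothetical workload identity URI
	client, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(1002), Subject: pkix.Name{CommonName: "billing-client"},
		NotBefore: now, NotAfter: now.AddDate(6, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature, // one year past the intermediate
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // client certificate: email address and URI SANs
		EmailAddresses: []string{"billing@corp.example"}, URIs: []*url.URL{svcURI}}, inter, interKey)
	return &Chain{Root: root, Inter: inter, Server: server, Client: client, InterKey: interKey}
}

// Verify is the relying-party side: trust only the private root, supply the intermediate, require the extended
// key usage matching the certificate's role and, when host is non-empty, match it against the SANs.
func Verify(ch *Chain, c *x509.Certificate, eku x509.ExtKeyUsage, host string, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ch.Root)
	inters.AddCert(ch.Inter)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// IssueCRL returns a DER CRL, signed by the intermediate, that lists one serial number as revoked.
func IssueCRL(ch *Chain, now time.Time, revoked *big.Int) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: now}},
	}, ch.Inter, ch.InterKey)
}

// IsRevoked authenticates the CRL against the issuing intermediate before trusting its contents and fails
// closed: an unverifiable or stale CRL is an error, never "not revoked".
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err == nil && now.After(crl.NextUpdate) {
		err = fmt.Errorf("CRL is stale (NextUpdate %s)", crl.NextUpdate)
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ch := BuildChain(time.Now())
	fmt.Println("server chain error:", Verify(ch, ch.Server, x509.ExtKeyUsageServerAuth, "app.corp.example", time.Now()))
}
```

Run it with `go run` on Go 1.19 or later (ParseRevocationList and CheckSignatureFrom on a CRL were added in 1.19). The RevokedCertificates field is the older name for the CRL entries; Go 1.21 renamed it to RevokedCertificateEntries but still honours the old field, so the program compiles on both. Two behaviours are worth noting for the console procedures above: Verify rejects the client certificate the moment the intermediate CA expires even though the leaf's own NotAfter is a year later, which is why the validity period you choose should stay within the CA's lifetime; and IsRevoked refuses to answer when the CRL signature does not verify or the CRL is past NextUpdate, which is the behaviour a relying party needs for the revocation in the console to mean anything.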