
Certificate Management Service: Apply for a private certificate

Last Updated: Oct 08, 2024

This topic describes how to use a private certificate authority (CA) to issue a client certificate or a server certificate.

Prerequisites

Procedure

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Certificate Management > PCA Certificate Management. On the PCA Certificate Management page, select the region where your PCA resides.

  3. On the Private CAs tab, find the private intermediate CA that you want to use and click Apply for Certificate in the Actions column.

  4. In the Apply for Certificate panel, configure the parameters and click Confirm. The following table describes the parameters.

    After you submit a certificate application, the private certificate is immediately issued. Then, you can click Certificates in the Actions column to view the information about the private certificate.

    Parameter
        Description

    Certificate Type
        • Server Certificate: A server certificate must be installed on an application server.
        • Client Certificate: A client certificate must be installed on a client that accesses an application.

    Personal Name
        This parameter is required only if you set the Certificate Type parameter to Client Certificate.
        Specify a unique identifier for the client certificate holder.

    Common Name (CN)
        This parameter is required only if you set the Certificate Type parameter to Server Certificate.
        Specify the domain name or IP address that you want to bind to the certificate.

    Validity Period
        Specify the validity period of the private certificate. The valid values vary based on the service duration of the private intermediate CA.
        • If the service duration of the private intermediate CA is less than one year, the validity period of the private certificate must be less than or equal to the service duration of the private intermediate CA. For example, if the service duration of the private intermediate CA that you use is one month, the validity period of a private certificate that is issued from the private intermediate CA cannot exceed 31 days. If you require a longer validity period for your private certificate, we recommend that you renew the private intermediate CA to extend its service duration. For more information about renewal, see Renewal policy.
        • If the service duration of the private intermediate CA is greater than or equal to one year, the validity period of the private certificate can range from 1 to 100 years.

    SAN
        Specify the subject alternative name (SAN) attribute of the private certificate.
        • If you want to apply the certificate to multiple entities, you can add the information about other entities by using SAN attributes.
        • You can enter a domain name or an IP address for a server certificate. You can enter an email address or a Uniform Resource Identifier (URI) for a client certificate.
        • You can add up to 10 SAN attributes.

        Note
        • SAN is an extension defined in the X.509 standard. An SSL certificate that uses SAN attributes can be associated with multiple domain names.
        • A URI can uniquely identify an Alibaba Cloud resource to which a certificate belongs. For example, a URI can identify an Elastic Compute Service (ECS) instance to which a private certificate is deployed.

    More
        If you want to specify the name of the private certificate and add company and department information for the private certificate, click More and configure the related parameters.

    Include CRL Address
        By default, the certificate revocation list (CRL) feature is enabled. For more information, see Use the CRL feature.
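The constraints in the parameter table above can be checked before an application is submitted. The following is an added example, not code from the Certificate Management Service or its documentation: the function names are hypothetical, durations are given in days with one year counted as 365 days, and the host name and URI patterns are simplified assumptions. It calls no service API.

```python
import ipaddress
import re

MAX_SANS = 10  # limit from the parameter table
# SAN kinds the table allows for each certificate type
ALLOWED = {"server": {"dns", "ip"}, "client": {"email", "uri"}}
# Assumption: simplified host name pattern (dot-separated letter/digit/hyphen labels)
DNS_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Assumption: a URI is recognised by a "scheme://" prefix
URI_RE = re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.I)


def san_kind(value):
    """Classify one entry as ip, uri, email, dns or unknown."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if URI_RE.match(value):
        return "uri"
    local, at, domain = value.partition("@")
    if at and local and DNS_RE.match(domain):
        return "email"
    return "dns" if DNS_RE.match(value) else "unknown"


def check_request(cert_type, subject, sans, validity_days, ca_service_days):
    """Return a list of problems; an empty list means the request fits the table."""
    if cert_type not in ALLOWED:
        return [f"unknown certificate type {cert_type!r}"]
    problems = []
    if not subject:
        name = "Common Name (CN)" if cert_type == "server" else "Personal Name"
        problems.append(f"{name} is required for a {cert_type} certificate")
    elif cert_type == "server" and san_kind(subject) not in ALLOWED["server"]:
        problems.append(f"CN {subject!r} is not a domain name or IP address")
    if len(sans) > MAX_SANS:
        problems.append(f"{len(sans)} SAN attributes given, limit is {MAX_SANS}")
    for san in sans:
        kind = san_kind(san)
        if kind not in ALLOWED[cert_type]:
            problems.append(f"SAN {san!r} ({kind}) not allowed on a {cert_type} certificate")
    # Assumption: one year is counted as 365 days
    if ca_service_days < 365:
        if not 0 < validity_days <= ca_service_days:
            problems.append("validity period must be 1 day up to the CA service duration")
    elif not 365 <= validity_days <= 100 * 365:
        problems.append("validity period must be between 1 and 100 years")
    return problems
```

An empty list means the request is consistent with the table; each string in a non-empty list names one field to correct before you click Confirm.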

What to do next

After a private certificate is issued, you can download the private certificate to your computer and install the private certificate on a client or a server. For more information, see Download a private certificate.