Certificate Management Service:Deploy a certificate to a cloud service of Alibaba Cloud

Limits

You can deploy a certificate only to the following Alibaba Cloud services in the Certificate Management Service console: Serverless App Engine (SAE) - Gateway Routing, Microservices Engine (MSE) - Cloud-native Gateway, API Gateway, Global Accelerator (GA), Function Compute, Object Storage Service (OSS), Web Application Firewall (WAF), Application Load Balancer (ALB), Network Load Balancer (NLB), Alibaba Cloud CDN (CDN), Dynamic Content Delivery Network (DCDN), and Anti-DDoS Proxy.

If you want to deploy a certificate to other Alibaba Cloud services or if you want to deploy an SM certificate, contact your account manager or refer to the related service documentation. You can deploy SM certificates only to CDN, DCDN, and Anti-DDoS. The following table provides the references for deploying certificates on specific cloud services.

Prerequisites

• A certificate is issued. For more information, see Purchase an SSL certificate and Apply for an SSL certificate.

• The first time you deploy a certificate to a cloud service, you must enable HTTPS for the cloud service and configure the related settings in the console of the cloud service. If issues occur, contact your account manager.

  References

  Cloud service	References
  WAF	WAF 3.0: Overview WAF 2.0: Tutorial
  Server Load Balancer (SLB)	ALB: Add an HTTPS listener NLB: Add a TCP/SSL listener Note If an HTTPS listener for which mutual authentication is enabled is configured for your SLB instance, you must deploy a server certificate to the SLB instance in the Certificate Management Service console and deploy a client certificate in the SLB console. For more information about how to deploy a client certificate, see Configure end-to-end HTTPS encryption for data transfers. If Certificate 1 is deployed to an SLB instance, you can deploy Certificate 2 to the SLB instance to replace Certificate 1 by using Certificate Management Service only if the domain name bound to Certificate 2 is or contains the domain name bound to Certificate 1. For example, if you deployed Certificate 1 to which the single domain name example.com is bound to an SLB instance, you can deploy Certificate 2 to the SLB instance in the Certificate Management Service console to replace Certificate 1 only if the domain name bound to Certificate 2 is or contains example.com. The domain name bound to Certificate 2 can be example.com, www.example.com, or *.example.com.
  CDN	Add a domain name
  OSS	Host SSL certificates
  Anti-DDoS Proxy	Add one or more websites
  Function Compute	Configure a custom domain name
  GA	Accelerate HTTP websites over HTTPS Note If Certificate 1 is deployed to GA, you can deploy Certificate 2 to GA to replace Certificate 1 by using Certificate Management Service only if the domain name bound to Certificate 2 is or contains the domain name bound to Certificate 1. For example, if you deployed Certificate 1 to which the single domain name example.com is bound to GA, you can deploy Certificate 2 to GA in the Certificate Management Service console to replace Certificate 1 only if the domain name bound to Certificate 2 is or contains example.com. The domain name bound to Certificate 2 can be example.com, www.example.com, or *.example.com.
  Microservices Engine - Cloud-native Gateway	Create a domain name for a cloud-native gateway
  Serverless App Engine - Gateway Routing	Configure gateway routing for an application by using an ALB instance Configure gateway routing for an application by using a CLB instance

• If you want to deploy uploaded certificates, you must purchase a deployment quota. For more information, visit the deployment quota buy page.

  If you deploy official certificates, the deployment quota is not consumed.

Procedure

1. Log on to the Certificate Management Service console.

2. In the left-side navigation pane, choose Deployment and Resource Management > Deployment to Cloud Services.

3. On the Deployment to Cloud Services page, click Create Task and perform the following steps to deploy a certificate:

   The first time you use the deployment feature, you must complete authorization based on the instructions. After you complete authorization, you can create a deployment task.

   1. In the Configure Basic Information step, configure the following parameters and click Next.

      Parameter	Description
      Task Name	Specify a name for the deployment task.
      Contact	Select a contact to receive notifications for the deployment task. You can select up to 10 contacts.
      Deployed At	Deploy: If you select this option, the certificate is immediately deployed to the Alibaba Cloud service. Custom Time: If you select this option, you must specify the point in time at which you want the deployment task to run. The system starts the deployment task at the specified point in time.

   2. In the Select Certificate step, select one or more certificates for the cloud service and click Next.

      Parameter	Description
      Certificate Type	The type of the certificates that you want to deploy. You can deploy an official certificate or an uploaded certificate. You can select only one certificate type for a deployment task. If you deploy an uploaded certificate, the deployment quota is consumed.

   3. In the Select Resource step, select one or more cloud services and resources and click Preview and Submit.

      The system intelligently matches cloud service resources based on the selected certificates. The system does not match cloud service resources for which HTTPS is disabled. You can click OK in the Prompt message to add the matched cloud service resources to the Selected Resources section. You can change the selected cloud service resources based on your business requirements.

      

      Note

      The system automatically identifies and synchronizes the resources of all cloud services. If the required resources are not found, click Intelligently Match Cloud Service Resources above the resource list.

   4. In the Task Preview panel, confirm the information about the certificates and cloud services and click Submit.

      The panel displays the number of certificates that match the cloud services and the amount of deployment quota to be consumed.

      • If the number of certificates is 0, the certificate does not match the cloud service resources. In this case, the deployment task fails. Check the certificates that you selected.

      • The amount of deployment quota to be consumed is determined based on the number of resources that match the certificates. If the deployment task fails, the amount of deployment quota that is consumed by the deployment task is reverted.

What to do next

View the details of the deployment task

1. On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.

2. On the task details page, view the certificate deployment status of resources on each cloud service tab. If a certificate fails to be deployed to a resource, you can view the cause in the Actions column.

   If no cause is provided, contact your account manager.

Roll back the deployment task

After the deployment task is complete, you can perform the following steps to roll back the deployment task if the deployed certificates do not meet your requirements or if you want to undo the deployment for specific reasons:

1. On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.

2. On the task details page, click the related cloud service tab, find the required resource, and then click Roll Back in the Actions column.

   After the rollback is complete, the status of the deployment task changes to Rolled Back.

Delete the deployment task

On the Deployment to Cloud Services page, find the deployment task and click Delete in the Actions column. You can also select multiple deployment tasks and click Delete below the task list.

References

For more information about how to deploy a certificate to a cloud server such as an Elastic Compute Service (ECS) instance or a simple application server, see Deploy a certificate to an ECS instance or a simple application server.