Download an SSL certificate to your computer - Certificate Management Service

Different types of servers support different formats of SSL certificates. To facilitate certificate installation, Certificate Management Service provides certificate packages that are suitable for servers such as NGINX, Spring Boot, Apache Tomcat, Apache HTTPD, and Internet Information Services (IIS) servers. You can download and use the packages without the need to convert the formats of certificates.

Prerequisites

A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates.

Important

For data security purposes, you are not allowed to download the third-party certificates that you uploaded to Certificate Management Service.
If you do not know the type of your server, you must query the server type. For more information, see How do I view the type of a server?

Procedure

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Manage Certificates > SSL Certificate Management.
On the Official Certificate tab, find the certificate that you want to download and click Download in the Actions column.
The download operations for different types of certificates are the same. In this topic, an official certificate is used as an example.
Note
The Download button appears in the Actions column only when the certificate is in the Issued, Pending Expiration, or Expired state.

In the Download Certificate panel, find the required server type and click Download in the Actions column.

Certificate Management Service automatically converts the certificate into different formats that are suitable for different types of servers and compresses the certificate into packages. After you download the certificate package, you must extract the certificate-related files from the package. The following table describes the files that can be extracted from certificates.

Note

If the format of the downloaded certificate is not supported by your server, you can convert the certificate to the required format by using a tool. For more information about how to convert certificate formats, see Convert the format of a certificate.
In most cases, a downloaded certificate package includes an intermediate certificate. If the intermediate certificate is untrusted when you install the certificate, contact your account manager.

Certificate type	Server type	Certificate format	Extracted certificate file
Certificates that use internationally accepted algorithms	NGINX	PEM, which is a Base64-encoded format. You can directly view the content of a PEM certificate. In most cases, PEM certificates are used by applications or servers such as NGINX servers.	domain name.pem: a certificate file. domain name.key: a private key file.
	Tomcat	PFX, which is a binary format and is also known as PKCS#12. A PFX certificate contains a public key and a private key. In most cases, PFX certificates are used by servers such as Tomcat, IIS, and Exchange servers.	domain name.pfx: a certificate file in the PFX format. pfx-password.txt: a password file. Note If you do not set the CSR Generation parameter to Automatic when you apply for a certificate, the certificate package that you download does not include the TXT password file.
	Apache	CRT, which is a binary format. A CRT certificate contains a certificate file and the related metadata, including the issuer information, validity period, and subject. A CRT certificate does not contain a private key. In most cases, CRT certificates are used by Apache servers.	domain name_public.crt: a certificate file. domain name_chain.crt: a certificate chain file. domain name.key: a private key file.
	IIS	PFX, which is a binary format and is also known as PKCS#12. A PFX certificate contains a public key and a private key. In most cases, PFX certificates are used by servers such as Tomcat, IIS, and Exchange servers.	domain name.pfx: a certificate file. pfx-password.txt: a password file.
	JKS	JKS, which is a keystore format dedicated to Java. In most cases, JKS certificates are used by Java-based applications and services, such as Tomcat and Jetty servers.	A JKS certificate package contains the following files: domain name.jks: a certificate file. jks-password.txt: a password file.
	Other	PEM, which is a Base64-encoded format. You can directly view the content of a PEM certificate. If the certificate format that you require is not displayed, you can select this server type.	A PEM certificate is installed on a server of other types. A PEM certificate package contains the following files: domain name.pem: a certificate file in the PEM format. domain name.key: a private key file.
	Download Root Certificate	CRT or CER. You must download and install root certificates on clients such as apps and IoT terminals because root certificates are not preconfigured in the clients. You can obtain the root certificate for a certificate brand based on the product documentation. For more information, see Download a root certificate.	N/A.
SM2 certificates	All servers	PEM.	In most cases, SM2 certificates are in the PEM format. Therefore, the files extracted from the certificate packages for different server types are the same. A certificate package contains the following files: domain name_sm2_sign.pem and domain name_sm2_sign.key: a signature certificate and a private key. domain name_sm2_enc.pem and domain name_sm2_enc.key: an encryption certificate and a private key.

What to do next

After you download a certificate to your computer, you can install the certificate on your web application server to implement HTTPS-encrypted communication. For more information about how to install a certificate on a web application server, see Install an SSL certificate on a web application server.