All Products
Search
Document Center

Certificate Management Service:Manage CSRs

Last Updated:Aug 02, 2024

You can use the certificate signing request (CSR) generator that is provided by Certificate Management Service to generate CSRs and private key files based on the Rivest-Shamir-Adleman (RSA), elliptic-curve cryptography (ECC), or SM2 algorithm. You can also upload existing CSRs to Certificate Management Service for centralized management. The SM2 algorithm is developed and approved by the State Cryptography Administration of China. When you apply for a certificate, you can use an existing CSR.

Create a CSR

  1. Log on to the Certificate Management Service console.

  2. On the Manage CSRs tab, click Create CSR.

  3. In the CSR Generator panel, configure the following parameters and click OK.

    Parameter

    Description

    CSR Name

    Enter a name for the CSR.

    You can enter letters, digits, underscores (_), hyphens (-), and periods (.). The name can be up to 50 characters in length.

    Domains

    Enter the domain name for which you want to apply for a certificate.

    Important

    We recommend that you enter only one domain name. If you want to apply for the same certificate for multiple domain names, you can enter one domain name in this field and enter other domain names in the SANs field.

    If you want to use the CSR to apply for a certificate, the value of Domains to Bind that you specify when you apply for the certificate must contain the domain name that you specify for this parameter.

    For example, if you set Domains to aliyundoc.com, the value of Domains to Bind that you specify when you apply for a certificate must contain aliyundoc.com.

    SANs

    Enter other domain names that share the same certificate with the domain name specified by Domains. If you enter multiple domain names, separate them with commas (,).

    For example, if you want to apply for a certificate for the domain names www.aliyundoc.com, example.aliyundoc.com, and test.aliyundoc.com, you can set Domains to www.aliyundoc.com, and set SANs to example.aliyundoc.com,test.aliyundoc.com.

    Contact

    Specify the contact for the certificate that you want to apply for. The information includes the name and phone number of a contact.

    If you have not created a contact, you can click Create Contact to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Manage contacts.

    Company

    Specify the company profile for the certificate that you want to apply for. The information includes the name and phone number of a company.

    If you have not created a company profile, you can click Create Company Profile to create one. Certificate Management Service saves the created company profile for you to use next time. For more information about how to create a company profile, see Create a company profile.

    Encryption Algorithm

    Select the type of the key algorithm that you want to use. Valid values:

    • RSA: The RSA algorithm is an asymmetric algorithm that is widely used and provides high compatibility.

    • ECC: The ECC algorithm is a public key encryption algorithm based on elliptic curves. Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers.

    • SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. The SM2 algorithm is used to replace the RSA algorithm in Chinese commercial cryptography systems.

    Encryption Strength

    Select the encryption strength that you want to use.

    If you set Encryption Algorithm to RSA, you can select 2048, 3072, or 4096.

    If you set Encryption Algorithm to ECC, you can select p256, p384, or p512.

    If you set Encryption Algorithm to SM2, the value is fixed as 256.

    After you complete the preceding operations, you can view the created CSR in the CSR list.

    When you apply for a certificate, you can set CSR Generation to Select Existing CSR and select a CSR from the drop-down list. For more information, see Required information for certificate application.

Upload a CSR

If you want to use a CSR that is not created in the Certificate Management Service console when you apply for a certificate, you can upload existing CSRs in advance. This also helps you manage your CSRs in a centralized manner.

  1. Log on to the Certificate Management Service console.

  2. On the Manage CSRs tab, click Upload CSR.

  3. In the Upload CSR panel, configure the following parameters and click OK.

    Parameter

    Description

    CSR Name

    Enter a name for the CSR.

    You can enter letters, digits, underscores (_), and hyphens (-). The name can be up to 50 characters in length.

    CSR File

    Enter the content of the CSR file.

    You can use one of the following methods to enter the content. Method 1: Use a text editor to open the CSR file. Then, copy the content to the CSR File field. Method 2: Click Upload below the CSR File field. Then, select the CSR file from your computer to upload the content of the file.

    Private Key Content

    Enter the content of the PEM-encoded private key file.

    You can use one of the following methods to enter the content. Method 1: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Private Key Content field. Method 2: Click Upload below the Private Key Content field. Then, select the private key file from your computer to upload the content of the file.

    After you complete the preceding operations, you can view the uploaded CSR in the CSR list.

    When you apply for a certificate, you can set CSR Generation to Select Existing CSR and select a CSR from the drop-down list.

Obtain the content and private key of a CSR

You can view the details about a CSR to obtain the content and private key of a created or uploaded CSR.

  1. Log on to the Certificate Management Service console.

  2. On the Manage CSRs tab, find the CSR whose details you want to view and click Details in the Actions column.

  3. In the Details panel, click View CSR Content and Private Key.

  4. In the Note message, click OK.

    You can view the content and private key of the CSR in the lower part of the Details panel. You can also click Copy to copy the content or private key.

Delete a CSR

If you no longer require a CSR, you can delete it.

Important

If you use a CSR when you apply for a certificate and the certificate is not issued, do not delete the CSR. Otherwise, the certificate may fail to be issued. The CSR cannot be restored after it is deleted. Proceed with caution.

  1. Log on to the Certificate Management Service console.

  2. On the Manage CSRs tab, find the CSR that you want to delete and click Delete in the Actions column.

  3. In the Confirmation message, click Confirm.