You can use the certificate signing request (CSR) generator that is provided by Certificate Management Service to generate CSRs and private key files based on the Rivest-Shamir-Adleman (RSA), elliptic-curve cryptography (ECC), or SM2 algorithm. You can also upload existing CSRs to Certificate Management Service for centralized management. The SM2 algorithm is developed and approved by the State Cryptography Administration of China. When you apply for a certificate, you can use an existing CSR.
Create a CSR
Log on to the Certificate Management Service console.
On the Manage CSRs tab, click Create CSR.
In the CSR Generator panel, configure the following parameters and click OK.
Parameter
Description
CSR Name
Enter a name for the CSR.
You can enter letters, digits, underscores (_), hyphens (-), and periods (.). The name can be up to 50 characters in length.
Domains
Enter the domain name for which you want to apply for a certificate.
ImportantWe recommend that you enter only one domain name. If you want to apply for the same certificate for multiple domain names, you can enter one domain name in this field and enter other domain names in the SANs field.
If you want to use the CSR to apply for a certificate, the value of Domains to Bind that you specify when you apply for the certificate must contain the domain name that you specify for this parameter.
For example, if you set Domains to
aliyundoc.com
, the value of Domains to Bind that you specify when you apply for a certificate must containaliyundoc.com
.SANs
Enter other domain names that share the same certificate with the domain name specified by Domains. If you enter multiple domain names, separate them with commas (,).
For example, if you want to apply for a certificate for the domain names
www.aliyundoc.com
,example.aliyundoc.com
, andtest.aliyundoc.com
, you can set Domains towww.aliyundoc.com
, and set SANs toexample.aliyundoc.com,test.aliyundoc.com
.Contact
Specify the contact for the certificate that you want to apply for. The information includes the name and phone number of a contact.
If you have not created a contact, you can click Create Contact to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Manage contacts.
Company
Specify the company profile for the certificate that you want to apply for. The information includes the name and phone number of a company.
If you have not created a company profile, you can click Create Company Profile to create one. Certificate Management Service saves the created company profile for you to use next time. For more information about how to create a company profile, see Create a company profile.
Encryption Algorithm
Select the type of the key algorithm that you want to use. Valid values:
RSA: The RSA algorithm is an asymmetric algorithm that is widely used and provides high compatibility.
ECC: The ECC algorithm is a public key encryption algorithm based on elliptic curves. Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers.
SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. The SM2 algorithm is used to replace the RSA algorithm in Chinese commercial cryptography systems.
Encryption Strength
Select the encryption strength that you want to use.
If you set Encryption Algorithm to RSA, you can select 2048, 3072, or 4096.
If you set Encryption Algorithm to ECC, you can select p256, p384, or p512.
If you set Encryption Algorithm to SM2, the value is fixed as 256.
After you complete the preceding operations, you can view the created CSR in the CSR list.
When you apply for a certificate, you can set CSR Generation to Select Existing CSR and select a CSR from the drop-down list. For more information, see Required information for certificate application.
Upload a CSR
If you want to use a CSR that is not created in the Certificate Management Service console when you apply for a certificate, you can upload existing CSRs in advance. This also helps you manage your CSRs in a centralized manner.
Log on to the Certificate Management Service console.
On the Manage CSRs tab, click Upload CSR.
In the Upload CSR panel, configure the following parameters and click OK.
Parameter
Description
CSR Name
Enter a name for the CSR.
You can enter letters, digits, underscores (_), and hyphens (-). The name can be up to 50 characters in length.
CSR File
Enter the content of the CSR file.
You can use one of the following methods to enter the content. Method 1: Use a text editor to open the CSR file. Then, copy the content to the CSR File field. Method 2: Click Upload below the CSR File field. Then, select the CSR file from your computer to upload the content of the file.
Private Key Content
Enter the content of the PEM-encoded private key file.
You can use one of the following methods to enter the content. Method 1: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Private Key Content field. Method 2: Click Upload below the Private Key Content field. Then, select the private key file from your computer to upload the content of the file.
After you complete the preceding operations, you can view the uploaded CSR in the CSR list.
When you apply for a certificate, you can set CSR Generation to Select Existing CSR and select a CSR from the drop-down list.
Obtain the content and private key of a CSR
You can view the details about a CSR to obtain the content and private key of a created or uploaded CSR.
Log on to the Certificate Management Service console.
On the Manage CSRs tab, find the CSR whose details you want to view and click Details in the Actions column.
In the Details panel, click View CSR Content and Private Key.
In the Note message, click OK.
You can view the content and private key of the CSR in the lower part of the Details panel. You can also click Copy to copy the content or private key.
Delete a CSR
If you no longer require a CSR, you can delete it.
If you use a CSR when you apply for a certificate and the certificate is not issued, do not delete the CSR. Otherwise, the certificate may fail to be issued. The CSR cannot be restored after it is deleted. Proceed with caution.
Log on to the Certificate Management Service console.
On the Manage CSRs tab, find the CSR that you want to delete and click Delete in the Actions column.
In the Confirmation message, click Confirm.