After you create a certificate application repository, you can manage the certificates in it by calling the certificate application repository-related API operations or by using the Certificate Management Service console. For example, you can upload, apply for, revoke, and delete a certificate. You can also call the certificate application repository-related API operations to encrypt and decrypt data with certificates in a certificate application repository, or to sign electronic contracts and verify signatures.
Prerequisites
A certificate application repository is created. For more information, see Create and manage a certificate application repository.
Manage certificates in a certificate application repository by using the Certificate Management Service console
In the Certificate Management Service console, you can manage the certificates in a certificate application repository. For example, you can apply for, upload, revoke, download, and delete a certificate. You can also view the details of a certificate.
Entry point
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the Certificate Application Repository page, find and click a certificate application repository.
On the Manage Certificates page, manage certificates in the certificate application repository.
Apply for a certificate in a private certificate application repository
On the Manage Certificates page, click Apply for Certificate.
In the Apply for Certificate panel, configure the following parameters and click Confirm.
Parameter | Description |
Certificate Type | Server Certificate: A server certificate must be installed on an application server. Client Certificate: A client certificate must be installed on a client that accesses an application. |
Common Name (CN) | The common name of the private certificate holder. |
Validity Period | The validity period of the private certificate. The validity period of a private certificate depends on the service duration of Private Certificate Authority (PCA). If the service duration of PCA is less than one year, the validity period of the private certificate must be less than or equal to the service duration of PCA. For example, if the service duration of PCA that you purchase is one month, the validity period of a private certificate issued from your private intermediate CA cannot exceed 31 days. If you require a longer validity period for your private certificate, we recommend that you renew PCA to extend its service duration. For more information about renewal, see Renewal policy. If the service duration of PCA is greater than or equal to one year, the validity period of the private certificate can range from 1 to 100 years. |
SAN | The subject alternative name (SAN) attribute of the private certificate. If you need to apply the certificate to multiple entities, add the information about the other entities by using SAN attributes. You can enter a domain name or an IP address for a server certificate, and an email address or a Uniform Resource Identifier (URI) for a client certificate. You can add up to 10 SAN attributes. Note: SAN is an extension defined in the X.509 standard that SSL certificates use. An SSL certificate that uses SAN attributes can be associated with multiple domain names. A URI can uniquely identify an Alibaba Cloud resource to which a certificate belongs. For example, a URI can identify an Elastic Compute Service (ECS) instance on which a private certificate is deployed. |
More | If you want to specify the name of the private certificate and add company and department information for the private certificate, click More and configure the parameters. |
CRL Status | Specifies whether the certificate revocation list (CRL) feature was enabled when the private intermediate CA was created. For more information, see Use the CRL feature. |
Apply for a certificate in a compliant certificate application repository
On the Manage Certificates page, click Apply for Certificate.
In the Apply for Certificate panel, configure the following parameters and click Confirm.
Parameter | Description |
Common Name | Enter the name of the certificate owner. |
More Settings | If you want to specify the name of the certificate and add company and department information for the certificate, click More and configure the parameters. |
Upload a certificate to an uploaded certificate application repository
On the Manage Certificates page, click Uploaded Certificates.
In the CA Information panel, configure the following parameters and click Confirm and Enable.
Parameter | Description |
Package Name | Enter a name for the certificate that you want to upload. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-). |
Certificate File | Enter the content of the PEM-encoded certificate file of the certificate that you want to upload. You can use one of the following methods to enter the content. Method 1: Use a text editor to open the certificate file in the PEM or CRT format. Then, copy the content to the Certificate File field. Method 2: Click Upload below the Certificate File field. Then, select the certificate file from your computer to upload the content of the file. |
Certificate Key | Enter the content of the PEM-encoded private key file of the certificate that you want to upload. You can use one of the following methods to enter the content. Manually specify the content: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Certificate Key field. Upload the private key file: Click Upload below the Certificate Key field. Then, select the private key file from your computer to upload the file content to the field. Select an existing CSR: Select a certificate signing request (CSR) that was created in or uploaded to the Certificate Management Service console. The system automatically matches the CSR to the specified certificate file. For more information about how to manage CSRs, see Manage CSRs. Note: If the system reports that the certificate and the private key do not match after you upload the private key file, the private key file may contain RSA characters. Run the following command to convert the file, and then upload it again: openssl rsa -in <Original name of the private key file> -out <Custom name of the private key file> |
Upload a certificate to an uploaded CA certificate application repository
On the Manage Certificates page, click Uploaded Certificates.
In the CA Information panel, configure the following parameters and click Confirm and Enable.
Parameter | Description |
Package Name | Enter a name for the certificate authority (CA) certificate file that you want to upload. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-). |
Certificate File | Enter the content of the PEM-encoded certificate file that contains a complete certificate chain. You can use one of the following methods to enter the content. Method 1: Use a text editor to open the CA certificate file in the PEM or CRT format. Then, copy the content to this field. Method 2: Click Upload below this field. Then, select the CA file from your computer and upload the file. Note: If the certificate chain is incomplete and you select this CA certificate when you configure an HTTPS listener for an Alibaba Cloud Server Load Balancer (SLB) instance, the SLB instance fails to establish encrypted connections to clients. For more information about how to configure an HTTPS listener for an SLB instance, see Create an HTTPS listener for an ALB instance, Create a listener that uses SSL over TCP, and Create an HTTPS listener for a CLB instance. |
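The note above makes an incomplete chain a silent failure that only shows up once the listener is in use, so it is worth checking the PEM bundle before you paste or upload it. The following Python script is an added example and is not part of the Certificate Management Service documentation or its tooling. It walks each certificate's DER structure with a minimal ASN.1 reader (standard library only) and verifies that the bundle is ordered leaf, intermediate(s), root with no missing link: every certificate's issuer must equal, byte for byte, the subject of the certificate that follows it, and, by default, the last certificate must be self-signed. The three sample certificates are constructed inline with placeholder keys and signatures so the script runs offline; the function names, the byte-exact name comparison and the leaf-to-root ordering assumption are all choices made for this example.

```python
import base64

# ---- minimal DER (ASN.1) reader: just enough to walk an X.509 certificate ----

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos. Single-byte tags only,
    which covers every tag in the outer X.509 structure."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length: 0x8N followed by N bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Split the body of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out

def issuer_and_subject(der):
    """Return the raw DER bodies of (issuer, subject) from an X.509 certificate."""
    _, cert_body, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    tbs = _children(cert_body)[0][1]           # tbsCertificate is the first element
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]

def split_pem_bundle(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    ders, b64, inside = [], [], False
    for line in text.splitlines():
        s = line.strip()
        if s == "-----BEGIN CERTIFICATE-----":
            b64, inside = [], True
        elif s == "-----END CERTIFICATE-----":
            ders.append(base64.b64decode("".join(b64)))
            inside = False
        elif inside:
            b64.append(s)
    return ders

def check_chain(pem_text, require_root=True):
    """Check that a PEM bundle is ordered leaf -> intermediate(s) -> root with no gaps:
    each certificate's issuer must equal (byte for byte) the subject of the next one;
    with require_root, the last certificate must also be self-signed. Returns (ok, message)."""
    ders = split_pem_bundle(pem_text)
    if not ders:
        return False, "no CERTIFICATE blocks found"
    names = [issuer_and_subject(d) for d in ders]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            return False, f"certificate {i} is not issued by certificate {i + 1} (missing link)"
    if require_root and names[-1][0] != names[-1][1]:
        return False, "last certificate is not self-signed: the root CA is missing"
    return True, f"complete chain of {len(ders)} certificate(s)"

# ---- constructed sample input: toy certificates with placeholder keys and signatures ----

def _tlv(tag, value):
    """Encode one DER TLV (lengths up to 65535 bytes)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + value

def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }"""
    atv = _tlv(0x30, b"\x06\x03\x55\x04\x03" + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))

def toy_cert_pem(subject_cn, issuer_cn):
    """Structurally valid but unsigned X.509 v3 certificate (constructed sample data only)."""
    rsa_oid = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00"     # rsaEncryption, NULL
    sha256_rsa = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00"  # sha256WithRSAEncryption, NULL
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02")) +                        # version v3
               _tlv(0x02, b"\x01") +                                     # serialNumber
               _tlv(0x30, sha256_rsa) +                                  # signature algorithm
               _name(issuer_cn) +
               _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z")) +  # validity
               _name(subject_cn) +
               _tlv(0x30, _tlv(0x30, rsa_oid) + _tlv(0x03, b"\x00")))   # placeholder SubjectPublicKeyInfo
    cert = _tlv(0x30, tbs + _tlv(0x30, sha256_rsa) + _tlv(0x03, b"\x00"))  # placeholder signature
    body = base64.b64encode(cert).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

LEAF = toy_cert_pem("www.example.com", "Example Intermediate CA")
INTERMEDIATE = toy_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = toy_cert_pem("Example Root CA", "Example Root CA")
COMPLETE_BUNDLE = LEAF + INTERMEDIATE + ROOT
INCOMPLETE_BUNDLE = LEAF + ROOT            # intermediate omitted: the chain has a gap

if __name__ == "__main__":
    for label, bundle in (("complete", COMPLETE_BUNDLE), ("incomplete", INCOMPLETE_BUNDLE)):
        ok, msg = check_chain(bundle)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {msg}")
```

To check a real bundle, read the file into a string and pass it to check_chain; pass require_root=False if the bundle you upload intentionally stops at the intermediate CA. The reader compares the issuer and subject Name encodings byte for byte, which is how most chain builders match certificates, but it does not verify signatures or validity dates, so it complements rather than replaces a full verification with your CA tooling.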
View, download, revoke, and delete a certificate and add a private key
Scenario | Procedure |
View the details of a certificate | On the Manage Certificates page, find the certificate that you want to manage and click Details in the Actions column. You can view the details of the certificate, including Identifier, Issued On, Expire On, and Algorithm. |
Add a private key | |
Revoke a certificate | Warning: After you revoke a certificate, it cannot be restored. Proceed with caution. |
Download a certificate | On the Manage Certificates page, find the certificate that you want to download and click Download in the Actions column. |
Delete a certificate | Warning: After you delete a certificate, it cannot be restored. Proceed with caution. |
Manage certificates by calling certificate application repository-related API operations
You can call certificate application repository-related API operations to apply for, upload, revoke, and delete a certificate. You can also call the operations for signature generation, signature verification, data encryption, and data decryption. For more information, see Certificate Application Repository.
Make sure that you have sufficient API call quota before you call the following operations: Sign, Verify, Encrypt, and Decrypt. For more information, see Purchase an API call quota for certificate application repository.