Certificate Management Service supports Private Certificate Authority (PCA). PCA allows you to create a private certificate authority (CA) for your enterprise at low cost, so that you do not need to build or maintain your own public key infrastructure (PKI). This topic describes how to purchase and enable a private CA.
Background information
In a private CA, a private root CA can include one or more private intermediate CAs. Only private intermediate CAs can issue private certificates, including server certificates and client certificates.
If you are creating a private CA for the first time, you must first purchase a private root CA. Purchasing a private root CA provides both a private root CA and one private intermediate CA. By default, the private root CA provides a quota that allows the private intermediate CA to issue 10 private certificates. You can create more private intermediate CAs for an existing private root CA based on the organizational structure of your enterprise. For example, you can create private intermediate CAs for different departments of your enterprise. You can also purchase a quota for private certificates and assign the quota to private intermediate CAs so that they can issue more private certificates.
Step 1: Purchase a private root CA
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the Private CAs tab, click Purchase Private Root CA.
On the buy page, configure Certificate Algorithm and Subscription Duration, click Buy Now, and then complete the payment.
Certificate Algorithm: the key algorithm that the private CA uses when it issues certificates. Valid values: RSA, Chinese Cryptographic Algorithm (SM), and ECC.
Subscription Duration: the subscription duration of the private CA. You can use a private CA to issue private certificates within the subscription duration of the private CA.
Important: After the private CA expires, you can no longer use the private CA to issue private certificates even if the quota for private certificates is not exhausted.
The validity period of private certificates that are issued by using a private CA cannot exceed the subscription duration of the private CA. For example, if you set Subscription Duration to 1 Month, the validity period of private certificates that are issued by using the private CA cannot exceed 30 days.
Step 2: Enable the private CA
After you purchase a private root CA, you need to enable the private root CA and private intermediate CAs in sequence. You can enable a private intermediate CA that is subordinate to a private root CA only after the private root CA is enabled.
Enable the private root CA
On the Private CAs tab, find the private root CA that you want to enable and click Enable in the Actions column.
In the CA Information panel, configure the parameters and click Confirm and Enable.
Certificate Management Service allows you to enable a CA by using the following methods: Create CA Certificate and Upload CA Certificate and Private Key. The parameters that you need to configure vary based on the selected method. The following tables describe the parameters.
If you set Enable Mode to Create CA Certificate, configure the following parameters.
Enable Mode: Select Create CA Certificate.
Common Name (CN): Enter the common name or abbreviation of the organization that you want to associate with the private root CA. Both Chinese and English are supported. Example: Alibaba Cloud
Organizational Unit (OU): Enter the name of the organizational unit that you want to associate with the private root CA. Both Chinese and English are supported. Example: IT department
Organization (O): Enter the name of the organization that you want to associate with the private root CA. Both Chinese and English are supported. Example: Alibaba Cloud Computing Co., Ltd.
City (L): Enter the city where the organization is located. Both Chinese and English are supported. Example: Hangzhou
Province (S): Enter the province where the organization is located. Both Chinese and English are supported. Example: Zhejiang
Country/Region (C): Select the country or region where the organization is located. Both Chinese and English are supported.
Private Key Algorithm: Select the private key algorithm of the private root CA. The supported algorithms depend on the value of Certificate Algorithm that you selected when you purchased the private root CA.
If you set Certificate Algorithm to RSA, the following private key algorithms are supported: RSA_1024, RSA_2048, and RSA_4096.
If you set Certificate Algorithm to Chinese Cryptographic Algorithm (SM), the private key algorithm SM2_256 is supported.
If you set Certificate Algorithm to ECC, the following private key algorithms are supported: ECC_256, ECC_384, and ECC_512.
Validity Period: Select the validity period of the private root CA, for example, five years. The private CA can be used to issue private certificates within the selected period. The validity period that you can select depends on the value of Subscription Duration that you specified when you purchased the private CA.
If the specified subscription duration is less than one year, the supported validity period of the private root CA ranges from 1 to 20 years.
If the specified subscription duration is greater than or equal to one year, the supported validity period of the private root CA ranges from 1 to 100 years.
Note: If the subscription of your private CA expires, the private intermediate CAs of the private root CA can no longer issue private certificates, even if the private root CA certificate is still within its validity period. To continue using the private CA to issue private certificates, you must renew the private CA.
Enable CRL Service: Specify whether to enable the certificate revocation list (CRL) feature. If you enable the CRL feature for the private root CA, you can view information about the revoked certificates that are issued from a private intermediate CA of the private root CA. For more information, see Use the CRL feature.
If you set Enable Mode to Upload CA Certificate and Private Key, configure the following parameters.
Enable Mode: Select Upload CA Certificate and Private Key.
Certificate File: Enter the content of the PEM-encoded CA certificate file. You can use one of the following methods to enter the content.
Method 1: Use a text editor to open the CA certificate file in the PEM or CRT format. Then, copy the content to the Certificate File field.
Method 2: Click Upload below the Certificate File field. Then, select the CA certificate file from your computer to upload the content of the file.
Certificate Key: Enter the content of the PEM-encoded private key file. You can use one of the following methods to enter the content.
Method 1: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Private Key Content field.
Method 2: Click Upload below the Private Key Content field. Then, select the private key file from your computer to upload the content of the file.
In the Tip message, confirm the information and click OK.
After you enable the private root CA, the value in the Status column for the private root CA changes to Enabled. If you want to modify the information about the private root CA, you can reset the private root CA. For more information, see Reset a private CA.
Enable a private intermediate CA
On the Private CAs tab, find the private root CA to which the private intermediate CA is subordinate, and click the icon next to the name of the private root CA.
Find the private intermediate CA and click Enable in the Actions column.
In the CA Information panel, configure the parameters and click Confirm and Enable.
Certificate Management Service allows you to enable a CA by using the following methods: Create CA Certificate and Upload CA Certificate and Private Key. The parameters that you need to configure vary based on the selected method.
If you set Enable Mode to Create CA Certificate, configure the following parameters.
Enable Mode: Select Create CA Certificate.
CA Usage: Select the usage of the private intermediate CA. Valid values: Intermediate CA and User CA.
Intermediate CA: The private intermediate CA can be used to issue subordinate CAs.
User CA: The private intermediate CA can be used to issue user certificates, including server certificates and client certificates.
Length Limit: Specify the maximum number of CA levels that can be chained below the private intermediate CA. This parameter is required only if you set CA Usage to Intermediate CA. Valid values: 1 to 5.
Important: If you set Length Limit to 1, the private intermediate CA can issue only user CAs.
Common Name (CN): Enter the common name or abbreviation of the organization that you want to associate with the private intermediate CA. Both Chinese and English are supported. Example: Alibaba Cloud
Organizational Unit (OU): Enter the name of the organizational unit that you want to associate with the private intermediate CA. Both Chinese and English are supported. Example: IT department
Organization (O): Enter the name of the organization that you want to associate with the private intermediate CA. Both Chinese and English are supported. Example: Alibaba Cloud Computing Co., Ltd.
City (L): Enter the city where the organization is located. Both Chinese and English are supported. Example: Hangzhou
Province (S): Enter the province where the organization is located. Both Chinese and English are supported. Example: Zhejiang
Country/Region (C): Select the country or region where the organization is located. Both Chinese and English are supported. Example: China
Private Key Algorithm: Select the private key algorithm of the private intermediate CA. The supported algorithms depend on the value of Certificate Algorithm that you selected when you purchased the private intermediate CA.
If you set Certificate Algorithm to RSA, the following private key algorithms are supported: RSA_1024, RSA_2048, and RSA_4096.
If you set Certificate Algorithm to Chinese Cryptographic Algorithm (SM), the private key algorithm SM2_256 is supported.
If you set Certificate Algorithm to ECC, the following private key algorithms are supported: ECC_256, ECC_384, and ECC_512.
Validity Period: Select the validity period of the private intermediate CA. The validity period that you can select depends on the value of Subscription Duration that you specified when you purchased the private CA.
If the specified subscription duration is less than one year, the supported validity period of the private intermediate CA ranges from 1 to 20 years.
If the specified subscription duration is greater than or equal to one year, the supported validity period of the private intermediate CA ranges from 1 to 100 years.
Enable CRL Service: Specify whether to enable the CRL feature. If you enable the CRL feature for the private root CA, you can view information about the revoked certificates that are issued from the private intermediate CA. For more information, see Use the CRL feature.
Extended Key Usage: Select an extended key usage (EKU), which identifies the purposes for which the issued certificates can be used.
If you set Enable Mode to Upload CA Certificate and Private Key, configure the following parameters.
Enable Mode: Select Upload CA Certificate and Private Key.
Certificate File: Enter the content of the PEM-encoded CA certificate file. You can use one of the following methods to enter the content.
Method 1: Use a text editor to open the CA certificate file in the PEM or CRT format. Then, copy the content to the Certificate File field.
Method 2: Click Upload below the Certificate File field. Then, select the CA certificate file from your computer to upload the content of the file.
Certificate Key: Enter the content of the PEM-encoded private key file. You can use one of the following methods to enter the content.
Method 1: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Private Key Content field.
Method 2: Click Upload below the Private Key Content field. Then, select the private key file from your computer to upload the content of the file.
In the Tip message, confirm the information and click OK.
After you enable the private intermediate CA, the value in the Status column for the private intermediate CA changes to Enabled. If you want to modify the information about the private intermediate CA, you can reset the private intermediate CA. For more information, see Reset a private CA.
Step 3: (Optional) Purchase a private intermediate CA
If you want to use multiple private intermediate CAs, you can purchase multiple private intermediate CAs for an existing private root CA. By default, a newly purchased private intermediate CA does not provide a quota for private certificates.
On the Private CAs tab, find the private root CA for which you want to purchase a private intermediate CA and click Create Private Intermediate CA in the Actions column.
On the page that appears, configure the parameters.
Important: The private key algorithm of the private intermediate CA is consistent with the private key algorithm of the private root CA and cannot be changed.
Click Buy Now. On the page that appears, read and select Terms of Service, click Pay, and then complete the payment.
After you complete the payment, you can view the newly purchased private intermediate CA on the Private Certificates page in the Certificate Management Service console. By default, a newly purchased private intermediate CA is in the Disabled state. Before you use the private intermediate CA to issue certificates, you must enable the private intermediate CA.
What to do next
After you purchase and enable a private CA, you can configure private certificates. For more information, see Manage private certificates.