Upload and share an SSL certificate

This topic describes how to upload SSL certificates that use internationally accepted algorithms or the SM2 algorithm from on-premises computers to the Certificate Management Service console for centralized management. This topic also describes how to share certificates across different Alibaba Cloud accounts free of charge.

Upload a certificate

If you use a certificate that is issued from a third-party service provider, you can upload the certificate to the Certificate Management Service console for centralized management. The certificate can use an internationally accepted algorithm or the SM2 algorithm.

Before you upload a certificate, prepare the following files:

A PEM-encoded certificate file in the PEM or CRT format and a PEM-encoded private key file in the KEY format. If your certificate is in another format, you can use a tool to convert the certificate to the required format. For more information, see Convert the format of a certificate.
A certificate file and a private key file for your signing certificate, and a certificate file and a private key file for your encryption certificate. The preceding files are required when you upload an SM2 certificate. If you do not know the algorithm of your certificate, you can view the algorithm in the certificate details. For more information, see View information about a certificate.

Note

After you upload a certificate to the Certificate Management Service console, you cannot download the certificate. This helps ensure the data security of your certificate.

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Manage Certificates > SSL Certificate Management.
On the Manage Uploaded Certificates tab, click Manage Uploaded Certificates.

In the Manage Uploaded Certificates panel, configure the parameters and click OK.

The parameters that you must configure when you set Certificate Algorithm to Internationally Accepted Algorithm are different from the parameters that you must configure when you set Certificate Algorithm to SM2 Algorithm. The following tables describe the parameters.

Internationally Accepted Algorithm

Parameter	Description

Parameter	Description
Certificate Algorithm	Select Internationally Accepted Algorithm. Internationally accepted algorithms refer to encryption algorithms that are extensively reviewed, tested, and approved by international organizations such as the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). The algorithms include Rivest-Shamir-Adleman (RSA) and elliptic curve cryptography (ECC).
Certificate Name	Enter a name for the certificate that you want to upload. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Certificate File	Enter the content of the PEM-encoded certificate file. Required content of the certificate file: If you need to only ensure that the server certificate is trusted, the certificate file must contain the server certificate (marked 1 in the following figure) and the intermediate certificate (marked 2 in the following figure). If your intermediate certificate and server certificate are separate files, you can enter the content of the intermediate certificate in the Certificate Chain field. If you need to ensure that the client certificate and the server certificate are trusted, the certificate file must contain the server certificate (marked 1 in the following figure), intermediate certificate (marked 2 in the following figure), and root certificate (marked 3 in the following figure). If your intermediate certificate, root certificate, and server certificate are separate files, you must concatenate the intermediate certificate and the root certificate in the order shown in the following figure. Then, enter the content of the concatenated file in the Certificate Chain field. Methods to enter the content: Use a text editor to open the certificate file in the PEM or CRT format. Then, copy the content to the Certificate File field. Click Upload below the Certificate File field. Then, select the certificate file from your computer to upload the content of the file.
Certificate Key	Enter the content of the PEM-encoded private key file. Required content of the private key file: RSA ECC Methods to enter the content: Manually specify the content: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Certificate Key field. Upload the private key file: Click Upload below the Certificate Key field. Then, select the private key file from your computer to upload the content of the file to the field. Select an existing CSR: You can select a certificate signing request (CSR) that is created in or uploaded to the Certificate Management Service console. The system automatically matches the CSR of the specified certificate file. For more information about how to manage CSRs, see Manage CSRs. Note If the system reports an error indicating that the certificate and private key do not match after you upload the private key file, the private key file may contain RSA characters. You can run the `openssl rsa -in <Original name of the private key file> -out <New custom name of the private key file>` command to convert the characters and re-upload the file.
Certificate Chain	Optional. Enter the content of the PEM-encoded intermediate certificate or root certificate. If the certificate file that you specify contains the complete certificate chain, you do not need to configure this parameter. Required content of the certificate chain file: Intermediate certificate or root certificate Intermediate certificate (marked 1 in the following figure) and root certificate (marked 2 in the following figure) Methods to enter the content: Use a text editor to open the certificate chain file in the PEM or CRT format. Then, copy the content to the Certificate Chain field. Click Upload below the Certificate Chain field. Then, select the certificate chain file from your computer to upload the content of the file.

SM2 Algorithm

Parameter	Description

Parameter	Description
Certificate Algorithm	Select SM2 Algorithm. This type of algorithm is released by the State Cryptography Administration (SCA) of China. Certificate Management Service supports the SM2 algorithm, which is an asymmetric cryptography algorithm.
Certificate Name	Enter a name for the certificate that you want to upload. The name can contain letters, digits, underscores (_), and hyphens (-).
Certificate File	Enter the content of the PEM-encoded certificate file of the signing certificate that you want to upload. You can use one of the following methods to enter the content. Method 1: Use a text editor to open the certificate file in the PEM or CRT format. Then, copy the content to the Certificate File field. Method 2: Click Upload below the Certificate File field. Then, select the certificate file from your computer to upload the content of the file.
Certificate Key	Enter the content of the PEM-encoded private key file of the signing certificate that you want to upload. You can use one of the following methods to enter the content. Method 1: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Certificate Key field. Method 2: Click Upload below the Certificate Key field. Then, select the private key file from your computer to upload the content of the file.
Encryption Certificate	Enter the content of the PEM-encoded certificate file of the encryption certificate that you want to upload. You can use one of the following methods to enter the content. Method 1: Use a text editor to open the certificate file in the PEM or CRT format. Then, copy the content to the Certificate File field. Method 2: Click Upload below the Certificate File field. Then, select the certificate file from your computer to upload the content of the file.
Encryption Private Key	Enter the content of the PEM-encoded private key file of the encryption certificate that you want to upload. You can use one of the following methods to enter the content. Method 1: Use a text editor to open the private key file in the KEY format. Then, copy the content to the Encryption Private Key field. Method 2: Click Upload below the Encryption Private Key field. Then, select the private key file from your computer to upload the content of the file.

After the certificate is uploaded, you can view the certificate in the certificate list. If you do not want to manage an uploaded certificate in the Certificate Management Service console, you can find the certificate and click Delete in the Actions column to delete the certificate.

Important

After a certificate is deleted, the certificate is removed from the list of uploaded certificates. The validity period of the certificate is not affected. A deleted certificate cannot be restored. Proceed with caution.

Share a certificate

If you have multiple Alibaba Cloud accounts and the accounts belong to the same individual or enterprise that passed real-name verification, you can share a certificate across the accounts. Then, you can deploy the shared certificate to Alibaba Cloud services free of charge.

Limits

You cannot share a certificate in the following scenarios:

You cannot share a certificate that is applied for by using an Alibaba Cloud account on the China site (aliyun.com) with an Alibaba Cloud account on the international site (alibabacloud.com). You cannot share a certificate that is applied for by using an Alibaba Cloud account on the international site (alibabacloud.com) with an Alibaba Cloud account on the China site (aliyun.com).
You cannot share a certificate that is shared to the current Alibaba Cloud account with another Alibaba Cloud account. For example, you have Alibaba Cloud accounts A, B, and C. After you use Account A to share a certificate with Account B, you cannot use Account B to share the certificate with Account C.
You cannot share an uploaded certificate.

Note

If you do not meet the conditions for sharing a certificate, you can download the certificate by using the current account and upload the certificate by using another account. For more information, see Download an SSL certificate and Upload a certificate.

Procedure

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Manage Certificates > SSL Certificate Management.
On the Official Certificate tab, find the issued certificate that you want to share and click More in the Actions column.
On the Share Certificate tab, set the Account ID parameter to the ID of the Alibaba Cloud account with which you want to share the certificate. Then, click Confirm and Share.
After a certificate is shared, you can log on to the Certificate Management Service console by using the Alibaba Cloud account with which the certificate is shared and go to the Manage Uploaded Certificates tab of the SSL Certificate Management page to view the certificate. The icon is displayed in the Status column of the shared certificate.

References

For more information about how to enable hosting for an uploaded certificate, see Enable hosting for a certificate.

Upload a certificate

Share a certificate

Limits

Procedure

References

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

China Gateway Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic Desktop Service (EDS) Featured

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)