Certificate Management Service: Deploy a certificate to a cloud service of Alibaba Cloud

Last Updated: Oct 14, 2024

After an SSL certificate is issued, you can create a certificate deployment task to deploy the certificate to an Alibaba Cloud service immediately or at a specific point in time. Once deployed, the certificate provides trusted identity authentication and secures data transmission for your business website. This topic describes how to deploy a certificate to an Alibaba Cloud service in the Certificate Management Service console.

Limits

You can deploy a certificate only to the following Alibaba Cloud services in the Certificate Management Service console: Serverless App Engine (SAE) - Gateway Routing, Microservices Engine (MSE) - Cloud-native Gateway, API Gateway, Global Accelerator (GA), Function Compute, Object Storage Service (OSS), Web Application Firewall (WAF), Application Load Balancer (ALB), Network Load Balancer (NLB), Alibaba Cloud CDN (CDN), Dynamic Content Delivery Network (DCDN), and Anti-DDoS Proxy.

If you want to deploy a certificate to other Alibaba Cloud services or if you want to deploy an SM certificate, contact your account manager or refer to the related service documentation. You can deploy SM certificates only to CDN, DCDN, and Anti-DDoS. The following table provides the references for deploying certificates on specific cloud services.

| Cloud service | References |
| --- | --- |
| CDN | SetCdnDomainSMCertificate |
| DCDN | Enable SM for HTTPS |
| Anti-DDoS | Upload an SSL certificate |

Note

If issues occur when you deploy certificates, contact your account manager.

Prerequisites

  • A certificate is issued. For more information, see Purchase an SSL certificate and Apply for an SSL certificate.

  • The first time you deploy a certificate to a cloud service, you must enable HTTPS for the cloud service and configure the related settings in the console of the cloud service. If issues occur, contact your account manager.

    References

    | Cloud service | References |
    | --- | --- |
    | WAF |  |
    | Server Load Balancer (SLB) |  |
    | CDN | Add a domain name |
    | OSS | Host SSL certificates |
    | Anti-DDoS Proxy | Add one or more websites |
    | Function Compute | Configure a custom domain name |
    | GA | Accelerate HTTP websites over HTTPS |
    | Microservices Engine - Cloud-native Gateway | Create a domain name for a cloud-native gateway |
    | Serverless App Engine - Gateway Routing |  |

    Note (SLB)
    • If an HTTPS listener for which mutual authentication is enabled is configured for your SLB instance, you must deploy a server certificate to the SLB instance in the Certificate Management Service console and deploy a client certificate in the SLB console. For more information about how to deploy a client certificate, see Configure end-to-end HTTPS encryption for data transfers.

    • If Certificate 1 is deployed to an SLB instance, you can deploy Certificate 2 to the SLB instance to replace Certificate 1 by using Certificate Management Service only if the domain name bound to Certificate 2 is or contains the domain name bound to Certificate 1.

      For example, if you deployed Certificate 1 to which the single domain name example.com is bound to an SLB instance, you can deploy Certificate 2 to the SLB instance in the Certificate Management Service console to replace Certificate 1 only if the domain name bound to Certificate 2 is or contains example.com. The domain name bound to Certificate 2 can be example.com, www.example.com, or *.example.com.

    Note (GA)

    If Certificate 1 is deployed to GA, you can deploy Certificate 2 to GA to replace Certificate 1 by using Certificate Management Service only if the domain name bound to Certificate 2 is or contains the domain name bound to Certificate 1. For example, if you deployed Certificate 1 to which the single domain name example.com is bound to GA, you can deploy Certificate 2 to GA in the Certificate Management Service console to replace Certificate 1 only if the domain name bound to Certificate 2 is or contains example.com. The domain name bound to Certificate 2 can be example.com, www.example.com, or *.example.com.

  • If you want to deploy uploaded certificates, you must purchase a deployment quota. For more information, visit the deployment quota buy page.

    If you deploy official certificates, the deployment quota is not consumed.
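The SLB and GA replacement notes above allow Certificate 2 to carry www.example.com or *.example.com in place of example.com, yet under standard TLS hostname matching neither of those names validates for example.com itself. The following pre-flight check is an added example, not Alibaba Cloud code: reading "is or contains" as a domain-suffix match is an assumption drawn from the example names in those notes, and the function names and sample hostnames are constructed.

```python
# Added example: pre-flight check before replacing a deployed certificate.
# replacement_allowed() encodes an ASSUMED reading of the page's
# "is or contains" rule; covers() is standard TLS wildcard matching.

def replacement_allowed(old_name: str, new_name: str) -> bool:
    """Assumed page rule: new name equals the old one or ends with '.<old name>'."""
    old = old_name.lower().rstrip(".")
    new = new_name.lower().rstrip(".")
    return new == old or new.endswith("." + old)


def covers(cert_name: str, host: str) -> bool:
    """TLS match: '*' is valid only as the whole leftmost label and
    stands for exactly one label, so *.example.com != example.com."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return host_labels[0] != "" and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def uncovered_hosts(served_hosts, new_cert_names):
    """Hostnames served by the resource that no name on the new certificate matches."""
    return [h for h in served_hosts
            if not any(covers(n, h) for n in new_cert_names)]


if __name__ == "__main__":
    served = ["example.com"]  # constructed: hostname served with Certificate 1
    for candidate in ("example.com", "www.example.com", "*.example.com"):
        verdict = "allowed" if replacement_allowed("example.com", candidate) else "rejected"
        print(candidate, verdict, "uncovered:", uncovered_hosts(served, [candidate]))
```

Run it with the hostnames your listener actually serves and the names on the replacement certificate; a non-empty result means clients requesting those hostnames will get a name-mismatch error after the replacement.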

Procedure

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Deployment and Resource Management > Deployment to Cloud Services.

  3. On the Deployment to Cloud Services page, click Create Task and perform the following steps to deploy a certificate:

    The first time you use the deployment feature, you must complete authorization based on the instructions. After you complete authorization, you can create a deployment task.

    1. In the Configure Basic Information step, configure the following parameters and click Next.

      | Parameter | Description |
      | --- | --- |
      | Task Name | Specify a name for the deployment task. |
      | Contact | Select a contact to receive notifications for the deployment task. You can select up to 10 contacts. |
      | Deployed At | • Deploy: If you select this option, the certificate is immediately deployed to the Alibaba Cloud service. • Custom Time: If you select this option, you must specify the point in time at which you want the deployment task to run. The system starts the deployment task at the specified point in time. |

    2. In the Select Certificate step, select one or more certificates for the cloud service and click Next.

      | Parameter | Description |
      | --- | --- |
      | Certificate Type | The type of the certificates that you want to deploy. You can deploy an official certificate or an uploaded certificate. • You can select only one certificate type for a deployment task. • If you deploy an uploaded certificate, the deployment quota is consumed. |

    3. In the Select Resource step, select one or more cloud services and resources and click Preview and Submit.

      The system intelligently matches cloud service resources based on the selected certificates. The system does not match cloud service resources for which HTTPS is disabled. You can click OK in the Prompt message to add the matched cloud service resources to the Selected Resources section. You can change the selected cloud service resources based on your business requirements.

      Note

      The system automatically identifies and synchronizes the resources of all cloud services. If the required resources are not found, click Intelligently Match Cloud Service Resources above the resource list.

    4. In the Task Preview panel, confirm the information about the certificates and cloud services and click Submit.

      The panel displays the number of certificates that match the cloud services and the amount of deployment quota to be consumed.

      • If the number of certificates is 0, the certificate does not match the cloud service resources. In this case, the deployment task fails. Check the certificates that you selected.

      • The amount of deployment quota to be consumed is determined based on the number of resources that match the certificates. If the deployment task fails, the amount of deployment quota that is consumed by the deployment task is reverted.

What to do next

View the details of the deployment task

  1. On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.

  2. On the task details page, view the certificate deployment status of resources on each cloud service tab. If a certificate fails to be deployed to a resource, you can view the cause in the Actions column.

    If no cause is provided, contact your account manager.

Roll back the deployment task

After the deployment task is complete, you can perform the following steps to roll back the deployment task if the deployed certificates do not meet your requirements or if you want to undo the deployment for specific reasons:

  1. On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.

  2. On the task details page, click the related cloud service tab, find the required resource, and then click Roll Back in the Actions column.

    After the rollback is complete, the status of the deployment task changes to Rolled Back.

Delete the deployment task

Warning

After you delete a deployment task, it cannot be restored. Proceed with caution.

On the Deployment to Cloud Services page, find the deployment task and click Delete in the Actions column. You can also select multiple deployment tasks and click Delete below the task list.

References

For more information about how to deploy a certificate to a cloud server such as an Elastic Compute Service (ECS) instance or a simple application server, see Deploy a certificate to an ECS instance or a simple application server.