All Products
Search
Document Center

Certificate Management Service:Deploy a certificate to a cloud service of Alibaba Cloud in the Certificate Management Service console

Last Updated:Jan 23, 2025

You can create a deployment task in the Certificate Management Service console to deploy a single SSL certificate to a cloud service or deploy multiple SSL certificates to multiple cloud services at a time. You can specify the point in time at which you want a deployment task to run. The system starts the deployment task at the specified point in time. This topic describes the supported Alibaba Cloud services, applicable scenarios, and deployment process.

Note

If you encounter issues when you deploy a certificate, contact your account manager.

Supported cloud services and application scenarios

Important

The following list describes the scenarios of deployment tasks:

  • Deploy a certificate for the first time: You can perform the related operations in the Certificate Management Service console when you deploy a certificate for the first time.

  • Update an existing certificate: You can update a certificate that is already deployed in the Certificate Management Service console.

Category

Service

Deployment task scenario

Certificate configuration scenario

References

Serverless

Serverless App Engine - Gateway Routing

Update an existing certificate

Configure HTTPS for gateway routing in Application Load Balancer (ALB) and Classic Load Balancer (CLB)

For more information, see the following topics:

Function Compute

Update an existing certificate

Configure HTTP functions

For more information about how to deploy a certificate for the first time, see Configure a custom domain name.

Middleware

Microservices Engine (MSE) - Cloud-native Gateway

Update an existing certificate

Configure cloud-native gateway routing

For more information about how to deploy a certificate for the first time, see Create a domain name.

API Gateway

Update an existing certificate

Configure API access over HTTPS domain names

For more information about how to deploy a certificate for the first time, see Call APIs through an HTTPS domain name.

Networking and CDN

Global Accelerator (GA)

Update an existing certificate

Configure access acceleration by using HTTPS domain names

For more information, see the following topics:

Update an existing certificate

Configure an HTTPS listener to forward HTTPS requests by using a server certificate

Note

You must deploy a client certificate in the Server Load Balancer (SLB) console. For more information about how to deploy a client certificate, see Configure end-to-end HTTPS encryption for data transfers.

For more information, see the following topics:

Alibaba Cloud CDN (CDN)

  • Deploy a certificate for the first time

  • Update an existing certificate

Configure HTTPS secure acceleration

For more information about how to deploy a certificate in the CDN console, see Configure an SSL certificate.

Dynamic Content Delivery Network (DCDN)

  • Deploy a certificate for the first time

  • Update an existing certificate

Configure HTTPS secure acceleration

For more information about how to deploy a certificate in the DCDN console, see Configure an SSL certificate.

Storage

Object Storage Service (OSS)

Update an existing certificate

Configure OSS access over HTTPS

Note

If you want to map a CDN-accelerated domain name to your OSS bucket, you must replace the existing certificate in the Alibaba Cloud CDN console.

For more information about how to deploy a certificate for the first time, see Host a certificate for a custom domain name.

Security

Web Application Firewall (WAF)

Update an existing certificate

Add web services to WAF in CNAME record mode

For more information, see the following topics:

Anti-DDoS

Update an existing certificate

Add domain names to Anti-DDoS

For more information about how to deploy a certificate for the first time, see Upload an SSL certificate.

AI & Machine Learning

Platform for AI (PAI)

Update an existing certificate

Elastic Algorithm Service (EAS): Use a custom domain name for the dedicated gateway

For more information about how to deploy a certificate for the first time, see Use a custom domain name for the dedicated gateway.

Note

If you want to deploy a certificate to other Alibaba Cloud services or if you want to deploy an SM certificate, contact your account manager or refer to the related service documentation. You can deploy SM certificates only to CDN, DCDN, and Anti-DDoS. The following list provides references for deploying certificates to specific cloud services:

Prerequisites

  • A certificate is purchased and issued. For more information, see Purchase a quota for SSL certificates and Step 1: Create an SSL certificate.

    Important
    • For more information about how to use third-party service providers or other Alibaba Cloud accounts to obtain issued certificates, see Upload and share an SSL certificate.

      • If you deploy an uploaded certificate, the deployment quota is consumed. You can purchase the deployment quota on the buy page.

      • The amount of deployment quota to be consumed is determined based on the number of resources that match your uploaded certificate. If the deployment task fails, the amount of deployment quota that is consumed by the deployment task is recovered.

    • Certificates that are shared among different Alibaba Cloud accounts can be deployed free of charge. The deployment quota is not consumed. The accounts must belong to the same individual or enterprise user who has passed real-name verification.

  • The name of an issued certificate does not contain Chinese characters. The following figure shows a certificate whose name contains Chinese characters.

    image

  • You can update an existing certificate for SLB or GA by using a deployment task only if the domain name bound to the new certificate is the same as or includes the domain name bound to the existing certificate.

    For example, if you deployed Certificate 1 to which the single domain name example.com is bound to a GA instance, you can deploy Certificate 2 to the instance to replace Certificate 1 by using a deployment task only if the domain name bound to Certificate 2 is or includes example.com. Otherwise, the deployment task fails. The domain name bound to Certificate 2 can be example.com, www.example.com, or *.example.com.

Procedure

Deploy a single certificate to an Alibaba Cloud service

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.

  3. On the SSL Certificate Management page, click the required tab, find your certificate, and then click Deploy in the Actions column.

  4. On the Create Task page, select one or more cloud services and resources in the Select Resource step and click Preview and Submit.

    • The system intelligently matches cloud service resources for which certificates are already configured based on your certificate. You can click OK in the Prompt message to add the matched cloud service resources to the Selected Resources section. You can also adjust the added cloud service resources based on your business requirements.

      image

    • The system automatically identifies and synchronizes the resources of all cloud services. If you cannot find the required resources, perform the following operations:

      • In the Total Resources section, check whether the resources are synchronized. If the resources are being synchronized, the Synchronize Cloud Resources button is displayed in gray. Wait until the resources are synchronized. The time required for resource synchronization varies based on the number of resources within your cloud services.

        image

      • If you cannot find the required resources after the synchronization is complete, check whether the prerequisites for first deployment are met. For more information, see First-time deployment.

  5. In the Task Preview panel, confirm the information about the certificate and cloud service resources and click Submit.

    The preview panel displays the number of certificates that match the cloud service resources and the amount of deployment quota to be consumed. If the number of certificates is 0, no cloud service resources match your certificate. In this case, the deployment task fails. Check the certificate that you selected.

Deploy multiple certificates to multiple Alibaba Cloud services at a time

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Deployment and Resource Management > Deployment to Cloud Services.

  3. On the Deployment to Cloud Services page, click Create Task. Then, perform the following steps to deploy multiple certificates:

    1. In the Configure Basic Information step, configure the following parameters and click Next.

      Parameter

      Description

      Task Name

      Specify a name for the deployment task.

      Contact

      Select a contact to receive notifications for the deployment task. You can select up to 10 contacts.

      Deployed At

      • Deploy: If you select this option, your certificates are immediately deployed to the Alibaba Cloud services.

      • Custom Time: If you select this option, you must specify the point in time at which you want the deployment task to run. The system starts the deployment task at the specified point in time.

    2. In the Select Certificate step, select the required certificates for your cloud service resources and click Next.

      You can select official certificates or uploaded certificates. You can select certificates of only one certificate type for a single deployment task.

    3. In the Select Resource step, select cloud services and resources and click Preview and Submit.

      Note

      You cannot create a deployment task to associate multiple server certificates with a single SLB listener.

      • The system intelligently matches cloud service resources for which certificates are already configured based on your certificates. You can click OK in the Prompt message to add the matched cloud service resources to the Selected Resources section. You can also adjust the added cloud service resources based on your business requirements.

        image

      • The system automatically identifies and synchronizes the resources of all cloud services. If you cannot find the required resources, perform the following operations:

        • In the Total Resources section, check whether the resources are synchronized. If the resources are being synchronized, the Synchronize Cloud Resources button is displayed in gray, as shown in the following figure. Wait until the resources are synchronized. The time required for resource synchronization varies based on the number of resources within your cloud services.

          image

        • If you cannot find the required resources after the synchronization, check whether the prerequisites for first deployment are met. For more information, see First-time deployment.

    4. In the Task Preview panel, confirm the information about the certificates and cloud services and click Submit.

      The preview panel displays the number of certificates that match the cloud service resources and the amount of deployment quota to be consumed. If the number of certificates is 0, no cloud service resources match your certificates. In this case, the deployment task fails. Check the certificates that you selected.

What to do next

View the details of the deployment task

  1. On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.

  2. On the task details page, view the certificate deployment status of resources on each cloud service tab. If a certificate fails to be deployed to a resource, you can view the cause in the Actions column.

    If no cause is provided, contact your account manager.

Roll back the deployment task

After the deployment task is complete, you can perform the following steps to roll back the deployment task if the deployed certificates do not meet your requirements or if you want to undo the deployment for other reasons:

  1. On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.

  2. On the task details page, click the related cloud service tab, find the required resource, and then click Roll Back in the Actions column.

    After the rollback is complete, the status of the deployment task changes to Rolled Back.

Delete the deployment task

Warning

After you delete a deployment task, it cannot be restored. Proceed with caution.

On the Deployment to Cloud Services page, find the deployment task and click Delete in the Actions column. You can also select multiple deployment tasks and click Delete below the task list.