You can create a deployment task in the Certificate Management Service console to deploy a single SSL certificate to a cloud service or deploy multiple SSL certificates to multiple cloud services at a time. You can specify the point in time at which you want a deployment task to run. The system starts the deployment task at the specified point in time. This topic describes the supported Alibaba Cloud services, applicable scenarios, and deployment process.
The first time you use the deployment feature, you must complete authorization based on the on-screen instructions. After you complete authorization, you can create a deployment task. For more information, see Authorize Certificate Management Service to access Alibaba Cloud resources.
For more information about how to deploy a certificate to a cloud server such as an Elastic Compute Service (ECS) instance or a simple application server, see Deploy a certificate to an Alibaba Cloud simple application server or ECS instance in the Certificate Management Service console.
If you encounter issues when you deploy a certificate, contact your account manager.
Supported cloud services and application scenarios
The following list describes the scenarios of deployment tasks:
Deploy a certificate for the first time: You can perform the related operations in the Certificate Management Service console when you deploy a certificate for the first time.
Update an existing certificate: You can update a certificate that is already deployed in the Certificate Management Service console.
Category | Service | Deployment task scenario | Certificate configuration scenario | References |
Serverless | Update an existing certificate | Configure HTTPS for gateway routing in Application Load Balancer (ALB) and Classic Load Balancer (CLB) | For more information, see the following topics: | |
Function Compute | Update an existing certificate | Configure HTTP functions | For more information about how to deploy a certificate for the first time, see Configure a custom domain name. | |
Middleware | Update an existing certificate | Configure cloud-native gateway routing | For more information about how to deploy a certificate for the first time, see Create a domain name. | |
Update an existing certificate | Configure API access over HTTPS domain names | For more information about how to deploy a certificate for the first time, see Call APIs through an HTTPS domain name. | ||
Networking and CDN | Update an existing certificate | Configure access acceleration by using HTTPS domain names | For more information, see the following topics: | |
Update an existing certificate | Configure an HTTPS listener to forward HTTPS requests by using a server certificate Note You must deploy a client certificate in the Server Load Balancer (SLB) console. For more information about how to deploy a client certificate, see Configure end-to-end HTTPS encryption for data transfers. | For more information, see the following topics: | ||
| Configure HTTPS secure acceleration | For more information about how to deploy a certificate in the CDN console, see Configure an SSL certificate. | ||
| Configure HTTPS secure acceleration | For more information about how to deploy a certificate in the DCDN console, see Configure an SSL certificate. | ||
Storage | Update an existing certificate | Configure OSS access over HTTPS Note If you want to map a CDN-accelerated domain name to your OSS bucket, you must replace the existing certificate in the Alibaba Cloud CDN console. | For more information about how to deploy a certificate for the first time, see Host a certificate for a custom domain name. | |
Security | Update an existing certificate | Add web services to WAF in CNAME record mode | For more information, see the following topics: | |
Update an existing certificate | Add domain names to Anti-DDoS | For more information about how to deploy a certificate for the first time, see Upload an SSL certificate. | ||
AI & Machine Learning | Update an existing certificate | Elastic Algorithm Service (EAS): Use a custom domain name for the dedicated gateway | For more information about how to deploy a certificate for the first time, see Use a custom domain name for the dedicated gateway. |
If you want to deploy a certificate to other Alibaba Cloud services or if you want to deploy an SM certificate, contact your account manager or refer to the related service documentation. You can deploy SM certificates only to CDN, DCDN, and Anti-DDoS. The following list provides references for deploying certificates to specific cloud services:
DCDN: Enable SM for HTTPS
Anti-DDoS: Upload an SSL certificate
Prerequisites
A certificate is purchased and issued. For more information, see Purchase a quota for SSL certificates and Step 1: Create an SSL certificate.
Important: For more information about how to use third-party service providers or other Alibaba Cloud accounts to obtain issued certificates, see Upload and share an SSL certificate.
If you deploy an uploaded certificate, the deployment quota is consumed. You can purchase the deployment quota on the buy page.
The amount of deployment quota to be consumed is determined based on the number of resources that match your uploaded certificate. If the deployment task fails, the amount of deployment quota that is consumed by the deployment task is recovered.
Certificates that are shared among different Alibaba Cloud accounts can be deployed free of charge. The deployment quota is not consumed. The accounts must belong to the same individual or enterprise user who has passed real-name verification.
The name of an issued certificate does not contain Chinese characters. The following figure shows a certificate whose name contains Chinese characters.
You can update an existing certificate for SLB or GA by using a deployment task only if the domain name bound to the new certificate is the same as or includes the domain name bound to the existing certificate.
For example, if you deployed Certificate 1, to which the single domain name example.com is bound, to a GA instance, you can deploy Certificate 2 to the instance to replace Certificate 1 by using a deployment task only if the domain name bound to Certificate 2 is or includes example.com. Otherwise, the deployment task fails. The domain name bound to Certificate 2 can be example.com, www.example.com, or *.example.com.
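A pre-deployment check for the coverage rule above, as an added example that is not part of the Alibaba Cloud documentation or tooling. It assumes you already have the domain names bound to each certificate as plain strings and applies standard TLS wildcard matching, which may be stricter than the console's own check; the function names are hypothetical and the sample names are constructed.

```python
# Added example: conservative pre-flight check before replacing a certificate.
# Assumption: each list holds the DNS names bound to a certificate (its SAN
# list), supplied as plain strings. Sample values below are constructed.

def _norm(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return name.strip().lower().rstrip(".")


def name_covers(cert_name: str, host: str) -> bool:
    """Return True if one certificate name covers one host name.

    Standard TLS hostname matching: a wildcard stands for exactly one
    left-most label, so *.example.com covers www.example.com but not the
    apex example.com and not a.b.example.com.
    """
    cert_name, host = _norm(cert_name), _norm(host)
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                 # e.g. ".example.com"
        if host.endswith(suffix):
            left = host[: -len(suffix)]        # label(s) in front of the suffix
            return bool(left) and "." not in left
    return False


def uncovered_names(old_names, new_names):
    """Names on the deployed certificate that the replacement does not cover."""
    return sorted(
        _norm(old)
        for old in old_names
        if not any(name_covers(new, old) for new in new_names)
    )


if __name__ == "__main__":
    deployed = ["example.com"]                                    # Certificate 1
    replacement = ["example.com", "www.example.com", "*.example.com"]  # Certificate 2
    gaps = uncovered_names(deployed, replacement)
    print("safe to deploy" if not gaps else f"not covered: {gaps}")
```

An empty result means every name served by the deployed certificate stays covered after the update; any name returned would start failing hostname validation for clients once the replacement is live.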
Procedure
Deploy a single certificate to an Alibaba Cloud service
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the SSL Certificate Management page, click the required tab, find your certificate, and then click Deploy in the Actions column.
On the Create Task page, select one or more cloud services and resources in the Select Resource step and click Preview and Submit.
The system intelligently matches cloud service resources for which certificates are already configured based on your certificate. You can click OK in the Prompt message to add the matched cloud service resources to the Selected Resources section. You can also adjust the added cloud service resources based on your business requirements.
The system automatically identifies and synchronizes the resources of all cloud services. If you cannot find the required resources, perform the following operations:
In the Total Resources section, check whether the resources are synchronized. If the resources are being synchronized, the Synchronize Cloud Resources button is displayed in gray. Wait until the resources are synchronized. The time required for resource synchronization varies based on the number of resources within your cloud services.
If you cannot find the required resources after the synchronization is complete, check whether the prerequisites for first deployment are met. For more information, see First-time deployment.
In the Task Preview panel, confirm the information about the certificate and cloud service resources and click Submit.
The preview panel displays the number of certificates that match the cloud service resources and the amount of deployment quota to be consumed. If the number of certificates is 0, no cloud service resources match your certificate. In this case, the deployment task fails. Check the certificate that you selected.
Deploy multiple certificates to multiple Alibaba Cloud services at a time
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the Deployment to Cloud Services page, click Create Task. Then, perform the following steps to deploy multiple certificates:
In the Configure Basic Information step, configure the following parameters and click Next.
Parameter | Description |
Task Name | Specify a name for the deployment task. |
Contact | Select a contact to receive notifications for the deployment task. You can select up to 10 contacts. |
Deployed At | Deploy: If you select this option, your certificates are immediately deployed to the Alibaba Cloud services. Custom Time: If you select this option, you must specify the point in time at which you want the deployment task to run. The system starts the deployment task at the specified point in time. |
In the Select Certificate step, select the required certificates for your cloud service resources and click Next.
You can select official certificates or uploaded certificates. You can select certificates of only one certificate type for a single deployment task.
In the Select Resource step, select cloud services and resources and click Preview and Submit.
Note: You cannot create a deployment task to associate multiple server certificates with a single SLB listener.
The system intelligently matches cloud service resources for which certificates are already configured based on your certificates. You can click OK in the Prompt message to add the matched cloud service resources to the Selected Resources section. You can also adjust the added cloud service resources based on your business requirements.
The system automatically identifies and synchronizes the resources of all cloud services. If you cannot find the required resources, perform the following operations:
In the Total Resources section, check whether the resources are synchronized. If the resources are being synchronized, the Synchronize Cloud Resources button is displayed in gray, as shown in the following figure. Wait until the resources are synchronized. The time required for resource synchronization varies based on the number of resources within your cloud services.
If you cannot find the required resources after the synchronization, check whether the prerequisites for first deployment are met. For more information, see First-time deployment.
In the Task Preview panel, confirm the information about the certificates and cloud services and click Submit.
The preview panel displays the number of certificates that match the cloud service resources and the amount of deployment quota to be consumed. If the number of certificates is 0, no cloud service resources match your certificates. In this case, the deployment task fails. Check the certificates that you selected.
What to do next
View the details of the deployment task
On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.
On the task details page, view the certificate deployment status of resources on each cloud service tab. If a certificate fails to be deployed to a resource, you can view the cause in the Actions column.
If no cause is provided, contact your account manager.
Roll back the deployment task
After the deployment task is complete, you can perform the following steps to roll back the deployment task if the deployed certificates do not meet your requirements or if you want to undo the deployment for other reasons:
On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.
On the task details page, click the related cloud service tab, find the required resource, and then click Roll Back in the Actions column.
After the rollback is complete, the status of the deployment task changes to Rolled Back.
Delete the deployment task
After you delete a deployment task, it cannot be restored. Proceed with caution.
On the Deployment to Cloud Services page, find the deployment task and click Delete in the Actions column. You can also select multiple deployment tasks and click Delete below the task list.