Deploy a certificate to an Alibaba Cloud service in the Certificate Management Service console - Certificate Management Service

You can create a deployment task in the Certificate Management Service console to deploy a single SSL certificate to a cloud service or deploy multiple SSL certificates to multiple cloud services at a time. You can specify the point in time at which you want a deployment task to run. The system starts the deployment task at the specified point in time. This topic describes the supported Alibaba Cloud services, applicable scenarios, and deployment process.

Note

The first time you use the deployment feature, you must complete authorization based on the on-screen instructions. After you complete authorization, you can create a deployment task. For more information, see Authorize Certificate Management Service to access Alibaba Cloud resources.
For more information about how to deploy a certificate to a cloud server such as an Elastic Compute Service (ECS) instance or a simple application server, see Deploy a certificate to an Alibaba Cloud simple application server or ECS instance in the Certificate Management Service console.

If you encounter issues when you deploy a certificate, contact your account manager.

Supported cloud services and application scenarios

Important

The following list describes the scenarios of deployment tasks:

Deploy a certificate for the first time: You can perform the related operations in the Certificate Management Service console when you deploy a certificate for the first time.
Update an existing certificate: You can update a certificate that is already deployed in the Certificate Management Service console.

Category	Service	Deployment task scenario	Certificate configuration scenario	References
Serverless	Serverless App Engine - Gateway Routing	Update an existing certificate	Configure HTTPS for gateway routing in Application Load Balancer (ALB) and Classic Load Balancer (CLB)	For more information, see the following topics: Configure gateway routing for an application by using an ALB instance Configure gateway routing for an application by using a CLB instance
Serverless	Function Compute	Update an existing certificate	Configure HTTP functions	For more information about how to deploy a certificate for the first time, see Configure a custom domain name.
Middleware	Microservices Engine (MSE) - Cloud-native Gateway	Update an existing certificate	Configure cloud-native gateway routing	For more information about how to deploy a certificate for the first time, see Create a domain name.
Middleware	API Gateway	Update an existing certificate	Configure API access over HTTPS domain names	For more information about how to deploy a certificate for the first time, see Call APIs through an HTTPS domain name.
Networking and CDN	Global Accelerator (GA)	Update an existing certificate	Configure access acceleration by using HTTPS domain names	For more information, see the following topics: Accelerate access to HTTP websites over HTTPS Use a GA instance to accelerate multiple domain names over HTTPS
	ALB NLB	Update an existing certificate	Configure an HTTPS listener to forward HTTPS requests by using a server certificate Note You must deploy a client certificate in the Server Load Balancer (SLB) console. For more information about how to deploy a client certificate, see Configure end-to-end HTTPS encryption for data transfers.	For more information, see the following topics: ALB: Add an HTTPS listener NLB: Add a TCP/SSL listener
	ALB NLB	Update an existing certificate
	Alibaba Cloud CDN (CDN)	Deploy a certificate for the first time Update an existing certificate	Configure HTTPS secure acceleration	For more information about how to deploy a certificate in the CDN console, see Configure an SSL certificate.
	Dynamic Content Delivery Network (DCDN)	Deploy a certificate for the first time Update an existing certificate	Configure HTTPS secure acceleration	For more information about how to deploy a certificate in the DCDN console, see Configure an SSL certificate.
Storage	Object Storage Service (OSS)	Update an existing certificate	Configure OSS access over HTTPS Note If you want to map a CDN-accelerated domain name to your OSS bucket, you must replace the existing certificate in the Alibaba Cloud CDN console.	For more information about how to deploy a certificate for the first time, see Host a certificate for a custom domain name.
Security	Web Application Firewall (WAF)	Update an existing certificate	Add web services to WAF in CNAME record mode	For more information, see the following topics: WAF 3.0: Add a domain name to WAF 3.0 WAF 2.0: Add a domain name to WAF 2.0
Security	Anti-DDoS	Update an existing certificate	Add domain names to Anti-DDoS	For more information about how to deploy a certificate for the first time, see Upload an SSL certificate.
AI & Machine Learning	Platform for AI (PAI)	Update an existing certificate	Elastic Algorithm Service (EAS): Use a custom domain name for the dedicated gateway	For more information about how to deploy a certificate for the first time, see Use a custom domain name for the dedicated gateway.

Note

If you want to deploy a certificate to other Alibaba Cloud services or if you want to deploy an SM certificate, contact your account manager or refer to the related service documentation. You can deploy SM certificates only to CDN, DCDN, and Anti-DDoS. The following list provides references for deploying certificates to specific cloud services:

Prerequisites

A certificate is purchased and issued. For more information, see Purchase SSL certificates and Step 1: Create an SSL certificate.
Important
- For more information about how to use third-party service providers or other Alibaba Cloud accounts to obtain issued certificates, see Upload and share an SSL certificate.
  - If you deploy an uploaded certificate, the deployment quota is consumed. You can purchase the deployment quota on the buy page.
  - The amount of deployment quota to be consumed is determined based on the number of resources that match your uploaded certificate. If the deployment task fails, the amount of deployment quota that is consumed by the deployment task is recovered.
- Certificates that are shared among different Alibaba Cloud accounts can be deployed free of charge. The deployment quota is not consumed. The accounts must belong to the same individual or enterprise user who has passed real-name verification.
The name of an issued certificate does not contain Chinese characters. The following figure shows a certificate whose name contains Chinese characters.
You can update an existing certificate for SLB or GA by using a deployment task only if the domain name bound to the new certificate is the same as or includes the domain name bound to the existing certificate.
For example, if you deployed Certificate 1 to which the single domain name example.com is bound to a GA instance, you can deploy Certificate 2 to the instance to replace Certificate 1 by using a deployment task only if the domain name bound to Certificate 2 is or includes example.com. Otherwise, the deployment task fails. The domain name bound to Certificate 2 can be example.com, www.example.com, or *.example.com.

Procedure

Deploy a single certificate to an Alibaba Cloud service

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
On the SSL Certificate Management page, click the required tab, find your certificate, and then click Deploy in the Actions column.
On the Create Task page, select one or more cloud services and resources in the Select Resource step and click Preview and Submit.
- The system intelligently matches cloud service resources for which certificates are already configured based on your certificate. You can click OK in the Prompt message to add the matched cloud service resources to the Selected Resources section. You can also adjust the added cloud service resources based on your business requirements.
- The system automatically identifies and synchronizes the resources of all cloud services. If you cannot find the required resources, perform the following operations:
  - In the Total Resources section, check whether the resources are synchronized. If the resources are being synchronized, the Synchronize Cloud Resources button is displayed in gray. Wait until the resources are synchronized. The time required for resource synchronization varies based on the number of resources within your cloud services.
  - If you cannot find the required resources after the synchronization is complete, check whether the prerequisites for first deployment are met. For more information, see First-time deployment.
In the Task Preview panel, confirm the information about the certificate and cloud service resources and click Submit.
The preview panel displays the number of certificates that match the cloud service resources and the amount of deployment quota to be consumed. If the number of certificates is 0, no cloud service resources match your certificate. In this case, the deployment task fails. Check the certificate that you selected.

Deploy multiple certificates to multiple Alibaba Cloud services at a time

Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Deployment and Resource Management > Deployment to Cloud Services.

On the Deployment to Cloud Services page, click Create Task. Then, perform the following steps to deploy multiple certificates:

In the Configure Basic Information step, configure the following parameters and click Next.

Parameter	Description
Task Name	Specify a name for the deployment task.
Contact	Select a contact to receive notifications for the deployment task. You can select up to 10 contacts.
Deployed At	Deploy: If you select this option, your certificates are immediately deployed to the Alibaba Cloud services. Custom Time: If you select this option, you must specify the point in time at which you want the deployment task to run. The system starts the deployment task at the specified point in time.

In the Select Certificate step, select the required certificates for your cloud service resources and click Next.
You can select official certificates or uploaded certificates. You can select certificates of only one certificate type for a single deployment task.
In the Select Resource step, select cloud services and resources and click Preview and Submit.
Note
You cannot create a deployment task to associate multiple server certificates with a single SLB listener.
- The system intelligently matches cloud service resources for which certificates are already configured based on your certificates. You can click OK in the Prompt message to add the matched cloud service resources to the Selected Resources section. You can also adjust the added cloud service resources based on your business requirements.
- The system automatically identifies and synchronizes the resources of all cloud services. If you cannot find the required resources, perform the following operations:
  - In the Total Resources section, check whether the resources are synchronized. If the resources are being synchronized, the Synchronize Cloud Resources button is displayed in gray, as shown in the following figure. Wait until the resources are synchronized. The time required for resource synchronization varies based on the number of resources within your cloud services.
  - If you cannot find the required resources after the synchronization, check whether the prerequisites for first deployment are met. For more information, see First-time deployment.
In the Task Preview panel, confirm the information about the certificates and cloud services and click Submit.
The preview panel displays the number of certificates that match the cloud service resources and the amount of deployment quota to be consumed. If the number of certificates is 0, no cloud service resources match your certificates. In this case, the deployment task fails. Check the certificates that you selected.

What to do next

View the details of the deployment task

On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.
On the task details page, view the certificate deployment status of resources on each cloud service tab. If a certificate fails to be deployed to a resource, you can view the cause in the Actions column.
If no cause is provided, contact your account manager.

Roll back the deployment task

After the deployment task is complete, you can perform the following steps to roll back the deployment task if the deployed certificates do not meet your requirements or if you want to undo the deployment for other reasons:

On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.
On the task details page, click the related cloud service tab, find the required resource, and then click Roll Back in the Actions column.
After the rollback is complete, the status of the deployment task changes to Rolled Back.

Delete the deployment task

Warning

After you delete a deployment task, it cannot be restored. Proceed with caution.

On the Deployment to Cloud Services page, find the deployment task and click Delete in the Actions column. You can also select multiple deployment tasks and click Delete below the task list.