Configure an HTTPS certificate for your accelerated domain name to encrypt the connection between clients and CDN nodes. This prevents data interception and tampering over the public network and improves your business security.
Certificates purchased from Alibaba Cloud Certificate Management Service can be deployed to the CDN platform in batches. For more information, see Deploy HTTPS certificates in batches.
Before you begin
Review the following limitations and requirements:
Purchase a certificate: If you do not have a certificate, you can purchase a commercial certificate from the Certificate Management Service console or apply for a test certificate (formerly Free Edition).
Private key requirements: If you choose to upload a custom certificate, the private key must not be password-protected. For more information, see Verify that password protection is removed from the private key file.
SM certificate (SM2): The CDN console does not support direct configuration of SM2 dual-certificate setups. To use an SM certificate, you must configure it using the SetCdnDomainSMCertificate API operation.
Procedure
-
Log on to the CDN console.
-
In the left navigation pane, click Domain Names.
-
On the Domain Names page, find the target domain name and click Manage in the Actions column.
-
In the domain's navigation pane, click HTTPS.
In the HTTPS Certificate section, click Modify.
On the Modify HTTPS Settings page, turn on the HTTPS Secure Acceleration switch, and configure certificate parameters. In the pop-up window, turn on the HTTPS Secure Acceleration switch (Enabling this feature incurs charges based on the number of HTTPS requests).
If you have a certificate from Certificate Management Service, select SSL Certificates Service and choose your certificate from the Certificate Name drop-down list.
NoteIf you cannot find your certificate, make sure the domain name bound to the certificate is identical to the accelerated domain name.
If you are using a certificate from a third-party provider, select Custom Certificate (Certificate+Private Key). You must then specify a Certificate Name and paste the content of your Certificate (Public Key) and Private Key. The certificate is saved to Alibaba Cloud Certificate Management Service and can be viewed on the My Certificates page.
The Custom Upload feature has strict format requirements for the Certificate (Public Key) and Private Key. If you encounter configuration errors or do not understand the configuration examples, you can refer to Upload a custom certificate to process the Certificate (Public Key) and Private Key, and then upload them.
Parameter
Description
Certificate Name
Enter a name for the certificate to be uploaded.
The name can contain only letters, periods (.), digits, underscores (
_), and hyphens (-). The name must be unique.Certificate (Public Key)
Enter the PEM-encoded content of the certificate file.
Private Key
Enter the PEM-encoded content of the private key. For security, the private key cannot be viewed or exported from the console after it is uploaded. Keep a secure copy of your private key.
Click OK.
Verify the HTTPS configuration
Browser verification: Access
https://your-accelerated-domain-namein a browser. A lock icon in the address bar with valid certificate details indicates that the configuration is successful.Command-line verification: Run
curl -I https://your-accelerated-domain-name. A200status code confirms the HTTPS service is active.
HTTPS configuration and origin port
The HTTPS certificate configuration for an accelerated domain name affects the protocols that clients can use, which in turn affects the origin protocol and port.
If no HTTPS certificate is configured, CDN supports only HTTP requests, and the origin port is 80.
After you configure an HTTPS certificate and enable HTTPS Secure Acceleration, CDN supports both HTTP and HTTPS requests.
If the back-to-origin protocol is set to Follow Client, CDN automatically selects the origin port based on the client's protocol: port 80 for HTTP and port 443 for HTTPS.
For more information about how to configure the back-to-origin protocol, see Configure a back-to-origin protocol.
Disable HTTPS secure acceleration
You can disable it at any time in the CDN console. The change takes effect immediately. After the feature is disabled, clients can no longer access resources over HTTPS, and the certificate and private key information is removed.
To re-enable HTTPS secure acceleration, select and configure a certificate again.
Upload a custom certificate
If you have a certificate issued by a third-party provider or a self-signed certificate, you must prepare the certificate and private key in a supported format before you upload them.
Certificate (public key)
CDN supports only PEM-format certificates. To convert other formats, see Convert the format of a certificate. Upload requirements vary by certificate authority (CA):
Certificates issued by a root CA (one certificate file)
Open the PEM certificate file in a text editor. Upload the entire content, including the lines that start with
-----BEGIN CERTIFICATE-----and end with-----END CERTIFICATE-----.-----BEGIN CERTIFICATE----- [Certificate content] -----END CERTIFICATE-----Certificates issued by an intermediate CA (multiple certificate files)
Concatenate the server certificate and all intermediate CA certificates in order into a single certificate chain file. The file content must follow this format:-----BEGIN CERTIFICATE----- [Server certificate content] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [Intermediate CA certificate content] -----END CERTIFICATE-----
Private key
The file extension for a private key is typically.keyor.pem. Open the private key file in a text editor. The upload requirements differ for various private key formats:Upload an RSA private key directly
If the private key starts with
-----BEGIN RSA PRIVATE KEY-----and ends with-----END RSA PRIVATE KEY-----, upload the private key content directly.-----BEGIN RSA PRIVATE KEY----- [Private key content] -----END RSA PRIVATE KEY-----Convert other private key formats before uploading
If your private key starts with
-----BEGIN PRIVATE KEY-----and ends with-----END PRIVATE KEY-----, first convert the key using an OpenSSL command. Then, upload the content of the converted private key as described in the Upload an RSA private key directly section. In the command,old_server_key.pemis the original private key andnew_server_key.pemis the converted private key.# Private key to be converted -----BEGIN PRIVATE KEY----- [Private key content] -----END PRIVATE KEY-----# Conversion command openssl rsa -in old_server_key.pem -out new_server_key.pemWhen you download or apply for a certificate from a third-party provider, pay attention to the following file distinctions:
Typically, the
.pemor.crtfile contains the public key (certificate content), and the.keyor.privatefile contains the private key.When uploading, paste the content of the public key file (
.pemor.crt) into the "certificate (public key)" field, and the content of the private key file (.keyor.private) into the "private key" field.Do not upload a CSR file. A Certificate Signing Request (CSR) is used only to apply for a certificate from a certificate authority and cannot be used as a certificate or a private key.
If you are using a certificate in Nginx format, ensure the following:
The certificate file content is in PEM format and starts with
-----BEGIN CERTIFICATE-----.The private key file content is in PEM format and starts with
-----BEGIN RSA PRIVATE KEY-----or-----BEGIN PRIVATE KEY-----.The certificate and private key match.
Remove any extra spaces, line breaks, or non-standard characters from the files.
If the certificate chain is incomplete, you must combine the intermediate certificate with the primary certificate in a single file before uploading. For more information, see Certificate format.
Billing
Enabling HTTPS Secure Acceleration incurs additional fees.
Billable item: Static HTTPS requests. This fee is separate from CDN data transfer fees and is based on the total number of static HTTPS requests across all accelerated domain names under your account.
Billing methods: Both pay-as-you-go and subscription by purchasing a resource plan for static HTTPS requests are supported.
Cost notice:
CDN data transfer plans cannot be used to offset charges for HTTPS requests.
Purchased resource plans for static HTTPS requests can be shared between CDN and DCDN.
References
Document | Description |
You can configure the force redirect to HTTPS feature to redirect requests from clients to CDN nodes to more secure HTTPS requests. | |
Enable HTTP Strict Transport Security (HSTS) to force clients, such as browsers, to use HTTPS when connecting to CDN nodes, which enhances security. | |
CDN nodes pre-cache online certificate validation results and deliver them to clients. This eliminates the need for browsers to directly query the CA site for certificate status and reduces user validation time. |
FAQ
How do I remove password protection from a private key file?
My origin server is configured with HTTPS. Do I still need to configure HTTPS for CDN?
If the HTTPS certificate on my origin server is updated, do I need to update it on CDN as well?
Q: After I update or replace the SSL certificate for a CDN domain name, HTTPS access still fails or shows the old certificate. What should I do?
Ensure the certificate is deployed correctly: Log on to the CDN console and confirm that the new certificate has been selected or uploaded in the HTTPS configuration.
Check for domain name mismatch: Ensure the domain name bound to the certificate exactly matches the CDN accelerated domain name, including prefixes like www.
Clear caches: After the configuration takes effect (typically 1 to 10 minutes), clear both the CDN node cache and your local browser cache before testing again. Use an incognito browser window to verify.
If the origin server's certificate is updated, CDN does not automatically synchronize it. You must manually update the certificate in the CDN console.
Q: After I configure an HTTPS certificate for CDN, my browser still shows an "insecure" warning or a mixed content warning. How do I troubleshoot this?
Check the webpage source code for any resources (images, JS, CSS) loaded over HTTP. Replace their URLs with HTTPS to resolve mixed content issues.
Clear your local browser cache or use an incognito window to rule out outdated cached certificates.
Confirm that your client's system time is correct. An incorrect system time can cause certificate validation to fail.
If you see an error when accessing from an iOS device, the certificate chain may be incomplete. Use an online tool, such as myssl.com, to check the chain and upload the complete chain if necessary.
Q: In the CDN console, why can't I find my purchased certificate under "SSL Certificates Service", or why do I get a domain mismatch error?
Check that the domain name bound to the certificate exactly matches the current CDN accelerated domain name. For example, a certificate for the root domain
example.comcannot be used for the subdomainimage.example.com. You must apply for a separate certificate for the subdomain.Ensure that the certificate and the CDN domain name are under the same Alibaba Cloud account.
When you apply for a free SSL certificate, the www prefix is not automatically included. You must enter the full domain name during the application.
If the certificate cannot be automatically matched due to domain format differences (such as root domain vs. subdomain), deploy the certificate to CDN by creating a deployment task in the Certificate Management Service console, or download the certificate files and configure the certificate using the Custom Upload method.
Q: After configuring HTTPS on CDN, why do I receive an ERR_SSL_PROTOCOL_ERROR or SSL_ERROR_NO_CIPHER_OVERLAP error?
This error usually indicates that the CDN node does not have a valid SSL certificate configured. Follow these steps to troubleshoot:
Check the HTTPS configuration in the CDN console. Ensure a certificate is uploaded, enabled, and has not expired.
If you are using a custom certificate, ensure it is in the correct PEM format and its private key is not password-protected.
Ensure the certificate and private key match, and that the domain name bound to the certificate matches the accelerated domain name.
If you have not configured an HTTPS certificate before, complete the configuration in the CDN console. Before the configuration is complete, you can temporarily access the content over HTTP by removing the "s" from the URL.
Q: How can I configure an SSL certificate for a CDN domain name by using an API or the CLI?
You can call the SetCdnDomainSSLCertificate operation.
The following is an example of the command if you use Alibaba Cloud CLI:
aliyun cdn set-cdn-domain-ssl-certificate \ --domain-name <your_accelerated_domain_name> \ --cert-name <certificate_name> \ --cert-id <certificate_ID> \ --cert-type cas \ --ssl-protocol on \ --region cn-hangzhouTo upload a custom certificate, you must specify the
ssl-pub(public key) andssl-pri(private key) parameters, and set thecert-typeparameter toupload. The following is an example of the command:aliyun cdn set-cdn-domain-ssl-certificate \ --domain-name example.com \ --cert-name yourCertName \ --cert-type upload \ --ssl-protocol on \ --ssl-pub "<PEM-encoded_public_key_content>" \ --ssl-pri "<PEM-encoded_private_key_content>" \ --region cn-hangzhouImportantDo not pass the content of a CSR file to the API operation. A CSR file is used only to apply for a certificate and cannot be used as a certificate or a private key.
Related APIs
API | Description |
Configures a certificate for a domain by using a CSR. | |
Queries the certificate information for a specified accelerated domain name. | |
Enables or disables the certificate feature for a domain name and updates the certificate information. | |
Configures an HTTPS certificate for a specified domain name. | |
Queries accelerated domain names based on certificate information. | |
Queries the details of a CDN certificate. | |
Queries a list of certificates. | |
Queries the information about a specified certificate. | |
Queries all certificate information for a user account. | |
Queries the number of domain names whose certificates have expired. | |
Configures an SM certificate. | |
Queries the list of SM certificates. | |
Queries the details of an SM certificate. |