Configure an HTTPS certificate

更新时间:
复制 MD 格式

Configure an HTTPS certificate for your accelerated domain name to encrypt the connection between clients and CDN nodes. This prevents data interception and tampering over the public network and improves your business security.

Certificates purchased from Alibaba Cloud Certificate Management Service can be deployed to the CDN platform in batches. For more information, see Deploy HTTPS certificates in batches.

Before you begin

Review the following limitations and requirements:

Procedure

  1. Log on to the CDN console.

  2. In the left navigation pane, click Domain Names.

  3. On the Domain Names page, find the target domain name and click Manage in the Actions column.

  4. In the domain's navigation pane, click HTTPS.

  5. In the HTTPS Certificate section, click Modify.

  6. On the Modify HTTPS Settings page, turn on the HTTPS Secure Acceleration switch, and configure certificate parameters. In the pop-up window, turn on the HTTPS Secure Acceleration switch (Enabling this feature incurs charges based on the number of HTTPS requests).

    • If you have a certificate from Certificate Management Service, select SSL Certificates Service and choose your certificate from the Certificate Name drop-down list.

      Note

      If you cannot find your certificate, make sure the domain name bound to the certificate is identical to the accelerated domain name.

    • If you are using a certificate from a third-party provider, select Custom Certificate (Certificate+Private Key). You must then specify a Certificate Name and paste the content of your Certificate (Public Key) and Private Key. The certificate is saved to Alibaba Cloud Certificate Management Service and can be viewed on the My Certificates page.

      The Custom Upload feature has strict format requirements for the Certificate (Public Key) and Private Key. If you encounter configuration errors or do not understand the configuration examples, you can refer to Upload a custom certificate to process the Certificate (Public Key) and Private Key, and then upload them.

      Parameter

      Description

      Certificate Name

      Enter a name for the certificate to be uploaded.

      The name can contain only letters, periods (.), digits, underscores (_), and hyphens (-). The name must be unique.

      Certificate (Public Key)

      Enter the PEM-encoded content of the certificate file.

      Private Key

      Enter the PEM-encoded content of the private key. For security, the private key cannot be viewed or exported from the console after it is uploaded. Keep a secure copy of your private key.

  7. Click OK.

Verify the HTTPS configuration

  • Browser verification: Access https://your-accelerated-domain-name in a browser. A lock icon in the address bar with valid certificate details indicates that the configuration is successful.

  • Command-line verification: Run curl -I https://your-accelerated-domain-name. A 200 status code confirms the HTTPS service is active.

HTTPS configuration and origin port

The HTTPS certificate configuration for an accelerated domain name affects the protocols that clients can use, which in turn affects the origin protocol and port.

  • If no HTTPS certificate is configured, CDN supports only HTTP requests, and the origin port is 80.

  • After you configure an HTTPS certificate and enable HTTPS Secure Acceleration, CDN supports both HTTP and HTTPS requests.

  • If the back-to-origin protocol is set to Follow Client, CDN automatically selects the origin port based on the client's protocol: port 80 for HTTP and port 443 for HTTPS.

For more information about how to configure the back-to-origin protocol, see Configure a back-to-origin protocol.

Disable HTTPS secure acceleration

You can disable it at any time in the CDN console. The change takes effect immediately. After the feature is disabled, clients can no longer access resources over HTTPS, and the certificate and private key information is removed.

To re-enable HTTPS secure acceleration, select and configure a certificate again.

Upload a custom certificate

If you have a certificate issued by a third-party provider or a self-signed certificate, you must prepare the certificate and private key in a supported format before you upload them.

  • Certificate (public key)

    CDN supports only PEM-format certificates. To convert other formats, see Convert the format of a certificate. Upload requirements vary by certificate authority (CA):

    • Certificates issued by a root CA (one certificate file)

      Open the PEM certificate file in a text editor. Upload the entire content, including the lines that start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

      -----BEGIN CERTIFICATE-----
      [Certificate content]
      -----END CERTIFICATE-----
    • Certificates issued by an intermediate CA (multiple certificate files)
      Concatenate the server certificate and all intermediate CA certificates in order into a single certificate chain file. The file content must follow this format:

      -----BEGIN CERTIFICATE-----
      [Server certificate content]
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      [Intermediate CA certificate content]
      -----END CERTIFICATE-----
  • Private key
    The file extension for a private key is typically .key or .pem. Open the private key file in a text editor. The upload requirements differ for various private key formats:

    • Upload an RSA private key directly

      If the private key starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----, upload the private key content directly.

      -----BEGIN RSA PRIVATE KEY-----
      [Private key content]
      -----END RSA PRIVATE KEY-----
    • Convert other private key formats before uploading

      If your private key starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----, first convert the key using an OpenSSL command. Then, upload the content of the converted private key as described in the Upload an RSA private key directly section. In the command, old_server_key.pem is the original private key and new_server_key.pem is the converted private key.

      # Private key to be converted
      -----BEGIN PRIVATE KEY-----
      [Private key content]
      -----END PRIVATE KEY-----
      # Conversion command
      openssl rsa -in old_server_key.pem -out new_server_key.pem
    • When you download or apply for a certificate from a third-party provider, pay attention to the following file distinctions:

      • Typically, the .pem or .crt file contains the public key (certificate content), and the .key or .private file contains the private key.

      • When uploading, paste the content of the public key file (.pem or .crt) into the "certificate (public key)" field, and the content of the private key file (.key or .private) into the "private key" field.

      • Do not upload a CSR file. A Certificate Signing Request (CSR) is used only to apply for a certificate from a certificate authority and cannot be used as a certificate or a private key.

      • If you are using a certificate in Nginx format, ensure the following:

        1. The certificate file content is in PEM format and starts with -----BEGIN CERTIFICATE-----.

        2. The private key file content is in PEM format and starts with -----BEGIN RSA PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----.

        3. The certificate and private key match.

        4. Remove any extra spaces, line breaks, or non-standard characters from the files.

      • If the certificate chain is incomplete, you must combine the intermediate certificate with the primary certificate in a single file before uploading. For more information, see Certificate format.

Billing

Enabling HTTPS Secure Acceleration incurs additional fees.

  • Billable item: Static HTTPS requests. This fee is separate from CDN data transfer fees and is based on the total number of static HTTPS requests across all accelerated domain names under your account.

  • Billing methods: Both pay-as-you-go and subscription by purchasing a resource plan for static HTTPS requests are supported.

  • Cost notice:

    • CDN data transfer plans cannot be used to offset charges for HTTPS requests.

    • Purchased resource plans for static HTTPS requests can be shared between CDN and DCDN.

References

Document

Description

Configure a forced redirect

You can configure the force redirect to HTTPS feature to redirect requests from clients to CDN nodes to more secure HTTPS requests.

Configure HSTS

Enable HTTP Strict Transport Security (HSTS) to force clients, such as browsers, to use HTTPS when connecting to CDN nodes, which enhances security.

Configure OCSP Stapling

CDN nodes pre-cache online certificate validation results and deliver them to clients. This eliminates the need for browsers to directly query the CA site for certificate status and reduces user validation time.

FAQ

  • How do I remove password protection from a private key file?

  • My origin server is configured with HTTPS. Do I still need to configure HTTPS for CDN?

  • If the HTTPS certificate on my origin server is updated, do I need to update it on CDN as well?

  • Why can most devices access a domain name that is accelerated using the HTTPS protocol, but some devices cannot?

  • Q: After I update or replace the SSL certificate for a CDN domain name, HTTPS access still fails or shows the old certificate. What should I do?

    1. Ensure the certificate is deployed correctly: Log on to the CDN console and confirm that the new certificate has been selected or uploaded in the HTTPS configuration.

    2. Check for domain name mismatch: Ensure the domain name bound to the certificate exactly matches the CDN accelerated domain name, including prefixes like www.

    3. Clear caches: After the configuration takes effect (typically 1 to 10 minutes), clear both the CDN node cache and your local browser cache before testing again. Use an incognito browser window to verify.

    4. If the origin server's certificate is updated, CDN does not automatically synchronize it. You must manually update the certificate in the CDN console.

  • Q: After I configure an HTTPS certificate for CDN, my browser still shows an "insecure" warning or a mixed content warning. How do I troubleshoot this?

    1. Check the webpage source code for any resources (images, JS, CSS) loaded over HTTP. Replace their URLs with HTTPS to resolve mixed content issues.

    2. Clear your local browser cache or use an incognito window to rule out outdated cached certificates.

    3. Confirm that your client's system time is correct. An incorrect system time can cause certificate validation to fail.

    4. If you see an error when accessing from an iOS device, the certificate chain may be incomplete. Use an online tool, such as myssl.com, to check the chain and upload the complete chain if necessary.

  • Q: In the CDN console, why can't I find my purchased certificate under "SSL Certificates Service", or why do I get a domain mismatch error?

    1. Check that the domain name bound to the certificate exactly matches the current CDN accelerated domain name. For example, a certificate for the root domain example.com cannot be used for the subdomain image.example.com. You must apply for a separate certificate for the subdomain.

    2. Ensure that the certificate and the CDN domain name are under the same Alibaba Cloud account.

    3. When you apply for a free SSL certificate, the www prefix is not automatically included. You must enter the full domain name during the application.

    4. If the certificate cannot be automatically matched due to domain format differences (such as root domain vs. subdomain), deploy the certificate to CDN by creating a deployment task in the Certificate Management Service console, or download the certificate files and configure the certificate using the Custom Upload method.

  • Q: After configuring HTTPS on CDN, why do I receive an ERR_SSL_PROTOCOL_ERROR or SSL_ERROR_NO_CIPHER_OVERLAP error?

    This error usually indicates that the CDN node does not have a valid SSL certificate configured. Follow these steps to troubleshoot:

    1. Check the HTTPS configuration in the CDN console. Ensure a certificate is uploaded, enabled, and has not expired.

    2. If you are using a custom certificate, ensure it is in the correct PEM format and its private key is not password-protected.

    3. Ensure the certificate and private key match, and that the domain name bound to the certificate matches the accelerated domain name.

    4. If you have not configured an HTTPS certificate before, complete the configuration in the CDN console. Before the configuration is complete, you can temporarily access the content over HTTP by removing the "s" from the URL.

  • Q: How can I configure an SSL certificate for a CDN domain name by using an API or the CLI?

    You can call the SetCdnDomainSSLCertificate operation.

    The following is an example of the command if you use Alibaba Cloud CLI:

    aliyun cdn set-cdn-domain-ssl-certificate \
      --domain-name <your_accelerated_domain_name> \
      --cert-name <certificate_name> \
      --cert-id <certificate_ID> \
      --cert-type cas \
      --ssl-protocol on \
      --region cn-hangzhou

    To upload a custom certificate, you must specify the ssl-pub (public key) and ssl-pri (private key) parameters, and set the cert-type parameter to upload. The following is an example of the command:

    aliyun cdn set-cdn-domain-ssl-certificate \
      --domain-name example.com \
      --cert-name yourCertName \
      --cert-type upload \
      --ssl-protocol on \
      --ssl-pub "<PEM-encoded_public_key_content>" \
      --ssl-pri "<PEM-encoded_private_key_content>" \
      --region cn-hangzhou
    Important

    Do not pass the content of a CSR file to the API operation. A CSR file is used only to apply for a certificate and cannot be used as a certificate or a private key.

Related APIs

API

Description

SetCdnDomainCSRCertificate

Configures a certificate for a domain by using a CSR.

DescribeDomainCertificateInfo

Queries the certificate information for a specified accelerated domain name.

SetCdnDomainSSLCertificate

Enables or disables the certificate feature for a domain name and updates the certificate information.

SetCdnDomainCSRCertificate

Configures an HTTPS certificate for a specified domain name.

DescribeCdnDomainByCertificate

Queries accelerated domain names based on certificate information.

DescribeCdnCertificateDetail

Queries the details of a CDN certificate.

DescribeCdnCertificateList

Queries a list of certificates.

DescribeCertificateInfoByID

Queries the information about a specified certificate.

DescribeCdnHttpsDomainList

Queries all certificate information for a user account.

DescribeUserCertificateExpireCount

Queries the number of domain names whose certificates have expired.

SetCdnDomainSMCertificate

Configures an SM certificate.

DescribeCdnSMCertificateList

Queries the list of SM certificates.

DescribeCdnSMCertificateDetail

Queries the details of an SM certificate.