Configure a keyless certificate-Edge Security Acceleration(ESA)-阿里云帮助中心

Uploading SSL private keys to a third-party platform creates security and compliance risks, as it may violate policies requiring private keys to remain within your infrastructure. This document describes how to deploy a KeyServer and configure a keyless certificate in the ESA console to enable an HTTPS acceleration service while maintaining exclusive control over your private keys.

What is a keyless certificate

Traditional content delivery network (CDN) solutions require you to upload the certificate and its private key to the CDN console. Hosting a private key on a third-party platform creates a risk of exposure.

A keyless certificate (also known as Keyless SSL) is an advanced SSL/TLS security solution that lets you keep your private key on your own server. Only the certificate's public key is stored on the ESA edge node. When a user initiates an HTTPS request, the edge node sends a remote signing request to your KeyServer to complete the TLS handshake. Throughout this process, the private key never leaves your server.

A keyless certificate offers several advantages over traditional solutions:

Keep private keys on-premises: Your private key remains securely stored on your own server and is never uploaded to any third-party platform.
Meet compliance requirements: Satisfy strict compliance standards for private key management in industries such as finance and government.
Centralized key management: Manage private keys for multiple domains from a single KeyServer.

Use cases

Security and compliance: Industries such as finance and government have strict compliance requirements that prohibit uploading private keys to third-party platforms.
Centralized private key management: You need to manage private keys for multiple domains centrally, avoiding scattered storage.
HSM integration: You use a hardware security module (HSM) to manage private keys. The HSM does not allow keys to be exported, but you need it to perform the signing operations for a TLS handshake.

How it works

ECDHE key exchange

The following is the keyless certificate workflow when a TLS handshake uses ECDHE for key exchange:

The client initiates a TLS handshake with the edge node by sending a ClientHello message.
The edge node forwards the handshake parameters to the pre-configured KeyServer.
The KeyServer uses its locally stored private key to perform the ECDHE signing operation and returns the signature data to the edge node.
The edge node sends the ServerHello message and the signature data to the client.
The client verifies the signature, and an ECDHE-encrypted channel is established.

Note

Throughout this process, the private key remains on your KeyServer. The edge node never holds the private key.

RSA key exchange

The process is similar when using RSA for key exchange:

The client sends a ClientHello message, and the edge node forwards the handshake information to the KeyServer.
The KeyServer uses the RSA private key to decrypt the pre-master secret and returns the result.
The edge node completes the handshake, and an encrypted channel is established.

Communication security

Communication between the edge node and the KeyServer is secured using mutual TLS (mTLS) authentication. When you configure the KeyServer, you can choose whether to enable KeyServer authentication. If enabled, the edge node verifies the KeyServer's certificate.

The edge node stores only the certificate's public key, while the private key is stored on your KeyServer. For each TLS handshake, the edge node sends a remote signing request to the KeyServer to complete the handshake.

Prerequisites

You have added a site in the ESA console.
You have enabled the SSL/TLS feature.
You have a server with a public IP address to deploy the KeyServer. The KeyServer port must be accessible from ESA edge nodes.
You have the public key file for your SSL certificate (in .pem or .crt format).
Your current plan supports the keyless certificate feature. Check your quota in the console. For more information, see Choose a plan that is right for you.

Procedure

Configuring a keyless certificate involves three steps:

Set up and start the KeyServer.
Configure the KeyServer address in the ESA console.
Upload the keyless certificate and associate it with the KeyServer.

Step 1: Set up and start the KeyServer

Complete the following tasks on your own server:

Get the KeyServer source code.
Compile and build the KeyServer application.
Generate a certificate for the communication channel (for mutual TLS (mTLS) authentication between the edge node and the KeyServer).
Configure and start the KeyServer.

Get the source code

The KeyServer source code is hosted on GitHub. Clone the KeyServer code from the alibabacloud-dcdn-keyserver open-source repository:

git clone https://github.com/alibaba/alibabacloud-dcdn-keyserver.git
cd alibabacloud-dcdn-keyserver
git submodule update --init

Compile and build

The KeyServer is built on Nginx. First, download the Nginx source code and apply the required patches:

# Apply patches
patch -p1 -d deps/nginx_tcp_proxy_module/ < tcp_module_compile_fixed.patch
patch -p1 -d deps/nginx_tcp_proxy_module/ < tcp_lurk_keepalive.patch
patch -p1 -d deps/nginx_tcp_proxy_module/ < tcp_access_log_format.patch
patch -p1 -d deps/OpenSSL_1_1_1-stable/ < lurk_openssl_1_1_1-stable.patch

# Download and extract Nginx
wget 'https://nginx.org/download/nginx-1.26.2.tar.gz'
tar -xzvf nginx-1.26.2.tar.gz

# Apply the Nginx TCP module patch
patch -p1 -d nginx-1.26.2 < deps/nginx_tcp_proxy_module/tcp.patch

# Compile
cd nginx-1.26.2
./configure \
    --with-http_ssl_module \
    --with-openssl=../deps/OpenSSL_1_1_1-stable \
    --add-module=../deps/nginx_tcp_proxy_module \
    --add-module=.. \
    --with-cc-opt="-Wno-implicit-fallthrough"
make

After compilation, the executable file is located at nginx-1.26.2/objs/nginx.

Generate the communication channel certificate

The KeyServer and ESA edge nodes communicate over an encrypted TLS channel. You must generate a dedicated certificate and private key for this channel:

# Create an OpenSSL configuration file
cat > openssl.conf << EOF
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

# Generate a self-signed certificate and private key
openssl req -x509 -new -config ./openssl.conf \
    -subj /CN=keyserver/ \
    -out keyserver-channel.pem \
    -keyout keyserver-channel.key

Important

Securely store the generated keyserver-channel.pem (certificate) and keyserver-channel.key (private key) files. You will paste the certificate content into the ESA console later.

Configure and start the KeyServer

Edit the KeyServer configuration file (refer to the config file in the project). The main parameters are described below:

user root;
worker_processes auto;
error_log logs/error.log;

events {
    worker_connections 1024;
}

tcp {
    # Access log format
    log_format main '{"time":$lurk_start_time,"client_ip":"$client_ip","server_ip":"$host_ip","lurk_id":$lurk_id,"lurk_type":$lurk_type,"lurk_error":$lurk_err_code}';
    access_log logs/lurk_access.log main;

    lurk_get_key_mode local;

    server {
        # KeyServer listening port
        listen 8443 ssl;

        # Communication channel TLS certificate and private key
        ssl_certificate     /path/to/keyserver-channel.pem;
        ssl_certificate_key /path/to/keyserver-channel.key;

        ssl_protocols TLSv1.2;
        ssl_ciphers EECDH+AES256;
        ssl_session_cache shared:lurk:100m;
        ssl_session_timeout 8h;
        ssl_prefer_server_ciphers on;

        lurk;

        # Directory for business certificate private keys
        lurk_pkey_path /path/to/pkeys;

        lurk_keepalive_requests 1000;
    }
}

Key configuration parameters:

Parameter	Description
`listen`	The port the KeyServer listens on. The default is 8443 with SSL enabled.
`ssl_certificate`	The file path to the TLS certificate for the communication channel.
`ssl_certificate_key`	The file path to the TLS private key for the communication channel.
`lurk_pkey_path`	The directory where the private keys of your business domain's SSL certificates are stored. Place the private keys you want to manage in this directory.
`lurk_keepalive_requests`	The maximum number of requests allowed on a single keep-alive connection.

Copy the private key file corresponding to your business domain's certificate to the directory specified by lurk_pkey_path:

1mkdir -p /path/to/pkeys
2cp your-domain.key /path/to/pkeys/

Start the KeyServer with your configuration file:

/path/to/nginx -c /path/to/keyserver.conf

After starting, ensure that the KeyServer's listening port (default 8443) is accessible from the public internet. You can use a firewall or security group rules to restrict access to the IP ranges of ESA edge nodes.

Step 2: Configure the KeyServer address in the ESA console

After setting up your KeyServer, add its address in the ESA console to enable communication between the edge nodes and your KeyServer.

In the ESA console, go toWebsites and click the target site in the Website column.
In the left-side navigation pane, chooseEdge Certificates.
In the KeyServer panel, click Configure.
Note
If the Configure button is disabled with a message indicating the KeyServer configuration limit has been reached, it means the current site has reached its plan's quota for KeyServers.

Fill in the KeyServer configuration form:

Parameter	Description	Required	Example
Name	A unique name for the KeyServer, up to 256 characters.	Yes	`my-keyserver`
Server Address	The KeyServer address. IP addresses and domain names are supported.	Yes	`192.168.1.100`
Server Port	The KeyServer listening port. The value must be between 1 and 65535.	Yes	`8443`
KeyServer Authentication	If enabled, enforces verification of the KeyServer's certificate.	No	Enabled
Certified CA	The PEM-formatted CA certificate. This is required if KeyServer authentication is enabled.	Required if KeyServer Authentication is enabled.	Paste the PEM-formatted content.
KeyClient Certificate	The PEM-formatted client certificate for mutual TLS (mTLS) authentication with the KeyServer.	No	Paste the PEM-formatted content.
KeyClient Private Key	The PEM-formatted client private key for mutual TLS (mTLS) authentication with the KeyServer.	No	Paste the PEM-formatted content.

Note

The Certified CA field is displayed only when the KeyServer Authentication switch is enabled. The KeyClient Certificate and KeyClient Private Key fields are always displayed but are optional.

Click OK to save the configuration.

Step 3: Upload and associate the keyless certificate

After configuring the KeyServer address, upload your SSL certificate (public key) and associate it with the KeyServer.

In the certificate management panel on the certificate configuration page, click Upload Custom Certificate.
For Keyless Certificate, select Keyless Certificate.
Note
The Keyless certificate option is displayed only when the KeyServer feature is available. If you do not see the option, make sure that the KeyServer switch is enabled.

Fill in the certificate information:

Parameter	Description	Required
Keyless Certificate	Select the KeyServer that you configured in Step 2 from the dropdown list.	Yes
Certificate Name	A custom name for the certificate.	Yes
Certificate (Public Key)	Paste the content of your PEM-formatted certificate public key.	Yes

Note

You do not need to enter a private key for a keyless certificate. The private key is managed by your KeyServer.

Click OK.

After you complete the configuration, the keyless certificate appears in the certificate list with its Type shown as Keyless Certificate.

Verify configuration

After you configure the keyless certificate, verify that the configuration works correctly:

Use the curl command to test the HTTPS handshake:
```
curl -vI https://your-domain.com
```
The expected output should contain SSL certificate verify ok, and the certificate issuer should match your actual certificate.
In the certificate management list in the ESA console, check that the certificate's Status is Normal.

Common failure scenarios

Failure scenario	Troubleshooting
KeyServer port is unreachable.	Check that the KeyServer is running and that your firewall allows traffic to the KeyServer port. Ensure the port is accessible from the public internet to ESA edge nodes.
Incomplete certificate chain.	Ensure the uploaded certificate file contains the complete certificate chain (server certificate + intermediate certificates). Contact your certificate authority to obtain the complete chain file if needed.
KeyServer signing timeout.	Check the KeyServer's load and confirm that network latency is acceptable.

Supported plans

This feature is currently available only on the Enterprise plan.

FAQ

HTTPS performance

Yes, there is a minor impact. The TLS handshake for a new connection requires an additional communication round trip with the KeyServer. This adds one round-trip time (RTT) to the initial handshake latency. After the handshake is complete, subsequent data is transmitted using symmetric encryption, which has no performance difference compared to a standard certificate. We recommend deploying your KeyServer in a region with low network latency to minimize the impact.

KeyServer downtime

If the KeyServer becomes unavailable, new TLS connections cannot be established. Existing connections are not affected because their session keys have already been negotiated. We recommend deploying your KeyServer in a high-availability setup, for example, by placing multiple KeyServer instances behind a load balancer.

Supported certificate types

Yes, the KeyServer supports both RSA and ECC key types. You just need to place the corresponding private key file in the directory specified by the lurk_pkey_path parameter.

Self-signed certificates

Yes, the communication channel between the ESA edge node and the KeyServer can use the self-signed certificate that you generated in Step 1.