To configure an HTTPS listener for a CLB instance, you must first create a certificate.
Certificate overview
CLB supports two authentication modes:
- One-way authentication: CLB requires only a server certificate. In this mode, the client verifies the identity of the server.
- mTLS: CLB requires both a server certificate and a CA certificate. In this mode, the client and the server authenticate each other.
CLB supports certificates from two sources:
- Alibaba Cloud Certificate Management Service: You can directly select a certificate that you have purchased or uploaded to Alibaba Cloud Certificate Management Service. This method enables centralized management, expiration reminders, and one-click renewals. This source supports only server certificates and does not support CA certificates.
- Third-party certificate: You can upload a certificate issued by another provider or a self-signed certificate. With this method, you must manually provide the public key and private key of the certificate. This source supports both server certificates and CA certificates.
After you upload a certificate to CLB, CLB manages the certificate. You do not need to bind the certificate to your backend servers.
Create a certificate
Alibaba Cloud certificates
- Ensure you have purchased or uploaded the required certificate in the Certificate Management Service console.
- Log on to the CLB console.
- In the navigation pane, choose .
- On the Certificates page, click Add Certificate.
- In the Add Certificate panel, select Alibaba Cloud Certificates, select your SSL certificate from the list, and then select the deployment regions.
  Certificates are region-specific. If you want to use a certificate in multiple regions, select all required regions.
- Click Create. After the certificate is created, it appears on the Certificates page.
Third-party certificates
- Before you begin:
  - Prepare the public key and private key files of the server certificate in PEM format.
  - For mTLS, you must also prepare the public key file of the CA certificate in PEM format.
- Log on to the CLB console.
- In the navigation pane, choose .
- On the Certificates page, click Add Certificate.
- In the Add Certificate panel, select Third-party Certificates, configure the following parameters, and then click Create.

  Certificate Type: Select the type of certificate to upload:
  - Server Certificate: To configure one-way authentication, upload only the server certificate and its private key.
  - CA Certificate: To configure mTLS, you must upload a CA certificate in addition to the server certificate.

  Public Key Certificate: Paste the content of the server certificate or CA certificate. The public key certificate contains the public key, signature, and other information.
  CLB uses certificates in Nginx format. Certificate files in Nginx format that you obtain from a certificate provider usually have a .pem extension, but can also have other extensions such as .crt.
  Click View Sample to see the correct certificate format. For more information, see Certificate requirements.

  Private Key: Paste the private key of the server certificate. Private key files in Nginx format that you obtain from a certificate provider usually have a .key extension.
  Click View Sample to see the correct key format. For more information, see Private key format requirements.
  Important: A private key is required only when you upload a server certificate.

  Region: Select the region where you want to deploy the certificate.
  A certificate can be used only in the regions where it is deployed. If you need to use the certificate in multiple regions, select all required regions.
More information
Limitations
- A certificate can be used in multiple regions. Each region is limited to 100 server certificates and 100 CA certificates.
- CLB supports the following public key algorithms: RSA 1024, RSA 2048, and RSA 4096.
- Uploaded certificates must be in PEM format. PEM files that contain the BEGIN DH PARAMETERS string are not supported, because HTTPS listeners use ECDHE cipher suites, which provide perfect forward secrecy, and do not support the DH parameter files that DHE cipher suites require.
- Certificates cannot be shared between accounts. To use a certificate in another account, you must first download it in Nginx format from its original account, and then import it into the target account.
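As an added example, not Alibaba Cloud's own tooling or any CLB API, the following POSIX shell script runs the checks implied by the requirements above before a third-party certificate is uploaded: the files are PEM text, no DH PARAMETERS block is present, the private key is RSA with a 1024, 2048 or 4096 bit modulus, the key belongs to the server certificate, and, for mTLS, the CA file parses as an X.509 certificate. It requires the openssl command line tool; the file names and the self-signed demo certificate it generates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud's own tooling: pre-upload checks for the
# third-party certificate path described on this page. Requires the openssl CLI.
# File names are assumptions; the demo certificate at the bottom is constructed.
set -eu

# PEM text with no "BEGIN DH PARAMETERS" block (CLB rejects DH parameter files).
pem_clean() {
    grep -q -- '-----BEGIN ' "$1" || { echo "FAIL $1: not a PEM file"; return 1; }
    if grep -q -- 'BEGIN DH PARAMETERS' "$1"; then
        echo "FAIL $1: contains a DH PARAMETERS block; remove it before upload"
        return 1
    fi
    return 0
}

# The private key must be RSA and its modulus size one that CLB accepts.
key_supported() {
    openssl rsa -in "$1" -noout -check >/dev/null 2>&1 \
        || { echo "FAIL $1: not an RSA private key (only RSA is supported)"; return 1; }
    # "Public-Key: (2048 bit)" on OpenSSL 3, "RSA Public-Key: (2048 bit)" on 1.1.1
    bits=$(openssl pkey -in "$1" -pubout 2>/dev/null \
        | openssl pkey -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    case "$bits" in
        1024|2048|4096) return 0 ;;
        *) echo "FAIL $1: RSA ${bits:-?} bit key; CLB accepts 1024, 2048 or 4096"; return 1 ;;
    esac
}

# The certificate's public key must be the one derived from the private key.
pair_matches() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 \
        || { echo "FAIL $1: not an X.509 certificate"; return 1; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL $1 / $2: certificate and private key do not match"; return 1; }
}

# For mTLS the CA file must be an X.509 certificate; warn if it lacks CA:TRUE.
ca_ok() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 \
        || { echo "FAIL $1: CA file is not an X.509 certificate"; return 1; }
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || echo "WARN $1: certificate has no basicConstraints CA:TRUE"
    return 0
}

# clb_precheck SERVER_CERT SERVER_KEY [CA_CERT]
# One-way authentication needs the first two files; mTLS also needs the CA certificate.
clb_precheck() {
    pem_clean "$1" && pem_clean "$2" && key_supported "$2" && pair_matches "$1" "$2" || return 1
    if [ $# -ge 3 ]; then
        pem_clean "$3" && ca_ok "$3" || return 1
    fi
    echo "OK: $1 + $2${3:+ + $3} pass the CLB pre-upload checks"
    return 0
}

# Stand-alone demo on a constructed self-signed certificate (paths are assumptions).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=clb-demo.example' \
    -keyout "$demo_dir/server.key" -out "$demo_dir/server.pem" 2>/dev/null
clb_precheck "$demo_dir/server.pem" "$demo_dir/server.key"
```

Run it with the real file paths in place of the demo ones; a FAIL line names the file and the requirement it misses, so the problem (an EC key, a 3072 bit modulus, a key that belongs to a different certificate, or a leftover DH parameter block) is visible before the console rejects the upload.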