This topic describes how to issue a client certificate or a server certificate by using a private CA.
Prerequisites
You have purchased and enabled a subordinate private CA. For more information, see Purchase and enable a private CA.
Ensure that the Remaining Certificates value for your subordinate private CA is greater than 0. To purchase and allocate a private certificate quota, see Allocate a private certificate quota.
Procedure
1. Log in to the Certificate Management Service console.
2. In the navigation pane on the left, choose . On the Private Certificate Management page, select the region where the PCA service is located.
3. On the Private CAs tab, find the target subordinate private CA and click Apply for Certificate in the Actions column.
4. In the Apply for Certificate panel, configure the certificate settings as described in the table below, and then click Confirm.
5. After you submit the application, the private certificate is issued immediately. To view the details of the issued certificate, click Certificates in the Actions column for the subordinate private CA.
| Parameter | Description |
| --- | --- |
| Certificate Type | Server Certificate: Installed on an application server. Client Certificate: Installed on a client that accesses an application. |
| Personal Name | Required only for a client certificate. A unique identifier for the client user. |
| Common Name (CN) | Required only for a server certificate. The Common Name (CN) of the private certificate's subject. Enter a domain name or an IP address. |
| Validity Period | The validity period of a private certificate depends on the service duration of your subordinate private CA. If the service duration is less than one year, the validity period of the private certificate cannot exceed the service duration of your private CA. For example, if you purchased a one-month service for your private CA, the maximum validity period of an issued certificate is 31 days. If you need a longer validity period, you can renew your private CA service to extend its duration. For more information, see Renewal instructions. If the service duration is one year or longer, you can set a validity period of 1 to 100 years. |
| SAN | If the certificate must support multiple subjects, use the SAN extension to add them. For a server certificate, you can specify a service domain name or a server IP address. For a client certificate, you can specify a user email address or a URI. You can add up to 10 SAN extension attributes. Note: SAN (Subject Alternative Name) is an extension to the X.509 standard. An SSL certificate that uses the SAN extension can support multiple domain names. A URI (Uniform Resource Identifier) identifies the Alibaba Cloud resource to which the certificate belongs. For example, you can use a URI to identify the ECS instance where the private certificate is deployed. |
| More | To add details such as a certificate name, company, and department information, click More. |
| Include CRL Address | Enabled by default. For more information about CRL (Certificate Revocation List), see CRL service. |
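The following pre-submission check is an added example, not part of the original documentation or of the Certificate Management Service API. It applies the rules from the parameter table to a planned request so that mistakes are caught before the values are entered in the console; the function names, the day-based validity arguments and the 365-day year are assumptions.

```python
import ipaddress
import re

MAX_SANS = 10  # table: up to 10 SAN extension attributes
ALLOWED_SAN = {"server": {"dns", "ip"}, "client": {"email", "uri"}}
_DNS = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*"
                  r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)
_EMAIL = re.compile(r"^[^@\s:]+@[^@\s]+\.[^@\s]+$")
_URI = re.compile(r"^[a-z][a-z0-9+.-]*:\S+$", re.I)


def san_kind(value):
    """Classify a value as 'ip', 'email', 'uri' or 'dns'; None if none fit."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    for kind, pattern in (("email", _EMAIL), ("uri", _URI), ("dns", _DNS)):
        if pattern.match(value):
            return kind
    return None


def validate_request(cert_type, validity_days, ca_service_days,
                     common_name=None, personal_name=None, sans=()):
    """Return a list of rule violations; an empty list means the request fits."""
    if cert_type not in ALLOWED_SAN:
        return [f"unknown certificate type: {cert_type!r}"]
    errors = []
    if cert_type == "server" and san_kind(common_name or "") not in ("dns", "ip"):
        errors.append("server certificate CN must be a domain name or IP address")
    if cert_type == "client" and not (personal_name or "").strip():
        errors.append("client certificate requires a Personal Name")
    if len(sans) > MAX_SANS:
        errors.append(f"{len(sans)} SAN entries exceed the limit of {MAX_SANS}")
    for san in sans:
        kind = san_kind(san)
        if kind not in ALLOWED_SAN[cert_type]:
            errors.append(f"SAN {san!r} ({kind}) not valid for a {cert_type} certificate")
    if ca_service_days < 365:  # short-lived CA: certificate cannot outlive the service
        if not 1 <= validity_days <= ca_service_days:
            errors.append("validity must be between 1 day and the CA service duration")
    elif not 365 <= validity_days <= 100 * 365:  # 1 to 100 years, 365-day years assumed
        errors.append("validity must be between 1 and 100 years")
    return errors
```

The uniqueness of Personal Name cannot be checked locally and is left to the service.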
Next steps
After the private certificate is issued, download and install it on the appropriate client or server. For more information, see Download a private certificate and Best practices for installing a private certificate on a server.