Deploy SSL certificates to cloud services

更新时间:
复制 MD 格式

This topic explains how to deploy SSL certificates to Alibaba Cloud services individually or in bulk by creating a scheduled deployment task.

Prerequisites

  • This topic does not cover Elastic Compute Service (ECS) or Simple Application Server. To deploy a certificate to an ECS instance or a Simple Application Server instance, see Update an existing certificate on an Alibaba Cloud ECS instance or a Simple Application Server instance.

  • You have purchased and applied for a certificate in Certificate Management Service, and its Status is Issued. To purchase and apply for a certificate, see Purchase a commercial certificate and Apply for a certificate.

  • The SSL certificate alias must not contain Chinese characters. The following figure shows an example.

    image

  • The domain name has an MIIT ICP filing. This is required only for services deployed in the Chinese mainland.

    How to check DNS records and ICP filing information

    Go to the Network Probe tool, select Website Diagnostic Analysis, enter the domain name, and confirm the following information:

    • DNS Provider Resolution Result:

      • If it is an A record, the IP address to which it points must be the same as the public IP address of the target server where the certificate will be deployed.

      • If it is a CNAME record, the domain name to which it points must be the same as the CNAME address provided by the traffic entry point, such as WAF, CDN, or SLB, where the certificate will be deployed.

    • Verify that the Filing Inspection status is The website has been filed. If the status is The website has not been filed, please consult the website server provider., you must complete the ICP filing before you can install the certificate.

  • Verify the certificate's status and ensure it matches the target domain names.

    Check certificate status and domain match

    On the SSL Certificate Management page, find the target certificate and check the following information:

    1. Certificate Status: Ensure the status is Issued. If the status is About to Expire or Expired, you must renew the SSL certificate.

    2. Bound Domains: Ensure the certificate covers all domain names you want to protect. Otherwise, users will see a security warning when accessing an unmatched domain name over HTTPS. To add or change a domain name, see Add and replace domain names.

      Domain name matching rules

      The Bound Domains of a certificate can include multiple exact and wildcard domain names. The matching rules are as follows:

      • Exact domain name: Secures only the specified domain name.

        • example.com secures only example.com.

        • www.example.com secures only www.example.com.

      • Wildcard domain name: Secures only its first-level subdomains.

        • *.example.com secures first-level subdomains such as www.example.com and a.example.com.

        • *.example.com does not secure the root domain name example.com or multi-level subdomains such as a.b.example.com.

      Note

      To secure a multi-level subdomain, the Bound Domains field must include that specific domain name (for example, a.b.example.com) or a corresponding wildcard domain name (for example, *.b.example.com).

Limitations

  • Deploying international standard certificates

    Note
    • If the one-click deployment feature does not support your cloud product, refer to that product's documentation to deploy the certificate.

    • In the table below, "Update existing certificate" refers to replacing a certificate that is already deployed on a cloud product.

    Cloud product

    Deployment scenarios

    Scenario

    Cloud Web Hosting

    Initial deployment, Update existing certificate

    HTTPS encrypted access for websites

    Container Registry (ACR)

    Update existing certificate

    Access a Container Registry Enterprise Edition instance over HTTPS using a custom domain name.

    Container Service for Kubernetes (ACK)

    Update existing certificate

    Update AlbConfig certificates and Secret certificates in ACK managed clusters and dedicated clusters

    Important

    Do not manually modify a Secret in ACK. The system automatically creates a new Secret.

    Serverless App Engine - gateway routing

    Update existing certificate

    Configure HTTPS as the forwarding protocol for gateway routing (ALB and CLB)

    Function Compute (FC)

    Update existing certificate

    HTTP-triggered functions

    Microservices Engine - cloud-native gateway

    Update existing certificate

    Cloud-native gateway routing

    API Gateway

    Update existing certificate

    Access an API over HTTPS using a domain name.

    Global Accelerator (GA)

    Update existing certificate

    Securely accelerate access to an HTTPS domain name

    • Application Load Balancer (ALB)

    • Network Load Balancer (NLB)

    • Classic Load Balancer (CLB)

    Update existing certificate

    Use an HTTPS listener to forward requests over HTTPS (server certificate)

    Note

    To deploy a client certificate, see Configure end-to-end HTTPS to encrypt communication.

    Content Delivery Network (CDN)

    Initial deployment, Update existing certificate

    HTTPS secure acceleration

    Dynamic Route for CDN (DCDN)

    Initial deployment, Update existing certificate

    HTTPS secure acceleration

    Edge Security Acceleration (ESA)

    Update existing certificate

    HTTPS secure acceleration

    OSS

    Update existing certificate

    Access OSS over HTTPS

    Note

    If you bind a domain name for CDN acceleration, you must replace the certificate in the CDN console.

    Web Application Firewall (WAF)

    Update existing certificate

    CNAME access

    Anti-DDoS Pro and Anti-DDoS Premium

    Update existing certificate

    Domain name access to Anti-DDoS Pro and Anti-DDoS Premium

    ApsaraVideo for Live

    Initial deployment, Update existing certificate

    HTTPS secure acceleration for stream ingest and playback

    ApsaraVideo for VOD

    Initial deployment, Update existing certificate

    Content distribution and acceleration

    Platform for AI (PAI)

    Update existing certificate

    Elastic Algorithm Service (EAS) for online model services: Use a custom domain name for a dedicated gateway

  • Deploy an SM certificate (SM2, supported only by CDN, DCDN, and Anti-DDoS Pro and Anti-DDoS Premium)

Procedure

Step 1: Purchase deployment quota

Note

Your deployment quota is consumed only when you deploy certificates of the Uploaded type. If your certificate is not of the Uploaded type, proceed directly to Step 2: Authorization Check.

  • If you have insufficient deployment quota, purchase deployment quotas. Each deployment costs CNY 30 and is valid for one year.

  • Deployment quota is not consumed for certificates other than the Uploaded type, or for certificates shared between Alibaba Cloud accounts that belong to the same identity-verified individual or enterprise. If a deployment fails, the quota is refunded.

Step 2: Check authorizations

Note

For deployment tasks that do not involve ACK, proceed to Step 3: Deploy the certificate to cloud service resources.

Before you deploy a certificate to Container Service for Kubernetes (ACK), log on to the ACK console with your Alibaba Cloud account and grant the AliyunCASDefaultRole RAM role permissions to manage the destination cluster. Otherwise, the Certificate Management Service console cannot discover the cluster namespace.

  1. Go to the Authorization Management page in the ACK console. On the RAM Roles tab, enter AliyunCASDefaultRole and click Modify Permissions.

  2. On the Permission Management tab, grant the O&M Engineer permission for the destination cluster.

    image

Step 3: Deploy the certificate

Single deployment

  1. If this is your first time using the deployment service, you must grant permissions as prompted on the page before you can create deployment tasks. For more information, see Grant permissions to access cloud resources.

  2. Log in to the Certificate Management Service console.

  3. In the navigation pane on the left, choose Certificate Management > SSL Certificate Management.

  4. On the SSL Certificate Management page, click the appropriate certificate tab. In the certificate list, find the certificate that you want to deploy and click Deploy in the Actions column.

    Certificates issued by Private CA are synchronized to the Uploaded Certificates tab, where you can manage them.

  5. On the Create Task page, in the Select Resource step, select or adjust the cloud services and resources, and then click Preview and Submit.

    • The system automatically matches cloud service resources that are already configured with an SSL certificate. In the automatic matching dialog box, click OK. The system adds the matched resources to the Selected Instances: area. You can then adjust the selection as needed.

      image

    • The system automatically discovers and retrieves all resources from your cloud services. If you cannot find a target resource, check the following:

      • In the Total Resources section, check if resource synchronization is complete. If resources are still being synchronized (indicated by a grayed-out state), wait for the process to finish. The synchronization time depends on the number of resources in your cloud services.

        image

      • If you still cannot find the resource after synchronization is complete, confirm that you meet the deployment prerequisites.

  6. In the Task Preview panel, review the certificate and resource information. If everything is correct, click Submit.

    The preview page displays the number of matching certificates for each cloud service and the deployment quota that will be consumed. A match count of 0 indicates a mismatch between the certificate and the resource, which will cause the deployment to fail. Verify your selection carefully.

Bulk deployment

  1. If this is your first time using the deployment service, you must grant permissions as prompted on the page before you can create deployment tasks. For more information, see Grant permissions to access cloud resources.

  2. Log in to the Certificate Management Service console.

  3. In the navigation pane on the left, choose Deployment and Resource Management > Deployment to Cloud Services.

  4. On the Deployment to Cloud Services page, click Create Task and deploy the SSL certificates.

    1. In the Configure Basic Information step, set the task name, contact, and deployment time. Then, click Next.

      Parameter

      Description

      Task Name

      Enter a custom name for the deployment task.

      Contact

      Select contacts to receive notifications for the deployment task. You can add up to 10 contacts.

      Deployment Time

      • Deploy Now: Deploys the certificates to the cloud services immediately.

      • Custom Time: Schedules the deployment task to start at a specific time.

    2. In the Select Certificate step, choose the SSL certificates that correspond to the cloud resources. Then, click Next.

      • Certificates issued by Private CA are synchronized to the The ID of the certificate in Alibaba Cloud. You must upload a certificate first. tab, where you can select them.

      • A single deployment task can include only certificates of one type.

    3. In the Select Resource step, select or adjust the cloud services and resources, and then click Preview and Submit.

      Note

      Bulk deployment is not supported for Server Load Balancer (SLB) scenarios where a single listener is bound to multiple server certificates.

      • The system automatically matches cloud service resources that are already configured with an SSL certificate. In the automatic matching dialog box, click OK. The system adds the matched resources to the Selected Resources area. You can then adjust the selection as needed.

        image

      • The system automatically discovers and retrieves all resources from your cloud services. If you cannot find a target resource, check the following:

        • In the The total resource requests for all replicated pods exceed the recommended resource requests (4 vCores and 8 GB of memory). This may lead to quick consumption of resource plans. section, check if resource synchronization is complete. If resources are still being synchronized (indicated by a grayed-out state), wait for the process to finish. The synchronization time depends on the number of resources.

          image

        • If you still cannot find the resource after synchronization is complete, confirm that your scenario supports initial certificate deployment. For more information, see Prerequisites.

    4. In the Task Preview panel, review the certificate and resource information. If everything is correct, click Submit.

      The preview page displays the number of matching certificates for each cloud service and the deployment quota that will be consumed. A match count of 0 indicates a mismatch between the certificates and the resources, which will cause the deployment to fail. Verify your selections carefully.

Related operations

View deployment task details

  1. On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.

  2. On the task details page, you can view the deployment status for each instance resource. If a resource deployment fails, check the Actions column for the reason and take the appropriate action.

    If you cannot determine the specific reason for the failure, contact a product technical expert for assistance. For more information, see One-on-one expert service.

Roll back a deployment task

Important

Deployment quota is not refunded after a successful rollback.

After a certificate is deployed successfully, if an incorrect certificate was deployed or you need to undo the deployment, you can roll back to the previous state:

  1. On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.

  2. On the task details page, click the cloud service, find the instance resource, and then click Roll Back in the Actions column.

    After a successful rollback, the task status changes to Rolled Back.

Delete a deployment task

Important

Deleted tasks cannot be recovered. Proceed with caution.

On the Deployment to Cloud Services page, find the deployment task and click Delete in the Actions column. You can also select multiple deployment tasks and click Delete at the bottom of the list.

FAQ

Can SSL certificates be deployed to cloud products across different Alibaba Cloud accounts?

SSL certificates cannot be directly deployed across different accounts.

  • If accounts belong to the same entity that has completed identity verification, you can use the certificate sharing feature for free cross-account deployment. For more information, see Upload, sync, and share SSL certificates.

  • If the accounts belong to different entities, you must download the certificate from the original account and then manually upload and deploy it in the target account.

After a certificate is successfully deployed, is HTTPS automatically enabled on the cloud product?

No. A successful deployment in the Certificate Management Service console only means the certificate has been delivered to the corresponding cloud product. You must still go to that product's console to enable and configure it for HTTPS traffic.

Why is the number of cloud resources displayed as 0 during deployment?

When you create a deployment task, the system automatically discovers resources. If you cannot find a target resource, check the following:

  • In the Total Resources area, confirm that resource synchronization is complete. If resources are still being synchronized (indicated by a grayed-out state), wait. The synchronization time depends on the number of your resources.

    image

  • If you still cannot find the resource after synchronization is complete, confirm if your scenario supports initial deployment. If not, you may need to deploy it in the console of the corresponding cloud product first. For more information, see initial configuration.