This topic explains how to deploy SSL certificates to Alibaba Cloud services individually or in bulk by creating a scheduled deployment task.
Prerequisites
This topic does not cover Elastic Compute Service (ECS) or Simple Application Server. To deploy a certificate to an ECS instance or a Simple Application Server instance, see Update an existing certificate on an Alibaba Cloud ECS instance or a Simple Application Server instance.
You have purchased and applied for a certificate in Certificate Management Service, and its Status is Issued. To purchase and apply for a certificate, see Purchase a commercial certificate and Apply for a certificate.
The SSL certificate alias must not contain Chinese characters. The following figure shows an example.

The domain name has an MIIT ICP filing. This is required only for services deployed in the Chinese mainland.
Verify the certificate's status and ensure it matches the target domain names.
Limitations
Deploying international standard certificates
NoteIf the one-click deployment feature does not support your cloud product, refer to that product's documentation to deploy the certificate.
In the table below, "Update existing certificate" refers to replacing a certificate that is already deployed on a cloud product.
Cloud product
Deployment scenarios
Scenario
Cloud Web Hosting
Initial deployment, Update existing certificate
HTTPS encrypted access for websites
Container Registry (ACR)
Update existing certificate
Access a Container Registry Enterprise Edition instance over HTTPS using a custom domain name.
Container Service for Kubernetes (ACK)
Update existing certificate
Update AlbConfig certificates and Secret certificates in ACK managed clusters and dedicated clusters
ImportantDo not manually modify a Secret in ACK. The system automatically creates a new Secret.
Serverless App Engine - gateway routing
Update existing certificate
Configure HTTPS as the forwarding protocol for gateway routing (ALB and CLB)
Function Compute (FC)
Update existing certificate
HTTP-triggered functions
Microservices Engine - cloud-native gateway
Update existing certificate
Cloud-native gateway routing
API Gateway
Update existing certificate
Access an API over HTTPS using a domain name.
Global Accelerator (GA)
Update existing certificate
Securely accelerate access to an HTTPS domain name
Application Load Balancer (ALB)
Network Load Balancer (NLB)
Classic Load Balancer (CLB)
Update existing certificate
Use an HTTPS listener to forward requests over HTTPS (server certificate)
NoteTo deploy a client certificate, see Configure end-to-end HTTPS to encrypt communication.
Content Delivery Network (CDN)
Initial deployment, Update existing certificate
HTTPS secure acceleration
Dynamic Route for CDN (DCDN)
Initial deployment, Update existing certificate
HTTPS secure acceleration
Edge Security Acceleration (ESA)
Update existing certificate
HTTPS secure acceleration
OSS
Update existing certificate
Access OSS over HTTPS
NoteIf you bind a domain name for CDN acceleration, you must replace the certificate in the CDN console.
Web Application Firewall (WAF)
Update existing certificate
CNAME access
Anti-DDoS Pro and Anti-DDoS Premium
Update existing certificate
Domain name access to Anti-DDoS Pro and Anti-DDoS Premium
ApsaraVideo for Live
Initial deployment, Update existing certificate
HTTPS secure acceleration for stream ingest and playback
ApsaraVideo for VOD
Initial deployment, Update existing certificate
Content distribution and acceleration
Platform for AI (PAI)
Update existing certificate
Elastic Algorithm Service (EAS) for online model services: Use a custom domain name for a dedicated gateway
Deploy an SM certificate (SM2, supported only by CDN, DCDN, and Anti-DDoS Pro and Anti-DDoS Premium)
Content Delivery Network (CDN): Use the SetCdnDomainSMCertificate operation to configure an SM certificate.
Dynamic Route for CDN (DCDN): Configure SM HTTPS.
Anti-DDoS Pro and Anti-DDoS Premium: Replace an HTTPS server certificate.
Procedure
Step 1: Purchase deployment quota
Your deployment quota is consumed only when you deploy certificates of the Uploaded type. If your certificate is not of the Uploaded type, proceed directly to Step 2: Authorization Check.
If you have insufficient deployment quota, purchase deployment quotas. Each deployment costs CNY 30 and is valid for one year.
Deployment quota is not consumed for certificates other than the Uploaded type, or for certificates shared between Alibaba Cloud accounts that belong to the same identity-verified individual or enterprise. If a deployment fails, the quota is refunded.
Step 2: Check authorizations
For deployment tasks that do not involve ACK, proceed to Step 3: Deploy the certificate to cloud service resources.
Before you deploy a certificate to Container Service for Kubernetes (ACK), log on to the ACK console with your Alibaba Cloud account and grant the AliyunCASDefaultRole RAM role permissions to manage the destination cluster. Otherwise, the Certificate Management Service console cannot discover the cluster namespace.
Go to the Authorization Management page in the ACK console. On the RAM Roles tab, enter
AliyunCASDefaultRoleand click Modify Permissions.On the Permission Management tab, grant the O&M Engineer permission for the destination cluster.

Step 3: Deploy the certificate
Single deployment
If this is your first time using the deployment service, you must grant permissions as prompted on the page before you can create deployment tasks. For more information, see Grant permissions to access cloud resources.
Log in to the Certificate Management Service console.
In the navigation pane on the left, choose .
On the SSL Certificate Management page, click the appropriate certificate tab. In the certificate list, find the certificate that you want to deploy and click Deploy in the Actions column.
Certificates issued by Private CA are synchronized to the Uploaded Certificates tab, where you can manage them.
On the Create Task page, in the Select Resource step, select or adjust the cloud services and resources, and then click Preview and Submit.
The system automatically matches cloud service resources that are already configured with an SSL certificate. In the automatic matching dialog box, click OK. The system adds the matched resources to the Selected Instances: area. You can then adjust the selection as needed.

The system automatically discovers and retrieves all resources from your cloud services. If you cannot find a target resource, check the following:
In the Total Resources section, check if resource synchronization is complete. If resources are still being synchronized (indicated by a grayed-out state), wait for the process to finish. The synchronization time depends on the number of resources in your cloud services.

If you still cannot find the resource after synchronization is complete, confirm that you meet the deployment prerequisites.
In the Task Preview panel, review the certificate and resource information. If everything is correct, click Submit.
The preview page displays the number of matching certificates for each cloud service and the deployment quota that will be consumed. A match count of 0 indicates a mismatch between the certificate and the resource, which will cause the deployment to fail. Verify your selection carefully.
Bulk deployment
If this is your first time using the deployment service, you must grant permissions as prompted on the page before you can create deployment tasks. For more information, see Grant permissions to access cloud resources.
Log in to the Certificate Management Service console.
In the navigation pane on the left, choose .
On the Deployment to Cloud Services page, click Create Task and deploy the SSL certificates.
In the Configure Basic Information step, set the task name, contact, and deployment time. Then, click Next.
Parameter
Description
Task Name
Enter a custom name for the deployment task.
Contact
Select contacts to receive notifications for the deployment task. You can add up to 10 contacts.
Deployment Time
Deploy Now: Deploys the certificates to the cloud services immediately.
Custom Time: Schedules the deployment task to start at a specific time.
In the Select Certificate step, choose the SSL certificates that correspond to the cloud resources. Then, click Next.
Certificates issued by Private CA are synchronized to the The ID of the certificate in Alibaba Cloud. You must upload a certificate first. tab, where you can select them.
A single deployment task can include only certificates of one type.
In the Select Resource step, select or adjust the cloud services and resources, and then click Preview and Submit.
NoteBulk deployment is not supported for Server Load Balancer (SLB) scenarios where a single listener is bound to multiple server certificates.
The system automatically matches cloud service resources that are already configured with an SSL certificate. In the automatic matching dialog box, click OK. The system adds the matched resources to the Selected Resources area. You can then adjust the selection as needed.

The system automatically discovers and retrieves all resources from your cloud services. If you cannot find a target resource, check the following:
In the The total resource requests for all replicated pods exceed the recommended resource requests (4 vCores and 8 GB of memory). This may lead to quick consumption of resource plans. section, check if resource synchronization is complete. If resources are still being synchronized (indicated by a grayed-out state), wait for the process to finish. The synchronization time depends on the number of resources.

If you still cannot find the resource after synchronization is complete, confirm that your scenario supports initial certificate deployment. For more information, see Prerequisites.
In the Task Preview panel, review the certificate and resource information. If everything is correct, click Submit.
The preview page displays the number of matching certificates for each cloud service and the deployment quota that will be consumed. A match count of 0 indicates a mismatch between the certificates and the resources, which will cause the deployment to fail. Verify your selections carefully.
Related operations
View deployment task details
On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.
On the task details page, you can view the deployment status for each instance resource. If a resource deployment fails, check the Actions column for the reason and take the appropriate action.
If you cannot determine the specific reason for the failure, contact a product technical expert for assistance. For more information, see One-on-one expert service.
Roll back a deployment task
Deployment quota is not refunded after a successful rollback.
After a certificate is deployed successfully, if an incorrect certificate was deployed or you need to undo the deployment, you can roll back to the previous state:
On the Deployment to Cloud Services page, find the deployment task and click Details in the Actions column.
On the task details page, click the cloud service, find the instance resource, and then click Roll Back in the Actions column.
After a successful rollback, the task status changes to Rolled Back.
Delete a deployment task
Deleted tasks cannot be recovered. Proceed with caution.
On the Deployment to Cloud Services page, find the deployment task and click Delete in the Actions column. You can also select multiple deployment tasks and click Delete at the bottom of the list.
FAQ
Can SSL certificates be deployed to cloud products across different Alibaba Cloud accounts?
SSL certificates cannot be directly deployed across different accounts.
If accounts belong to the same entity that has completed identity verification, you can use the certificate sharing feature for free cross-account deployment. For more information, see Upload, sync, and share SSL certificates.
If the accounts belong to different entities, you must download the certificate from the original account and then manually upload and deploy it in the target account.
After a certificate is successfully deployed, is HTTPS automatically enabled on the cloud product?
No. A successful deployment in the Certificate Management Service console only means the certificate has been delivered to the corresponding cloud product. You must still go to that product's console to enable and configure it for HTTPS traffic.
Why is the number of cloud resources displayed as 0 during deployment?
When you create a deployment task, the system automatically discovers resources. If you cannot find a target resource, check the following:
In the Total Resources area, confirm that resource synchronization is complete. If resources are still being synchronized (indicated by a grayed-out state), wait. The synchronization time depends on the number of your resources.

If you still cannot find the resource after synchronization is complete, confirm if your scenario supports initial deployment. If not, you may need to deploy it in the console of the corresponding cloud product first. For more information, see initial configuration.