Multi-cloud deployment: Deploy certificates to third-party cloud platforms


If your cloud services are not hosted on Alibaba Cloud, you can deploy SSL certificates to third-party cloud products through the Digital Certificate Management Service after the certificates are issued. This simplifies the certificate migration and configuration process.

Limits

You can deploy SSL certificates to the following third-party cloud platforms and products:

| Cloud platform | Cloud product |
|---|---|
| Tencent Cloud | Content Delivery Network (CDN); Cloud Load Balancer (CLB); Web Application Firewall (WAF) |
| AWS | Amazon CloudFront (CDN); Elastic Load Balancing (ALB, NLB, and CLB) |
| Huawei Cloud | Content Delivery Network (CDN); Elastic Load Balance (ELB) |

Note

If you need to deploy certificates to other cloud products, contact your One-on-one expert service to submit a request to the product team.

Prerequisites

  • You have purchased and applied for a certificate by using the SSL Certificates Service, and its Status is Issued. To purchase and apply for a certificate, see Purchase a paid certificate and Apply for a certificate.

  • The domain name has completed MIIT ICP filing (for services deployed in the Chinese mainland only).

    How to check DNS records and ICP filing information

    Open the Network Probe Tool, select Network Diagnostic Analysis, enter your domain name, and confirm the following information:

    • DNS Provider Resolution Result:

      • If the DNS record is an A record, it must point to the public IP address of the target server where you want to deploy the certificate.

      • If the DNS record is a CNAME record, it must point to the CNAME provided by the traffic entry point, such as WAF, CDN, or ALB.

    • The ICP Filing Check status is ICP Filed. If the status is "The website is not ICP filed. Please contact the website server provider.", you must complete the ICP filing before you install the certificate.

Procedure

Step 1: Purchase deployment quotas

Note

Deployment quotas are consumed only when you deploy Uploaded certificates. For other certificate types, go directly to Step 2: Connect to a third-party cloud account.

  • If you have insufficient deployment quotas, purchase deployment quotas.

  • Deployment quotas are not consumed in the following scenarios:

    • The certificate type is not Uploaded.

    • The certificate is shared between Alibaba Cloud accounts that belong to the same verified individual or enterprise.

    If a deployment fails, the consumed deployment quota is returned.

Step 2: Connect to a third-party cloud account

Before deploying an SSL certificate to a third-party cloud product, you must authorize the corresponding permission policies for a sub-user on the third-party cloud platform and then connect the sub-user's AccessKey pair to Alibaba Cloud.

  1. Log in to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Comprehensive Management > Multi-cloud AK Management.

  3. On the Multi-cloud AK Management page, click Add Authorization.

  4. Click the target cloud service provider and configure the user account by following the on-screen instructions.

    The following example demonstrates how to authorize a Tencent Cloud sub-user (for reference only):

    1. Log on to the Tencent Cloud console, go to the User List, and click Create User.

    2. On the Create User page, click Quick Create.

    3. On the Quick Create User page, configure the user information.

      • Username: Enter a custom username.

      • Access Mode: Click the icon and select Programmatic Access.

      • User Permissions: Click the icon, and select QcloudSSLFullAccess (full read and write access for SSL certificates) and the read and write permissions for the corresponding cloud product.

        Note

        For example, to deploy an Alibaba Cloud certificate to Tencent Cloud CDN, you must also grant QcloudCDNFullAccess (full read and write access for Content Delivery Network).

      The following example shows a successfully created user:

    4. On the Submit AK wizard in the Digital Certificate Management Service console, enter the Tencent Cloud sub-user or main account credentials, and click OK.

Step 3: Deploy the SSL certificate to a third-party cloud product

  1. In the navigation pane on the left, choose Deployment and Resource Management > Multi-cloud Deployment.

  2. On the Multi-cloud Deployment page, click Create Task and complete the certificate deployment by performing the following steps.

    1. On the Configure Basic Information wizard page, configure the deployment task name, select an AccessKey pair, specify contacts and a deployment time, and then click Next.

      | Parameter | Description |
      |---|---|
      | Task Name | Customize the name of the deployment task. |
      | Select AK | Select the third-party cloud account that you connected in Step 2. If no AccessKey pair is available, click Add New AK and configure the AccessKey pair by referring to Supported third-party cloud products. |
      | Contact | Select contacts to receive deployment task notifications. You can add up to 10 contacts. |
      | Deployment Time | Deploy Now: Immediately deploy the certificate to the corresponding cloud product. Custom Time: Specify a time to run the deployment task. The system automatically starts the task at the specified time. |

    2. On the Select Certificate wizard page, select the SSL certificate that corresponds to the cloud product resource (you can select one or more certificates), and then click Next.

      • Certificates issued by the Private Certificate Authority (PCA) service are synchronized to the Uploaded Certificates tab, where you can select them.

      • A single deployment task supports only one certificate type.

    3. On the Select Resource wizard page, the system automatically identifies and retrieves all resources from the corresponding cloud product. Select the target cloud product and resources (you can select one or more), and then click Preview and Submit.

    4. On the Task Preview page, confirm that the certificate instance and cloud product resource information are correct, and then click Submit.

      The preview page displays the number of certificates that match the cloud product and the deployment quotas to be consumed.

      • If the number of matching certificates is 0, the selected certificates do not match the cloud product resources, and the deployment will fail. Carefully verify your certificate selection.

      • The consumed deployment quota is based on the number of resources matched by the uploaded certificate. If a match is found but the deployment ultimately fails after the task starts, the consumed quota for that resource is returned.

Step 4: Verify whether the SSL certificate is installed

  1. Access your domain name over HTTPS. Example: https://example.com. Replace example.com with your actual domain name.

  2. If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If an access error occurs or the lock icon does not appear, clear your browser's cache or try again in incognito or private mode.

    Starting with Chrome 117, the lock icon in the address bar has been replaced by a new icon. Click this icon to view the security lock information.

Note

If the issue persists, see FAQ for troubleshooting.
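
The lock icon only shows that some trusted certificate is being served, which may still be the previous one. The following check is an added example, not part of the original documentation or of Alibaba Cloud's tooling: it compares the certificate an endpoint actually serves with the certificate file that was deployed and reports the remaining validity. The function names, the 30-day threshold, and the assumption that the downloaded PEM file lists the leaf certificate first are illustrative.

```python
import hashlib
import socket
import ssl
import time

END = "-----END CERTIFICATE-----"

def pem_fingerprint(pem_text):
    """SHA-256 fingerprint of the first certificate in a PEM file.
    Assumption: the file lists the leaf first, followed by any intermediates."""
    leaf = pem_text.strip().split(END)[0] + END
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()

def fetch_served(host, port=443, timeout=5):
    """TLS handshake with chain and hostname validation enabled.
    Returns the served leaf certificate (DER bytes) and its notAfter string."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()["notAfter"]

def assess(served_der, not_after, issued_pem, now=None, min_days=30):
    """Compare what the endpoint serves with the certificate that was deployed."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
    served_fp = hashlib.sha256(served_der).hexdigest()
    problems = []
    if served_fp != pem_fingerprint(issued_pem):
        # Typical after a deployment that has not propagated, or when the
        # certificate was bound to a different resource than the one serving traffic.
        problems.append("endpoint still serves a different certificate")
    if days_left < min_days:  # illustrative threshold, not a service default
        problems.append(f"certificate expires in {days_left} days")
    return {"fingerprint": served_fp, "days_left": days_left, "problems": problems}

if __name__ == "__main__":
    import sys
    # Usage: python check_cert.py example.com /path/to/deployed-cert.pem
    host, pem_path = sys.argv[1], sys.argv[2]
    der, not_after = fetch_served(host)
    with open(pem_path) as fh:
        print(assess(der, not_after, fh.read()))
```

A failed handshake in `fetch_served` (an `ssl.SSLCertVerificationError`) means the chain or hostname does not validate at all, which is a different fault from a valid but outdated certificate.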

Next steps (Optional)

Enable domain monitoring

After the certificate is deployed, we recommend that you enable domain name monitoring. The system automatically checks the validity period of the certificate and sends reminders before the certificate expires. This helps you renew the certificate in a timely manner to prevent service interruptions. For more information, see Purchase and enable public domain name monitoring.

FAQ

Certificate not working or HTTPS inaccessible

Common causes include:

Cross-account certificate deployment

You cannot directly deploy Alibaba Cloud SSL certificates across different accounts.

  • If multiple accounts belong to the same verified identity, you can use the certificate sharing feature to deploy certificates across accounts at no charge. For more information, see Upload, synchronize, and share SSL certificates.

  • If the accounts belong to different verified identities, you must download the certificate from the source account and then manually upload and deploy it to the destination account.

Does deployment enable HTTPS automatically?

Deploying a certificate from the SSL Certificates Service console only pushes it to the target cloud service. You must still verify the deployment in that service's management console.