A CSR (Certificate Signing Request) is the request file from which an SSL certificate is issued. It contains the public key, the certificate holder's subject information, and geographic location information, and must be submitted to a CA for review. Alibaba Cloud automatically generates a CSR when you create a certificate. You need to create a CSR manually only when you want to customize the key algorithm and its strength. After creation, you can select the existing CSR when submitting a certificate application. This topic describes how to create, upload, and manage CSR files.
Create a CSR
When you create a CSR in the console, the system automatically manages the private key without requiring you to store it manually. A manually created CSR can only be used within the same account and region.
The key algorithm of the CSR must match the certificate order. Otherwise, the certificate application will fail.
1. Log in to the Certificate Management Service console.
2. In the left-side navigation pane, choose .
3. On the CSR Management tab, click Create CSR.
4. In the CSR Generator panel, configure the CSR parameters described in the following table, and then click Generate Certificate CSR.
| Parameter | Description |
| --- | --- |
| CSR Name | Specify a custom CSR name. The name can be up to 50 characters in length, and can contain uppercase and lowercase letters (a to z and A to Z), digits (0 to 9), underscores (_), hyphens (-), and periods (.). |
| Domains | Enter the domain name for which you want to apply for a certificate. Note: You can enter only one domain name here. To apply for an SSL certificate for multiple domain names, enter the other domain names in the SANs field. |
| SANs | Enter other domain names that share the same certificate with the Domains domain. You can enter multiple domain names separated by commas (,). Example: To bind www.aliyundoc.com, example.aliyundoc.com, and test.aliyundoc.com to the same SSL certificate, set Domains to www.aliyundoc.com, and set SANs to example.aliyundoc.com,test.aliyundoc.com. |
| Contact | Select the contact information of the person responsible for certificate management, including the name and phone number. If you have not created a contact, click Create Contact to create one. Digital Certificate Management Service saves the contact information for future use. For more information about how to create a contact, see Configure contacts. |
| Company | Select the company information for the certificate application, including the company name and phone number. If you have not created company information, click Create Company Profile to create one. Digital Certificate Management Service saves the company information for future use. For more information about how to create company information, see Configure company information. |
| Encryption Algorithm | Select the key algorithm type. Valid values: RSA (default): The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. ECC: The ECC algorithm is an encryption algorithm based on elliptic curves. Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers. SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. This algorithm is suitable for government agencies, public institutions, large state-owned enterprises, and financial banks that need to implement localization transformation and comply with Chinese cryptographic algorithm requirements. |
| Encryption Strength | Select the key strength. RSA algorithm: 2048, 3072, 4096. ECC algorithm: p256, p384, p512. SM2 algorithm: 256. |
When you subsequently submit a certificate application, you can set CSR Generation to Select Existing CSR and select the CSR you created. For more information, see Apply for a certificate.
Upload a CSR
If you have already generated a CSR file locally, you can upload it to the console for centralized management and use when applying for certificates. You do not need to provide the private key file when uploading a CSR.
1. Log in to the Certificate Management Service console.
2. In the left-side navigation pane, choose .
3. On the CSR Management tab, click Upload CSR.
4. In the Upload CSR panel, configure the following parameters and click OK.
| Parameter | Description |
| --- | --- |
| CSR Name | Specify a custom CSR name. The name can be up to 50 characters in length, and can contain uppercase and lowercase letters (a to z and A to Z), digits (0 to 9), underscores (_), and hyphens (-). |
| CSR File | Enter the CSR file content. You can open the CSR file with a text editor, copy all the content, and paste it into the text box. Alternatively, click Upload and Parse File below the text box to select and upload a CSR file from your local computer. The system automatically parses and populates the file content. |
| Private Key Content | Enter the PEM-encoded certificate private key. You can open the KEY-format private key file with a text editor, copy the content, and paste it into this text box. Alternatively, click Upload and Parse File below the text box to select and upload a private key file from your local computer. |
When you subsequently submit a certificate application, you can set CSR Generation to Select Existing CSR and select the CSR you uploaded. For more information, see Apply for a certificate.
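For a CSR generated locally, the following is an added example, not part of the original page and not Alibaba Cloud code. It uses the OpenSSL command line (version 1.1.1 or later is assumed) to create a key and CSR for the RSA sizes and the p256 and p384 curves listed above, then checks the key algorithm, strength, SANs, and key-to-CSR match before upload. The function names and the choice to repeat the primary domain in subjectAltName are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not Alibaba Cloud code): build a CSR locally and check it before upload.
set -eu

# make_csr <dir> <domain> <comma-separated SANs> <rsa:2048|rsa:3072|rsa:4096|ec:p256|ec:p384>
make_csr() {
  dir=$1 domain=$2 sans=$3 alg=$4
  case "$alg" in
    rsa:2048|rsa:3072|rsa:4096) keyopt="-newkey $alg" ;;
    ec:p256) keyopt="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1" ;;
    ec:p384) keyopt="-newkey ec -pkeyopt ec_paramgen_curve:secp384r1" ;;
    *) echo "unsupported algorithm: $alg" >&2; return 2 ;;
  esac
  # Assumption: the primary domain is repeated in subjectAltName alongside the SANs.
  san="DNS:$domain"
  for d in $(printf '%s' "$sans" | tr ',' ' '); do san="$san,DNS:$d"; done
  # umask 077 so the unencrypted private key is created readable by its owner only.
  ( umask 077
    # $keyopt is deliberately unquoted so it splits into separate arguments.
    openssl req -new $keyopt -nodes -sha256 -subj "/CN=$domain" \
      -addext "subjectAltName=$san" \
      -keyout "$dir/$domain.key" -out "$dir/$domain.csr" )
}

# csr_summary <csr>: check the CSR's self-signature, then print "<key algorithm> <bits>".
csr_summary() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  openssl req -in "$1" -noout -text | awk '
    /Public Key Algorithm:/ { alg = $NF }
    /Public-Key:/ { gsub(/[^0-9]/, ""); print alg, $0; exit }'
}

# csr_sans <csr>: print the subjectAltName entries requested in the CSR.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    tail -n 1 | sed 's/^ *//'
}

# key_matches_csr <key> <csr>: succeed only if the CSR carries this key's public half.
key_matches_csr() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Demo in a scratch directory, using the domain names from the SANs example above.
work=$(mktemp -d)
make_csr "$work" www.aliyundoc.com example.aliyundoc.com,test.aliyundoc.com ec:p256
csr_summary "$work/www.aliyundoc.com.csr"
csr_sans "$work/www.aliyundoc.com.csr"
key_matches_csr "$work/www.aliyundoc.com.key" "$work/www.aliyundoc.com.csr" && echo "key matches CSR"
```

Compare the output of `csr_summary` with the algorithm of the certificate order before uploading, because a mismatch causes the application to fail.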