After you enable a private CA or a compliance CA, you can issue private certificates through a subordinate CA for identity authentication and data encryption and decryption in internal enterprise applications. This topic describes how to purchase, assign, request, download, install, and revoke private certificates.
Background
Private certificates (end-entity certificates) include server certificates and client certificates. They can only be issued by private subordinate CAs or compliance subordinate CAs. After you install the corresponding private certificates on both the server and the client, trusted encrypted communication can be established between them.
Get started
When you configure private certificates for the first time, follow the flow in the table below.
CA type | Configuration flow |
Private CA | Assign private certificates to the subordinate CA > Request private certificates > Download private certificates > Install private certificates. The subordinate CA includes 10 certificate resources by default; purchase additional certificates only if you need more. |
Compliance CA | Purchase private certificates > Assign private certificates to the subordinate CA > Request private certificates (issued after the backend review is approved) > Download private certificates > Install private certificates. |
Prerequisites
You have purchased and enabled a private CA or a compliance CA. For more information, see Purchase and enable a private CA and Purchase and enable a compliant CA.
Purchase private certificates
Private CA: When you create a private root CA, the system allocates one root CA and one subordinate CA. The subordinate CA includes 10 certificate resources by default. If you need more certificates, you can purchase additional ones.
Compliance CA: After you purchase and enable a compliance root CA, you must purchase certificate resources separately before you can issue private certificates.
Log in to the Certificate Management Service console.
In the navigation pane on the left, choose . On the Private Certificate Management page, select the region where the PCA service is located.
On the Private CAs or Compliant CA tab, locate the target root CA. In the Actions column, click Purchase Certificate.
In the Purchase Certificate panel, enter the number of certificates to purchase, and click Purchased to complete the payment.
Note: For a single root CA, if the cumulative number of purchased certificates exceeds a specific threshold, the fees for certificates beyond that threshold are waived. To learn the exact threshold, contact a product technical expert. For more information, see Expert one-on-one service.
Assign private certificates
A root CA cannot directly issue certificates. You must first assign certificate resources from the root CA to a subordinate CA. Before assignment, both the root CA and the subordinate CA must meet the following conditions:
Both the root CA and the subordinate CA are in the Enabled state.
The remaining certificate count of the root CA is greater than 0.
Log in to the Certificate Management Service console.
In the navigation pane on the left, choose . On the Private Certificate Management page, select the region where the PCA service is located.
On the Private CAs or Compliant CA tab, locate the target root CA. In the Remaining Certificates column, click Assign Certificate.
In the Assign Certificate panel, select the target subordinate CA, set the Remaining Certificates value, and click OK.
Request private certificates
You can request private certificates from a subordinate CA only when its Remaining Certificates value is greater than 0.
Log in to the Certificate Management Service console.
In the navigation pane on the left, choose . On the Private Certificate Management page, select the region where the PCA service is located.
On the Private CAs or Compliant CA tab, locate the target subordinate CA. In the Actions column, click Apply for Certificate.
In the Apply for Certificate panel, configure the certificate details and click Confirm.
After you submit the request, private CA certificates are issued immediately, but compliance CA certificates require a backend review and are issued only after the review is approved. After a private certificate is issued, you can click Certificates in the Actions column of the subordinate CA to view the issued certificates on the Certificates page.
Private CA:
Configuration item | Description |
Certificate Type | Server Certificate: Install on your application server for server-side identity authentication. Client Certificate: Install on clients for client-side identity authentication. |
Common Name (CN) | The Common Name of the certificate subject. |
Validity Period | The validity period of the private certificate. The validity period depends on the service duration of your subordinate CA. If the service duration is less than one year, the certificate validity period cannot exceed the purchased PCA service duration. For example, if you purchase a one-month PCA service, the maximum certificate validity period is 31 days. To extend the validity period, renew your PCA service. For renewal steps, see Renewal policy. If the service duration is one year or longer, the supported certificate validity period ranges from 1 to 100 years. |
SAN | The SAN extension property of the private certificate, used to apply the certificate to multiple subjects. If the certificate needs to apply to multiple subjects, add the other subject information using the SAN extension. For server certificates, enter domain names or IP addresses. For client certificates, enter email addresses or URIs. You can add up to 10 SAN extensions. Note: SAN (Subject Alternative Name) is an extension field defined in the X.509 standard that allows a single certificate to support multiple domain names. A URI (Uniform Resource Identifier) identifies the Alibaba Cloud resource associated with the certificate, such as the Elastic Compute Service (ECS) instance where the private certificate is deployed. |
More | To add certificate name, company, or department information to the certificate, click More. |
Include CRL Address | Enabled by default. For more information about CRL, see CRL service. |
Compliance CA:
The configuration items depend on the Key Container you select.
Key Container: Alibaba Cloud. Select Alibaba Cloud to let Alibaba Cloud manage the private certificate keys.
Configuration item | Description |
Personal Name | The name of the private certificate owner. |
More | To add certificate name, company, or department information to the certificate, click More. |
Key Container: USBKey. Select USBKey to request certificates using a local USBKey. USBKey supports only Windows systems. Before requesting certificates, install the USBKey control and insert the hardware USBKey into your local operating system. For instructions, see Install USBKey control. After installing the USBKey control, return to the Apply for Certificate page and enter your USBKey security token as prompted.
Configuration item | Description |
Personal Name | The name of the private certificate owner. |
System Account | Enter your Alibaba Cloud account ID if you use the certificate to log on to the Alibaba Cloud Management Console. Enter your system login account if you use the certificate to log on to your enterprise business system. To view your Alibaba Cloud account ID, see Modify account basic information. |
Download private certificates
After a private certificate is issued, you can download it and distribute it to the corresponding entity for installation.
Log in to the Certificate Management Service console.
In the navigation pane on the left, choose . On the Private Certificate Management page, select the region where the PCA service is located.
On the Private CAs or Compliant CA tab, locate the target subordinate CA. In the Actions column, click Certificates.
On the Certificates page, locate the target private certificate. In the Actions column, click Download.
Note: If you requested a compliance CA certificate with the SM2 algorithm and a USBKey key container, you cannot download the certificate.
In the Download Certificate dialog box, select the certificate format and click Confirm and Download.
Install private certificates
After downloading private certificates, install server certificates on your application servers and client certificates on client browsers. The installation method for server certificates is the same as for SSL certificates. For instructions, see Deploy SSL certificates.
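Before you deploy a downloaded server certificate, it is worth confirming the properties set in the Apply for Certificate panel: that the certificate chains through your subordinate CA to the root, that its SAN lists the name the server will present, that it is inside its validity period, and that it carries the CRL address that Include CRL Address adds by default. The script below is an added example, not Alibaba Cloud tooling; it assumes openssl (1.1.1 or later) on PATH and PEM-format downloads, and builds a throwaway root > subordinate > server chain in place of the real files.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud tooling): checks to run on a downloaded private server
# certificate before deploying it. Assumes openssl (1.1.1+) on PATH and PEM files.
# Args: leaf cert, CA bundle (subordinate CA + root CA), expected SAN DNS name.
verify_private_cert() {
  cert=$1; chain=$2; expected_dns=$3
  # 1. The leaf must chain through the subordinate CA to the private root.
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || { echo "chain verification failed"; return 1; }
  # 2. The SAN list must contain exactly the name the server will present.
  openssl x509 -in "$cert" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$expected_dns" \
    || { echo "SAN does not list $expected_dns"; return 1; }
  # 3. Must be within its validity period right now (-checkend 0 fails once expired).
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "certificate expired"; return 1; }
  # 4. Include CRL Address is enabled by default in the console; make sure it is present.
  openssl x509 -in "$cert" -noout -text | grep -q 'CRL Distribution Points' \
    || { echo "no CRL distribution point"; return 1; }
  return 0
}

# Constructed fixture standing in for the downloaded files: throwaway root -> subordinate
# CA -> server certificate with the extensions the console issues (SAN, CRL address).
# Writes root.pem, sub.pem, srv.pem, srv_nosan.pem and chain.pem into the given directory.
make_fixture() {
  d=$1
  csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$1.key" -out "$d/$1.csr" -subj "/CN=$2" 2>/dev/null; }
  csr root "Example Private Root CA"; csr sub "Example Subordinate CA"
  csr srv "app.example.internal";   csr srv_nosan "app.example.internal"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -out "$d/root.pem" -days 3650 -extfile "$d/ca.ext" 2>/dev/null
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/sub.pem" -days 1825 -extfile "$d/ca.ext" 2>/dev/null
  printf 'subjectAltName=DNS:app.example.internal,IP:10.0.0.8\ncrlDistributionPoints=URI:http://crl.example.internal/sub.crl\n' > "$d/srv.ext"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" -CAcreateserial \
    -out "$d/srv.pem" -days 365 -extfile "$d/srv.ext" 2>/dev/null
  # Control case: same subject but no SAN extension, so check 2 must reject it.
  openssl x509 -req -in "$d/srv_nosan.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" -CAcreateserial \
    -out "$d/srv_nosan.pem" -days 365 2>/dev/null
  cat "$d/sub.pem" "$d/root.pem" > "$d/chain.pem"
}

# Usage: ./check_private_cert.sh demo  (builds the fixture in a temp dir and runs the checks)
if [ "${1:-}" = "demo" ]; then
  W=$(mktemp -d); make_fixture "$W"
  verify_private_cert "$W/srv.pem" "$W/chain.pem" app.example.internal && echo "srv.pem: OK"
  verify_private_cert "$W/srv_nosan.pem" "$W/chain.pem" app.example.internal || echo "srv_nosan.pem: rejected"
fi
```

For a real download, call verify_private_cert with the downloaded certificate, a bundle containing the subordinate CA and root CA certificates, and the hostname from the Common Name or SAN you configured.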
If you requested a compliance CA certificate with the SM2 algorithm and a USBKey key container, install the certificate on the hardware USBKey using the following steps.
Log in to the Certificate Management Service console.
In the navigation pane on the left, choose . On the Private Certificate Management page, select the region where the PCA service is located.
On the Compliant CA tab, locate the target subordinate CA. In the Actions column, click Certificates.
On the Certificates page, locate the target private certificate. In the Actions column, click Install Certificate.
In the Install Certificate panel, the system automatically checks whether the hardware USBKey and USBKey control are installed on your local system. After the check passes, click Install.
For instructions on installing the USBKey control and drivers, see Install USBKey control.
If your certificate installation environment is complex and you need one-on-one technical guidance, you can purchase certificate deployment services. After purchase, a certificate technical expert helps you complete the installation. Click the links below to purchase deployment services:
For more information about deployment services, see Purchase certificate application assistance and deployment services. The deployment services above are provided by certificate technical experts through remote guidance. For on-site deployment services, contact a product technical expert. For more information, see Expert one-on-one service.
Revoke private certificates
If you no longer need a private certificate before it expires, you can revoke it.
After you revoke or delete a private certificate, it is no longer trusted in your internal environment and cannot be recovered or re-enabled. Proceed with caution.
Log in to the Certificate Management Service console.
In the navigation pane on the left, choose . On the Private Certificate Management page, select the region where the PCA service is located.
On the Private CAs or Compliant CA tab, locate the target subordinate CA. In the Actions column, click Certificates.
On the Certificates page, locate the target private certificate. In the Actions column, click Revoke.
In the Confirmation dialog box, click Revoke.
After confirmation, the certificate is revoked immediately. Its Status changes to Revoke. At this point, you can delete the certificate from the certificate list.