This topic describes how to configure an SSL certificate on a Node.js server running Linux, including the steps to download and upload certificate files and verify the installation.
Prerequisites
You have purchased and applied for a certificate by using the SSL Certificates Service, and its Status is Issued. To purchase and apply for a certificate, see Purchase a paid certificate and Apply for a certificate.
Your domain name is correctly resolved to the current server, and you have completed the MIIT ICP filing (for servers in the Chinese mainland).
You have administrative permissions on this server (a root account or an account with sudo permissions).
Procedure
Step 1: Download the SSL certificate and private key files
Go to the SSL Certificate Management page, locate the target certificate to deploy, and confirm the following information:
Certificate Status: Make sure the status is Issued. If the status is About to Expire or Expired, see SSL certificate renewal and expiration.
Bound Domains: Make sure it can match all domain names that need to be protected. Otherwise, a security warning will appear when accessing unmatched domain names over HTTPS. If you need to add or modify domain names, see Append or change a domain name.
In the Actions column of the target certificate, click Download and download the certificate whose Server Type is Nginx.
Decompress the downloaded certificate package. The package contains the following files:
Signing certificate:
<certificate-bindng-domain>_sm2_sign.pemand<certificate-binding-domain>_sm2_sign.keyEncryption certificate:
<certificate-binding-domain>_sm2_enc.pemand<certificate-binding-domain>_sm2_enc.keyNoteIf you used tools such as OpenSSL or Keytool to generate a CSR file when applying for the certificate, the private key file is saved only on your local machine and is not included in the downloaded certificate package. If the private key is lost, the certificate cannot be used. You need to Purchase a commercial certificate again and generate the CSR and private key.
Step 2: Install the SSL certificate on Node.js
Log on to the Linux server.
Alibaba Cloud server
The following operations use an Alibaba Cloud ECS instance as an example. For other types of servers, see their respective documentation.
Log on to the ECS console. In the top navigation bar, select the region where the target ECS instance is located.
In the left-side navigation pane, choose . On the Instances page, find the target ECS instance and click Remote Connection in the Remote connection column.
In the dialog box that appears, select Workbench and click Sign in now.
Select Terminal Connection as the connection method, enter the authentication information, and follow the on-screen instructions to complete the logon. You can then access the server terminal. For more information, see Connect to an ECS instance by using Workbench.
NoteIf the Security Group Whitelist Opening Prompt panel appears, click Add Rule as prompted.
Other cloud providers
Use the remote connection feature provided by the cloud provider to log on to the server terminal.
On-premises servers
Use an SSH tool on your local machine to log on to the server terminal.
Windows: Run the
ssh <username>@<server_ip_address>command in Command Prompt (cmd) or PowerShell. If the ssh command is not supported, you can use a third-party tool, such as PuTTY or WinSCP, to establish a connection.macOS/Linux: Run the
ssh <username>@<server_ip_address>command in the built-in terminal.
Some of the following commands vary based on the operating system. Select the appropriate command for your server's OS.
RHEL/CentOS series: includes Alibaba Cloud Linux, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, Anolis OS, and their derivatives.
Debian/Ubuntu series: includes Debian, Ubuntu, and their derivatives.
Open port 443 in the security group and firewall.
Run the following command in the server terminal to check whether port 443 is open:
RHEL/CentOS
command -v nc > /dev/null 2>&1 || sudo yum install -y nc # Replace <your_server_public_ip_address> with the public IP address of your server. sudo ss -tlnp | grep -q ':443 ' || sudo nc -l 443 & sleep 1; nc -w 3 -vz <your_server_public_ip_address> 443If the output contains
Ncat: Connected to <your_server_public_ip_address>:443, port 443 is open. Otherwise, you must open port 443 in the security group and firewall.Debian/Ubuntu
command -v nc > /dev/null 2>&1 || sudo apt-get install -y netcat # Replace <your_server_public_ip_address> with the public IP address of your server. sudo ss -tlnp | grep -q ':443 ' || sudo nc -l -p 443 & sleep 1; nc -w 3 -vz <your_server_public_ip_address> 443If the output contains
Connection to <your_server_public_ip_address> port [tcp/https] succeeded!or[<your_server_public_ip_address>] 443 (https) open, port 443 is open. Otherwise, you must open port 443 in the security group and firewall.Open port 443 in the security group.
ImportantIf your server is deployed on a cloud platform, make sure that its security group allows inbound traffic on TCP port 443. Otherwise, the service is not accessible from the internet. The following operations use an Alibaba Cloud ECS instance as an example. For other cloud platforms, see their official documentation.
Go to the ECS Instances page and click the name of the target instance to go to its details page. For more information, see Add a security group rule. Add a rule to the security group with Action set to Allow, Protocol Type set to TCP, Port Range set to HTTPS(443), and Authorization Object set to Anywhere (0.0.0.0/0).
Open port 443 in the firewall.
Run the following command to identify the current firewall service on your system:
if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then echo "firewalld" elif command -v ufw >/dev/null 2>&1 && sudo ufw status | grep -qw active; then echo "ufw" elif command -v nft >/dev/null 2>&1 && sudo nft list ruleset 2>/dev/null | grep -q 'table'; then echo "nftables" elif command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet iptables; then echo "iptables" elif command -v iptables >/dev/null 2>&1 && sudo iptables -L 2>/dev/null | grep -qE 'REJECT|DROP|ACCEPT'; then echo "iptables" else echo "none" fiIf the output is
none, no further action is required. Otherwise, based on the firewall type (firewalld,ufw,nftables, oriptables), run the corresponding command to open port 443:firewalld
sudo firewall-cmd --permanent --add-port=443/tcp && sudo firewall-cmd --reloadufw
sudo ufw allow 443/tcpnftables
sudo nft add table inet filter 2>/dev/null sudo nft add chain inet filter input '{ type filter hook input priority 0; }' 2>/dev/null sudo nft add rule inet filter input tcp dport 443 counter accept 2>/dev/nulliptables
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPTTo prevent iptables rules from being lost after a system reboot, run the following command to make the rules persistent:
RHEL/CentOS
sudo yum install -y iptables-services sudo service iptables saveDebian/Ubuntu
sudo apt-get install -y iptables-persistent sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null
Upload the SSL certificate and private key files to the target directory on the server.
ImportantThis topic uses
ssl.pem(certificate file) andssl.key(private key file) as examples, and uploads them to the /etc/ssl/cert directory on the server. If this directory does not exist, runsudo mkdir -p /etc/ssl/certto create it.Alibaba Cloud server
The following operations use Alibaba Cloud Elastic Compute Service (ECS) as an example. For other types of servers, refer to the corresponding product documentation.
On the logged-in Workbench page, choose File > Open New File Tree from the top menu bar.
In the file tree on the left, right-click the target directory (/etc/ssl/cert), select Upload File, and select and upload the certificate file
ssl.pem.Repeat the preceding operation. Right-click the target directory (
/etc/ssl/cert) again, select Upload File, and select and upload the private key filessl.key.After the upload is complete, the certificate file path is
/etc/ssl/cert/ssl.pem, and the private key file path is/etc/ssl/cert/ssl.key.
Other cloud provider servers
Use the file upload feature provided by the corresponding cloud provider to upload the certificate and private key files to the target directory on the server (
/etc/ssl/cert).Non-cloud servers (such as physical servers or IDC-hosted machines)
Upload the certificate file and private key file from your local machine using an SSH tool. In the following examples,
<username>is the username of the current server, and<server_ip>is the public IP address of the current server.Windows
Use the built-in Command Prompt (cmd) or PowerShell to upload files using the
scpcommand. The following example assumes the certificate file and private key file are located in the localC:\directory.# Upload the local certificate file to the server. Replace the path C:\ssl.pem and /etc/ssl/cert with the actual source file and target directory. scp C:\ssl.pem <username>@<server_ip>:/etc/ssl/cert # Upload the local private key file to the server. Replace the path C:\ssl.key and /etc/ssl/cert with the actual source file and target directory. scp C:\ssl.key <username>@<server_ip>:/etc/ssl/certIf the scp command is not integrated into the system, you can use the open-source free PuTTY client and its bundled pscp.exe tool to upload files via the command line. You can also use the graphical WinSCP to upload files.
Linux/macOS
Use the built-in terminal to upload files using the
scpcommand. The following example assumes the certificate file and private key file are located in the local/tmpdirectory.# Upload the local certificate file to the server. Replace the path /tmp/ssl.pem and /etc/ssl/cert with the actual source file and target directory. scp /tmp/ssl.pem <username>@<server_ip>:/etc/ssl/cert # Upload the local private key file to the server. Replace the path /tmp/ssl.key and /etc/ssl/cert with the actual source file and target directory. scp /tmp/ssl.key <username>@<server_ip>:/etc/ssl/certGo to the working directory (such as
/home) and create the Node.js project filehttps_server_test.js.# The /home directory is used only as an example. Replace it with your actual working directory. cd /home # Create a test project file. Replace it with your actual project file. sudo touch https_server_test.jsEdit the
https_server_test.jsfile.vim https_server_test.jsPress i to enter edit mode, and add the following content to the https_server_test.js file.
// The https module is required to start the HTTPS server // The fs module is required to read files const https = require('https'); const fs = require('fs'); // Read the two certificate files into the options object // Use the readFileSync() method to sequentially execute file reading and server startup operations const options = { key: fs.readFileSync('/etc/ssl/cert/ssl.key'), // Replace with the actual absolute path of the uploaded private key file. cert: fs.readFileSync('/etc/ssl/cert/ssl.pem') // Replace with the actual absolute path of the uploaded SSL certificate file. }; // Create the server, start it, and set the listening port https.createServer(options, (req, res) => { res.end('hello world\n'); }).listen(443);ImportantThe certificate file paths must be configured correctly. Otherwise, the certificate configuration will fail and HTTPS access will not work.
Press
Escto exit edit mode, type:wq, and then pressEnterto save and exit the file.Run the following command to activate the SSL certificate.
sudo node https_server_test.js
Step 3: Verify that the SSL certificate is installed successfully
Access your domain name over HTTPS. Example:
https://example.com. Replaceexample.comwith your actual domain name.If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If an access error occurs or the lock icon does not appear, clear your browser's cache or try again in incognito or private mode.

Starting with Chrome 117, the
icon in the address bar has been replaced by a new
icon. Click this icon to view the security lock information.
If issues persist, refer to the FAQ for troubleshooting.
Next steps (Optional)
Enable domain monitoring
After the certificate is deployed, we recommend that you enable domain name monitoring. The system automatically checks the validity period of the certificate and sends reminders before the certificate expires. This helps you renew the certificate in a timely manner to prevent service interruptions. For more information, see Purchase and enable public domain name monitoring.
FAQ
Certificate not working or HTTPS inaccessible
Common causes are as follows:
The domain name has not completed ICP filing. See How to view domain name resolution records and ICP filing information.
Port 443 is not opened in the server security group or firewall. See Open port 443 in the security group and firewall.
The Bound Domains of the certificate does not include the domain name currently being accessed. See Procedure.
The Node.js service was not restarted after modifying the project file. For details, see Restart the Node.js service.
The certificate files were not correctly replaced, or the Node.js configuration does not correctly specify the certificate paths. Check whether the certificate files are up-to-date and valid.
The domain name is integrated with cloud services such as CDN, SLB, or WAF, but the certificate is not installed on the corresponding service. For more information, see Certificate deployment location when traffic passes through multiple cloud services.
The domain name resolves to multiple servers, but the certificate is installed on only some of them. You must install the certificate on each server.
For further troubleshooting, see Troubleshoot certificate deployment issues based on browser errors and SSL certificate deployment troubleshooting guide.
How to update (replace) an installed SSL certificate in Node.js
Back up the original certificate files (.pem and .key) on the server first. Then log on to the Certificate Management Service console, download the new certificate files (.pem and .key), and upload them to the target server to overwrite the original files (ensure the paths and file names are consistent). Finally, restart the Node.js service to activate the new certificate.