Purchase and enable a private CA


Purchase and enable a private CA to issue and manage internal certificates, for example to encrypt data in enterprise applications such as OA and HR systems, in scenarios that have no regulatory or industry compliance requirements.

Private CA types

PCA offers two types: Enterprise Private CA and Alibaba Cloud Shared CA.

Customization

  • Enterprise Private CA: Supported. Fully customize the issuer identity, organization, and details for the root CA and all subordinate CAs.

  • Alibaba Cloud Shared CA: Not supported. You share an Alibaba Cloud-managed root CA with other users.

Activation

  • Enterprise Private CA: Manual activation. Configure and enable the root CA and subordinate CAs after purchase.

  • Alibaba Cloud Shared CA: Automatic activation. The root CA and subordinate CAs are enabled immediately after purchase.

Hierarchy support

  • Enterprise Private CA: Supported. Build a multi-tier intermediate CA hierarchy for complex organizational structures.

  • Alibaba Cloud Shared CA: Not supported. Flat architecture only.

Cost

  • Enterprise Private CA: Higher cost. Best for large enterprises that need full control over CA identity and brand customization.

  • Alibaba Cloud Shared CA: Lower cost. Best for quick, cost-effective encryption of internal applications.

Enterprise private CA

An Enterprise Private CA lets you create root and intermediate CAs, customize issuer identity, and build a multi-tier hierarchy matching your enterprise structure.

Step 1: Purchase a private root CA

Purchase a private root CA as the foundation of your private CA hierarchy.

Private root CA

Each root CA instance includes one root CA, one intermediate CA, and a quota of 10 free private certificates.

Free quota rules:

  • Usage window: Issue certificates within 30 days of purchase. Unused quota expires after this window.

  • Certificate validity: Free-quota certificates are valid for 30 days from issuance. Renewing the root CA does not extend this period.

For separately purchased private certificates, set a custom validity period at the time of purchase.

  1. Log in to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > Private Certificate Management. On the Private Certificate Management page, select the region where the PCA service is located.

  3. On the Private CAs tab, click Purchase Private Root CA.

  4. In the Purchase Private Root CA panel, complete the purchase configuration.

    Parameter

    Description

    Extended Key Usage

    For Internal Compliance is selected by default. This usage encrypts network communications for internal systems (OA, HR) to secure data transmission and user authentication, and is intended for scenarios without regulatory or industry compliance requirements.

    Commodity Specifications

    Select Create CA Certificate.

    Certificate Algorithm

    The encryption algorithm used to issue certificates.

    Options: RSA, SM, and ECC.

    Subscription Duration

    Select the subscription duration for the service.

    • If the subscription duration is less than 1 year, the maximum validity period for the root CA is 20 years.

    • If the subscription duration is 1 year or longer, the maximum validity period for the root CA is 100 years.

    Note

    After the service expires, you can no longer issue certificates or use any remaining private certificate resources.

  5. Select Terms of Service, click Buy Now, and complete the payment.

Step 2: Enable private root and subordinate CAs

After purchase, enable the root CA first. Subordinate CAs can only be enabled after their parent root CA is enabled.

Enable the root CA

  1. On the Private CAs tab, find the target root CA and click Enable in the Actions column.

  2. In the CA Information panel, configure the root CA's information, and click Confirm and Enable.

    Multiple methods are available to enable a root CA.

    Create CA Certificate

    Parameter

    Description

    Enable Mode

    Select Create CA Certificate.

    Common Name (CN)

    The common name or abbreviation of the organization. Chinese and English characters are supported.

    Example: Alibaba Cloud.

    Organizational Unit (OU)

    The organizational unit name. Chinese and English characters are supported.

    Example: IT Department.

    Organization (O)

    The organization name. Chinese and English characters are supported.

    Example: Alibaba Cloud Computing Co., Ltd.

    City (L)

    The city where the organization is located. Chinese and English characters are supported.

    Example: Hangzhou.

    Province (S)

    The province or state where the organization is located. Chinese and English characters are supported.

    Example: Zhejiang.

    Country/Region (C)

    The country or region where the organization is located. Chinese and English characters are supported.

    Example: China.

    Private Key Algorithm

    The private key algorithm for the CA.

    The available options depend on the CA algorithm you selected at purchase:

    • If the CA algorithm is RSA, the available options are RSA_1024, RSA_2048, and RSA_4096.

    • If the CA algorithm is SM, the available option is SM2_256.

    • If the CA algorithm is ECC, the available options are ECC_256, ECC_384, and ECC_512.

    Validity Period

    The validity period of the root CA.

    The maximum validity period depends on your subscription duration:

    • If the subscription is less than 1 year, the supported validity period is 1 to 20 years.

    • If the subscription is 1 year or longer, the supported validity period is 1 to 100 years.

    Note

    After the service expires, you can no longer issue certificates or use any remaining private certificate resources.

    Enable CRL Service

    Enable or disable the CRL service. When enabled, revoked CA certificates are listed in the CRL. For more information, see CRL Service.

    Upload CA Certificate and Private Key

    Parameter

    Description

    Enable Mode

    Select Upload CA Certificate and Private Key.

    Certificate File

    Enter the PEM-encoded certificate content.

    Open the certificate file (.pem or .crt) in a text editor, then copy and paste its content into the text box. You can also click Upload and Parse File to upload the file directly.

    Certificate Key

    Enter the PEM-encoded private key content.

    Open the private key file (.key) in a text editor, then copy and paste its content into the text box. You can also click Upload and Parse File to upload the file directly.

    Use HSM

    Parameter

    Description

    Enable Mode

    Select Use HSM.

    HSM Cluster

    Select an HSM cluster instance.

    Important

    HSM clusters are supported only in the China (Shanghai) region.

    To create an HSM cluster, click Create HSM Cluster - China (Shanghai) Region Only and use the following settings:

    • Region: Select China (Shanghai).

    • Cryptography Service Type: Select General Server HSM (GVSM).

    • Use HSM: Select Yes.

    • vSwitch: Use vSwitches in Zone cn-shanghai-b or Zone cn-shanghai-g.

    Configure the remaining parameters as needed and click Buy Now.

    Common Name (CN)

    The common name or abbreviation of the organization. Chinese and English characters are supported.

    Example: Alibaba Cloud.

    Organizational Unit (OU)

    The organizational unit name. Chinese and English characters are supported.

    Example: IT Department.

    Organization (O)

    The organization name. Chinese and English characters are supported.

    Example: Alibaba Cloud Computing Co., Ltd.

    City (L)

    The city where the organization is located. Chinese and English characters are supported.

    Example: Hangzhou.

    Province (S)

    The province or state where the organization is located. Chinese and English characters are supported.

    Example: Zhejiang.

    Country/Region (C)

    The country or region where the organization is located. Chinese and English characters are supported.

    Example: China.

    Private Key Algorithm

    The private key algorithm for the CA.

    The available options depend on the CA algorithm you selected at purchase:

    • If the CA algorithm is RSA, the available options are RSA_1024, RSA_2048, and RSA_4096.

    • If the CA algorithm is SM, the available option is SM2_256.

    • If the CA algorithm is ECC, the available options are ECC_256, ECC_384, and ECC_512.

    Validity Period

    The validity period of the root CA.

    The maximum validity period depends on your subscription duration:

    • If the subscription is less than 1 year, the supported validity period is 1 to 20 years.

    • If the subscription is 1 year or longer, the supported validity period is 1 to 100 years.

    Note

    After the service expires, you can no longer issue certificates or use any remaining private certificate resources.

    Enable CRL Service

    Enable or disable the CRL service. When enabled, revoked CA certificates are listed in the CRL. For more information, see CRL Service.

  3. In the Tip dialog box, confirm the information and click OK.

    After you enable the root CA, its status changes to Enabled. To correct any mistakes, you can reset the CA. For more information, see Reset a private CA.

Enable the subordinate CA

  1. On the Private CAs tab, find the target root CA and click the expand icon next to its name.

  2. Find the target subordinate CA and click Enable in the Actions column.

  3. In the CA Information panel, configure the subordinate CA's information, and click Confirm and Enable.

    Multiple methods are available to enable a subordinate CA.

    Create CA Certificate

    Parameter

    Description

    Enable Mode

    Select Create CA Certificate.

    CA Usage

    The purpose of the subordinate CA. Select Intermediate CA or User CA.

    • Intermediate CA: Can issue subordinate CAs beneath it.

    • User CA: Can issue only end-entity certificates, such as server certificates and client certificates.

    Length Limit

    If you set CA Usage to Intermediate CA, configure the path length constraint. This parameter defines the maximum depth of the subordinate CA chain that this intermediate CA can issue.

    Valid values: 1 to 5.

    Important

    If Length Limit is set to 1, the subordinate CA must be a User CA.

    Common Name (CN)

    The common name or abbreviation of the organization. Chinese and English characters are supported.

    Example: Alibaba Cloud.

    Organizational Unit (OU)

    The organizational unit name. Chinese and English characters are supported.

    Example: IT Department.

    Organization (O)

    The organization name. Chinese and English characters are supported.

    Example: Alibaba Cloud Computing Co., Ltd.

    City (L)

    The city where the organization is located. Chinese and English characters are supported.

    Example: Hangzhou.

    Province (S)

    The province or state where the organization is located. Chinese and English characters are supported.

    Example: Zhejiang.

    Country/Region (C)

    The country or region where the organization is located. Chinese and English characters are supported.

    Example: China.

    Private Key Algorithm

    The private key algorithm for the CA.

    The available Private Key Algorithm options depend on the CA algorithm you selected during purchase:

    • If the CA algorithm is RSA, the available options are RSA_1024, RSA_2048, and RSA_4096.

    • If the CA algorithm is SM, the available option is SM2_256.

    • If the CA algorithm is ECC, the available options are ECC_256, ECC_384, and ECC_512.

    Validity Period

    The validity period of the subordinate CA.

    The maximum validity period depends on your subscription duration:

    • If the subscription is less than 1 year, the supported validity period is 1 to 20 years.

    • If the subscription is 1 year or longer, the supported validity period is 1 to 100 years.

    Enable CRL Service

    Enable or disable the CRL service. When enabled, revoked CA certificates are listed in the CRL. For more information, see CRL Service.

    Extended Key Usage

    The intended purposes of the certificate's public key. Use this to categorize and differentiate certificates.

    Upload CA Certificate and Private Key

    Parameter

    Description

    Enable Mode

    Select Upload CA Certificate and Private Key.

    Certificate File

    Enter the PEM-encoded certificate content.

    Open the certificate file (.pem or .crt) in a text editor, then copy and paste its content into the text box. You can also click Upload and Parse File to upload the file directly.

    Certificate Key

    Enter the PEM-encoded private key content.

    Open the private key file (.key) in a text editor, then copy and paste its content into the text box. You can also click Upload and Parse File to upload the file directly.

  4. In the Tip dialog box, confirm the information and click OK.

    After you enable the subordinate CA, its status changes to Enabled. To correct any mistakes, you can reset the CA. For more information, see Reset a private CA.
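The CA Usage and Length Limit parameters above correspond to the X.509 basicConstraints extension (the cA flag and pathLenConstraint), and the rule "If Length Limit is set to 1, the subordinate CA must be a User CA" is the RFC 5280 path-length processing rule applied one level down. The following Python is an added example, not code from Alibaba Cloud or its SDK: it models a planned hierarchy as plain in-memory records (constructed names, no real certificates) and applies that rule, so you can check a hierarchy design before purchasing subordinate CAs. It assumes that a User CA carries pathLenConstraint 0 and that Length Limit maps directly to pathLenConstraint.

```python
"""
Added example (not Alibaba Cloud's own code): models how the "Length Limit"
(X.509 basicConstraints pathLenConstraint) on an intermediate CA bounds the
CA chain beneath it, using the RFC 5280 section 6.1.4 path-length rule.
The entries below are constructed in-memory descriptions, not real
certificates; all names are invented for illustration.
Assumptions: a User CA is a CA with pathLenConstraint 0, and the console's
Length Limit value equals the pathLenConstraint written into the certificate.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CaEntry:
    name: str
    is_ca: bool                     # basicConstraints cA flag
    path_len: Optional[int] = None  # pathLenConstraint; None = no limit set

    @staticmethod
    def intermediate(name: str, length_limit: Optional[int] = None) -> "CaEntry":
        # Intermediate CA: cA=true, optionally with a Length Limit.
        return CaEntry(name, True, length_limit)

    @staticmethod
    def user_ca(name: str) -> "CaEntry":
        # User CA: cA=true with pathLen 0, so it can only issue end-entity certs.
        return CaEntry(name, True, 0)

    @staticmethod
    def end_entity(name: str) -> "CaEntry":
        # Server or client certificate: cA=false.
        return CaEntry(name, False)


def validate_chain(chain: List[CaEntry]) -> Tuple[bool, str]:
    """Check a chain ordered root -> ... -> end entity against basicConstraints.

    `remaining` is the number of CA certificates still permitted below the
    current one (None = unlimited). Every CA certificate consumes one unit
    (RFC 5280 6.1.4 step l), and a CA may tighten but never loosen the limit
    inherited from its ancestors (step m).
    """
    remaining: Optional[int] = None
    for position, cert in enumerate(chain[:-1]):
        child = chain[position + 1]
        if not cert.is_ca:
            return False, f"{cert.name} has cA=false but issued {child.name}"
        if remaining is not None:
            if remaining <= 0:
                return False, (f"{cert.name} exceeds the path length constraint "
                               "set by an ancestor CA")
            remaining -= 1
        if cert.path_len is not None and (remaining is None or cert.path_len < remaining):
            remaining = cert.path_len
    return True, "chain satisfies all basicConstraints"


def max_ca_levels_below(length_limit: int) -> int:
    """Largest number of CA levels an intermediate with this Length Limit can
    have beneath it, found by validating progressively deeper chains."""
    deepest = 0
    for levels in range(1, length_limit + 3):  # probe past the limit on purpose
        chain = [CaEntry.intermediate("root"),
                 CaEntry.intermediate("intermediate", length_limit)]
        chain += [CaEntry.intermediate(f"sub-{k}") for k in range(levels - 1)]
        chain += [CaEntry.user_ca("user-ca"), CaEntry.end_entity("server")]
        if validate_chain(chain)[0]:
            deepest = levels
    return deepest


# Constructed hierarchy matching the page's rule: an intermediate with
# Length Limit 1 may only have a User CA beneath it.
VALID_CHAIN = [CaEntry.intermediate("Example Root CA"),
               CaEntry.intermediate("Example Intermediate CA", length_limit=1),
               CaEntry.user_ca("Example User CA"),
               CaEntry.end_entity("intranet.example.internal")]

# Same intermediate, but a second intermediate squeezed in: one level too deep.
TOO_DEEP_CHAIN = [CaEntry.intermediate("Example Root CA"),
                  CaEntry.intermediate("Example Intermediate CA", length_limit=1),
                  CaEntry.intermediate("Example Department CA"),
                  CaEntry.user_ca("Example User CA"),
                  CaEntry.end_entity("intranet.example.internal")]

# A User CA (pathLen 0) attempting to issue a CA certificate.
USER_CA_ISSUING_CA = [CaEntry.intermediate("Example Root CA"),
                      CaEntry.user_ca("Example User CA"),
                      CaEntry.intermediate("Rogue Sub CA"),
                      CaEntry.end_entity("intranet.example.internal")]

if __name__ == "__main__":
    for label, chain in [("valid", VALID_CHAIN), ("too deep", TOO_DEEP_CHAIN),
                         ("user CA issuing a CA", USER_CA_ISSUING_CA)]:
        ok, reason = validate_chain(chain)
        print(f"{label}: {'OK' if ok else 'REJECT'} - {reason}")
    print("CA levels allowed under Length Limit 1:", max_ca_levels_below(1))
```

Run the file directly to print a verdict for each constructed chain. Path verifiers such as OpenSSL enforce the same pathLenConstraint rule when they build a chain, so a hierarchy that this check rejects would also be rejected by TLS clients that trust your private root.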

Step 3: (Optional) Purchase a private subordinate CA

Purchase additional subordinate CAs under a root CA for different departments or organizational units. Newly purchased subordinate CAs do not include certificate resources.

  1. On the Private CAs tab, find the target root CA and click Create Private Intermediate CA in the Actions column.

  2. In the Create Private Intermediate CA panel, complete the purchase configuration.

    Important

    The subordinate CA's algorithm must match the root CA's algorithm. You cannot change it.

  3. Select Terms of Service, click Buy Now, and complete the payment.

Step 4: Configure private certificates

After purchasing and enabling a private CA, you need a quota before you can issue private certificates. For more information, see Purchase and allocate a private certificate quota.

Alibaba Cloud Shared CA

A Shared CA uses an Alibaba Cloud-managed root CA and intermediate CA shared among users. You cannot customize the issuer identity or organization, or build a multi-tier CA hierarchy.

Important

A Shared CA is intended only for inter-service calls within Alibaba Cloud (for example, Cloud Firewall). If your business requires strong certificate isolation and control, use an Enterprise Private CA instead.

Step 1: Purchase Alibaba Cloud Shared CA

  1. Log in to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate Management > Private Certificate Management. On the Private Certificate Management page, select the region where the PCA service is located.

  3. On the Private CAs tab, click Purchase Private Root CA.

  4. In the Purchase Private Root CA panel, configure the purchase settings.

    Parameter

    Description

    Commodity Usage

    Select For Internal Compliance.

    Commodity Specifications

    Select Intermediate CA.

    Certificate Algorithm

    Select the encryption algorithm for issuing certificates.

    Options: RSA, SM, and ECC.

    Subscription Duration

    Select the subscription duration. Available durations: 1 month to 2 years.

    Note

    Certificates can only be issued while the service is active. After expiration, remaining certificate resources become unavailable.

  5. Select Terms of Service, click Buy Now, and complete the payment.

Step 2: Configure private certificates

After purchasing the private CA, configure private certificates. For more information, see Manage private certificates.