Select a certificate deployment method


This topic describes how to choose an appropriate certificate deployment method based on your business needs, so you can enable HTTPS secure access for your websites and applications.

Scope

Deploying an SSL certificate involves two steps:

  • Deploy an SSL certificate on the server (Required): To enable HTTPS for a website, API, or application, you must deploy an SSL certificate on the server.

  • Install a root certificate on the client (Optional): You only need to install a root certificate on the client when the client cannot build a trust path to your server certificate: the certificate is self-signed, the client does not recognize the issuing certificate authority (CA), the required root certificate is missing from its trust store, or that root has expired. Clients verify the server's identity by chaining the server certificate to a root they already trust, so the root must be present before the first connection. In most cases, operating systems and browsers already include mainstream root certificates.

Deploy an SSL certificate on the server

Before you begin

Before you deploy a certificate, make sure you meet the following requirements:

  • Certificate status: You have an SSL certificate issued by a trusted CA, and its Certificate Status is Issued. To purchase and apply for a certificate, see Purchase a commercial certificate and Submit a CA application.

  • Domain Name Matching: Ensure the certificate covers all domain names you want to protect. If you need to add or change a domain name, you can purchase a paid certificate or add and replace domain names.

    • Exact domain name: An exact domain name certificate applies only to the specified domain name.

      • A certificate for example.com applies only to example.com.

      • A certificate for www.example.com applies only to www.example.com.

    • Wildcard domain name: A wildcard domain name certificate applies only to first-level subdomains.

      • A certificate for *.example.com applies to first-level subdomains such as www.example.com and a.example.com.

      • A certificate for *.example.com does not apply to the root domain example.com or multi-level subdomains such as a.b.example.com.

    Note

    To match a multi-level subdomain, the Bound Domains field must include the specific domain name (for example, a.b.example.com) or a corresponding wildcard domain name (for example, *.b.example.com).

  • Domain Name Filing and Resolution:

    • ICP Filing: The domain name has completed MIIT ICP filing (for servers in the Chinese mainland only).

    • DNS Resolution: The domain name is resolved to the server's public IP address by using an A record.

    Note

    You can use the Network Diagnostic Analysis tool. Enter your domain name and check the DNS Provider Resolution Result and ICP Filing Check sections to make sure that the requirements are met.
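The domain matching rules above, as an added shell example that is not part of the original page: it encodes the exact-name and single-label wildcard rules and reports which hosts a given set of certificate names fails to cover. The certificate names and host list are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): check whether the names in a
# certificate cover the hosts you need to protect, using the rules above.
# An exact name matches only itself; "*.example.com" matches exactly one
# label (www.example.com), never the bare domain (example.com) and never
# deeper names (a.b.example.com). Comparison is case-insensitive, as for DNS.
# The certificate names and host list below are constructed for the demo.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# cert_name_covers CERT_NAME HOST: exit 0 if CERT_NAME covers HOST.
# Only a leading "*." is treated as a wildcard; anything else is an exact name.
cert_name_covers() {
  cert=$(lower "$1"); host=$(lower "$2")
  case "$cert" in
    \*.*)
      suffix="${cert#\*.}"
      case "$host" in
        *."$suffix")
          label="${host%."$suffix"}"
          # exactly one non-empty label may stand in for the wildcard
          case "$label" in
            ""|*.*) return 1 ;;
            *)      return 0 ;;
          esac ;;
        *) return 1 ;;
      esac ;;
    *)
      [ "$host" = "$cert" ] ;;
  esac
}

# uncovered_hosts "CERT_NAMES" "HOSTS": print each host that no name covers,
# one per line; prints nothing when the certificate covers everything.
uncovered_hosts() {
  for h in $2; do
    ok=0
    for n in $1; do
      if cert_name_covers "$n" "$h"; then ok=1; break; fi
    done
    [ "$ok" -eq 1 ] || printf '%s\n' "$h"
  done
}

# Constructed demo input: the names a hypothetical certificate was issued for,
# and the hosts the site actually serves.
CERT_NAMES="example.com *.example.com"
HOSTS="example.com www.example.com api.example.com a.b.example.com mail.example.net"
uncovered_hosts "$CERT_NAMES" "$HOSTS"
# prints the two hosts this certificate does not cover:
#   a.b.example.com
#   mail.example.net
```

To feed it the names from a real certificate file, list them with `openssl x509 -in cert.pem -noout -ext subjectAltName` (OpenSSL 1.1.1 or later) and pass the DNS entries as CERT_NAMES. An empty result from `uncovered_hosts` is the check to run before you bind the certificate.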

Confirm the certificate deployment location

Deploy SSL certificates on every network node that handles HTTPS traffic, including web servers (such as Nginx, Apache, and IIS), Application Load Balancer (ALB), Content Delivery Network (CDN), Web Application Firewall (WAF), API Gateway, and more. Deploying certificates on these nodes ensures end-to-end encryption from the client to the server, preventing plaintext transmission on any intermediate link.

Based on the traffic path, certificate deployment falls into the following two scenarios:

  • Traffic goes directly to the server: When public traffic accesses the origin web server directly, it does not pass through any intermediate nodes.

  • Traffic passes through multiple network nodes: When a user accesses a website through a domain name, traffic typically passes through multiple intermediate nodes such as CDN and ALB before being forwarded to the origin server.

Traffic goes directly to the server

When public traffic accesses the origin web server directly, you only need to deploy the SSL certificate on that server.


Traffic passes through multiple network nodes

If traffic passes through multiple intermediate nodes (such as CDN and WAF) before reaching the origin server, every node that handles HTTPS traffic must have a certificate deployed.

Important

This topic uses the "End user → CDN → WAF → ALB → origin server" architecture as an example to illustrate the certificate deployment strategy for multi-node scenarios. Deploy certificates on the nodes that match your actual network architecture.

For each scenario, the certificate deployment nodes and the scope of transmission encryption are as follows:

  • Scenario 1
    • Encrypted link (HTTPS): User ↔ CDN
    • Plaintext link (HTTP): CDN → WAF → ALB → origin server
    • Nodes requiring certificates: CDN
    • Description: Encrypts only the link from the client to the CDN. This is the most cost-effective option, but everything behind the CDN travels in plaintext, so the WAF, ALB, origin server, and any network between them can read and alter the traffic.

  • Scenario 2
    • Encrypted link (HTTPS): User ↔ CDN ↔ WAF
    • Plaintext link (HTTP): WAF → ALB → origin server
    • Nodes requiring certificates: CDN, WAF
    • Description: Extends encryption to the WAF, improving security. The hops behind the WAF remain unencrypted.

  • Scenario 3
    • Encrypted link (HTTPS): User ↔ CDN ↔ WAF ↔ ALB
    • Plaintext link (HTTP): ALB → origin server
    • Nodes requiring certificates: CDN, WAF, ALB
    • Description: Only the last hop from the ALB to the origin server is unencrypted. This provides strong security as long as that hop stays inside a network you control.

  • Scenario 4
    • Encrypted link (HTTPS): User ↔ CDN ↔ WAF ↔ ALB ↔ origin server
    • Plaintext link (HTTP): None
    • Nodes requiring certificates: CDN, WAF, ALB, origin server
    • Description: End-to-end encryption for the highest level of security.

In every scenario, a node forwards to the next hop over HTTPS only if its back-to-origin (upstream) protocol is set to HTTPS; deploying a certificate on the next hop does not by itself change the protocol the previous hop uses. The certificate on each hop must also cover the host name the previous hop connects with, otherwise that hop's certificate check fails or has to be disabled, which removes the protection you deployed the certificate for.
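A way to verify the deployment per hop, as an added shell example that is not part of the original page: it handshakes with each node's own address while sending SNI and checking the certificate for the public host name, which is how you test WAF, ALB, and origin nodes that public DNS does not point at directly. The host names, addresses, and fragments of `openssl s_client` output are constructed for the demo; it assumes OpenSSL 1.1.0 or later for `-verify_hostname`.

```shell
#!/bin/sh
# Added example (not from the original page): probe every node on the request
# path and report whether it presents a certificate that verifies for the
# public host name. Host names, addresses and the sample openssl output below
# are constructed for the demo; requires OpenSSL 1.1.0 or later (-verify_hostname).

# verify_code_from_output: reads `openssl s_client` output on stdin and prints
# "nocert" when no certificate was received (a plaintext hop), otherwise the
# numeric "Verify return code" (0 = chain and host name verified; 21 = the
# server sent the leaf without its intermediates).
verify_code_from_output() {
  awk '
    /no peer certificate available/ { nocert = 1 }
    /Verify return code:/ && code == "" { code = $4 }
    END { if (nocert) print "nocert"; else print code }
  '
}

# tls_verify_status HOST ADDR [PORT]: handshake with ADDR:PORT, sending SNI
# for HOST and checking the certificate against HOST and the local trust store.
tls_verify_status() {
  openssl s_client -connect "$2:${3:-443}" -servername "$1" -verify_hostname "$1" \
    </dev/null 2>/dev/null | verify_code_from_output
}

# check_path HOST "label=addr label=addr ...": one line per hop; returns
# non-zero if any hop fails, so it can gate a deployment pipeline.
check_path() {
  host="$1"; rc=0
  for hop in $2; do
    label="${hop%%=*}"; addr="${hop#*=}"
    code=$(tls_verify_status "$host" "$addr")
    case "$code" in
      0)         printf '%-8s %-16s OK\n' "$label" "$addr" ;;
      nocert|"") printf '%-8s %-16s no certificate presented: hop is plaintext\n' "$label" "$addr"; rc=1 ;;
      *)         printf '%-8s %-16s FAIL: verify code %s\n' "$label" "$addr" "$code"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed fragments of s_client output, used to exercise the parser offline.
SAMPLE_OK='CONNECTED(00000003)
depth=2 C = US, O = Demo, CN = Demo Root CA
verify return:1
---
    Verify return code: 0 (ok)
---'
SAMPLE_BROKEN_CHAIN='CONNECTED(00000003)
depth=0 CN = www.example.com
verify error:num=21:unable to verify the first certificate
---
    Verify return code: 21 (unable to verify the first certificate)
---'
SAMPLE_PLAINTEXT='CONNECTED(00000003)
---
no peer certificate available
---
    Verify return code: 0 (ok)
---'

# Live usage (addresses are documentation ranges, replace with your hops):
#   sh check_path.sh www.example.com "cdn=203.0.113.10 waf=198.51.100.20 alb=192.0.2.30 origin=192.0.2.40"
if [ "$#" -ge 2 ]; then
  check_path "$1" "$2"
fi
```

Note that a failed handshake still ends with `Verify return code: 0 (ok)` in s_client's session summary, which is why the parser keys on `no peer certificate available` before trusting the code; a hop that reports `nocert` is the plaintext link in the scenario list above.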


Choose a certificate deployment method

Note

If you need assistance with certificate deployment, you can contact a product technical expert. For more information, see One-on-one Expert Service.

Before choosing an SSL certificate deployment method, determine your deployment target (server or cloud product) and select according to the following rules:

  • Deploy to a server: Applicable to Alibaba Cloud ECS, Simple Application Server, non-Alibaba Cloud servers, and self-managed servers.

  • Deploy to a cloud product: Applicable to Alibaba Cloud products such as SLB, CDN, and WAF (excluding ECS and Simple Application Server), as well as cloud products such as CDN, WAF, and CLB on third-party platforms like Tencent Cloud, Huawei Cloud, and AWS.

Deploy to a server

Choose the appropriate method below to deploy a certificate to your server.

Alibaba Cloud ECS and Simple Application Server

Choose a certificate deployment tutorial based on your web server software and operating system. To determine your web server type, see FAQ 4: How do I find my web server type?.

Non-Alibaba Cloud servers

Choose a certificate deployment tutorial based on your web server software and operating system. To determine your web server type, see FAQ 4: How do I find my web server type?.

Deploy to a cloud product

Alibaba Cloud

  • Deploy a standard SSL certificate (RSA/ECC)

    Deploy from the Certificate Management Service console

    In the following scenarios, you can use the cloud product deployment feature in the Certificate Management Service console to push a certificate to the relevant products with one click, without manually uploading it. For more information, see Deploy SSL certificates to cloud services.

    Note
    • If your product is not supported by the "cloud product deployment" feature, refer to the product's documentation for deployment instructions. Products that support one-click push are listed below.

    • "Update existing certificate" refers to the scenario where a certificate is already deployed on a cloud product and you need to replace it. "Initial deployment" refers to deploying a certificate to a product that has none yet.

    Supported cloud products, the deployment tasks the push feature supports for each, and the certificate configuration scenario the push applies to:

    • Cloud Web Hosting
      Deployment task: Initial deployment, Update existing certificate
      Scenario: Enable HTTPS access for websites

    • Container Registry (ACR)
      Deployment task: Update existing certificate
      Scenario: Access a Container Registry Enterprise Edition instance over HTTPS with a custom domain name

    • Container Service for Kubernetes (ACK)
      Deployment task: Update existing certificate
      Scenario: Update AlbConfig certificates and Secret certificates in ACK managed and dedicated clusters
      Important: Do not manually modify a Secret in ACK. The system creates a new Secret automatically.

    • Serverless App Engine - gateway routing
      Deployment task: Update existing certificate
      Scenario: Configure HTTPS as the forwarding protocol for gateway routing (ALB and CLB)

    • Function Compute (FC)
      Deployment task: Update existing certificate
      Scenario: HTTP function scenario

    • Microservices Engine - cloud-native gateway
      Deployment task: Update existing certificate
      Scenario: Cloud-native gateway routing scenario

    • API Gateway
      Deployment task: Update existing certificate
      Scenario: Access an API over HTTPS with a domain name

    • Global Accelerator (GA)
      Deployment task: Update existing certificate
      Scenario: Accelerate HTTPS domain name access securely

    • Application Load Balancer (ALB), Network Load Balancer (NLB), Classic Load Balancer (CLB)
      Deployment task: Update existing certificate
      Scenario: Forward requests over HTTPS using an HTTPS listener (server certificate)
      Note: To deploy a client certificate, see E2E HTTPS encryption for data transfers.

    • Content Delivery Network (CDN)
      Deployment task: Initial deployment, Update existing certificate
      Scenario: HTTPS secure acceleration

    • Dynamic Route for CDN (DCDN)
      Deployment task: Initial deployment, Update existing certificate
      Scenario: HTTPS secure acceleration

    • Edge Security Acceleration (ESA)
      Deployment task: Update existing certificate
      Scenario: HTTPS secure acceleration

    • Object Storage Service (OSS)
      Deployment task: Update existing certificate
      Scenario: Access OSS over HTTPS
      Note: If your domain name uses CDN acceleration, replace the certificate in the CDN console.

    • Web Application Firewall (WAF)
      Deployment task: Update existing certificate
      Scenario: CNAME access scenario

    • Anti-DDoS Pro and Anti-DDoS Premium
      Deployment task: Update existing certificate
      Scenario: Domain name access for Anti-DDoS Pro and Anti-DDoS Premium

    • ApsaraVideo for Live
      Deployment task: Initial deployment, Update existing certificate
      Scenario: HTTPS secure acceleration for stream ingest and playback

    • ApsaraVideo for VOD
      Deployment task: Initial deployment, Update existing certificate
      Scenario: Content distribution and acceleration

    • Platform for AI (PAI)
      Deployment task: Update existing certificate
      Scenario: Elastic Algorithm Service (EAS) model serving: use a custom domain name for a dedicated gateway

    Deploy from the cloud product console

    Find your cloud product below, then follow the reference listed for its certificate configuration scenario to go to the product's console and complete the certificate deployment.

    • Cloud Web Hosting
      Scenario: Enable HTTPS access for websites
      Reference: Enable HTTPS encrypted access

    • Container Registry (ACR)
      Scenario: Access a Container Registry Enterprise Edition instance over HTTPS with a custom domain name
      Reference: Use a custom domain name to access a Container Registry Enterprise Edition instance

    • Container Service for Kubernetes (ACK)
      Scenario: Update AlbConfig certificates and Secret certificates in ACK managed and dedicated clusters
      Important: Do not manually modify a Secret in ACK. The system creates a new Secret automatically.

    • Serverless App Engine - gateway routing
      Scenario: Configure HTTPS as the forwarding protocol for gateway routing (ALB and CLB)

    • Function Compute (FC)
      Scenario: HTTP function scenario
      Reference: Configure a custom domain name

    • Microservices Engine - cloud-native gateway
      Scenario: Cloud-native gateway routing scenario
      Reference: Create a domain name

    • API Gateway
      Scenario: Access an API over HTTPS with a domain name
      Reference: Call APIs through an HTTPS domain name

    • Global Accelerator (GA)
      Scenario: Accelerate HTTPS domain name access securely

    • Application Load Balancer (ALB), Network Load Balancer (NLB), Classic Load Balancer (CLB)
      Scenario: Forward requests over HTTPS using an HTTPS listener (server certificate)
      Note: To deploy a client certificate, see E2E HTTPS encryption for data transfers.

    • Content Delivery Network (CDN)
      Scenario: HTTPS secure acceleration
      Reference: Configure an HTTPS certificate

    • Dynamic Route for CDN (DCDN)
      Scenario: HTTPS secure acceleration
      Reference: Configure an HTTPS certificate

    • Edge Security Acceleration (ESA)
      Scenario: HTTPS secure acceleration
      Reference: Configure edge certificates

    • Object Storage Service (OSS)
      Scenario: Access OSS over HTTPS
      Note: If your domain name uses CDN acceleration, replace the certificate in the CDN console.
      Reference: Access OSS over HTTPS

    • Web Application Firewall (WAF)
      Scenario: CNAME access scenario

    • Anti-DDoS Pro and Anti-DDoS Premium
      Scenario: Domain name access for Anti-DDoS Pro and Anti-DDoS Premium
      Reference: Update an HTTPS certificate

    • ApsaraVideo for Live
      Scenario: HTTPS secure acceleration for stream ingest and playback

    • ApsaraVideo for VOD
      Scenario: Content distribution and acceleration
      Reference: HTTPS secure acceleration

    • Platform for AI (PAI)
      Scenario: Elastic Algorithm Service (EAS) model serving: use a custom domain name for a dedicated gateway
      Reference: Use a dedicated gateway

    • Website Builder
      Scenario: Enable HTTPS access for websites
      Reference: Website HTTPS

    • Enterprise Website Builder
      Scenario: Enable HTTPS access for websites
      Reference: Website HTTPS

  • Deploy a China Cryptography Standard SSL certificate (SM2, supported only by CDN, DCDN, and Anti-DDoS Pro and Anti-DDoS Premium)

Tencent Cloud, Huawei Cloud, and AWS

  • Deploy from the Certificate Management Service console

    You can use the Alibaba Cloud Certificate Management Service console to deploy certificates to the following third-party cloud platforms. For more information, see Multi-cloud deployment: Deploy certificates to third-party clouds. Supported cloud platforms and services are as follows:

    • Tencent Cloud: Content Delivery Network (CDN), Web Application Firewall (WAF), Classic Load Balancer (CLB)

    • AWS: Amazon CloudFront (CDN), load balancers (ALB, NLB, and CLB)

    • Huawei Cloud: Content Delivery Network (CDN), Elastic Load Balance (ELB)

  • Refer to the cloud provider's official documentation

    You can also refer to the following cloud providers' official documentation for certificate deployment:

Install a root certificate on the client

For clients such as IoT devices, embedded systems, internal enterprise systems, offline applications, older browsers, and Java clients (which use their own cacerts trust store rather than the operating system's), the CA root certificate may not be present. After you deploy an SSL certificate, such clients may reject it as untrusted, and you must download the root certificate and install it into the client's trust store manually. For more information, see Download and install root certificates.

FAQ

FAQ 1: How do I download a root certificate?

You can refer to Download and install root certificates to download the root certificate for the relevant certificate brand.

FAQ 2: What if the certificate chain is incomplete or intermediate certificates are missing?

A client needs the complete path from your server certificate to a root it trusts. The server is expected to send the intermediate certificates together with the server certificate, so an "incomplete chain" error is usually a server-side configuration problem: deploy the certificate bundle the CA issued (server certificate followed by its intermediates), not the server certificate alone. If the client's root or intermediate certificate is missing or expired, refer to Troubleshoot an incomplete SSL certificate chain to download and install the missing root or intermediate certificate on the client, then try accessing again. Installing on the client only helps for clients you manage; fixing the chain on the server fixes it for every client.

FAQ 3: What if I receive an error "One or more intermediate certificates in the certificate chain are missing" when deploying a certificate?

This error may occur when deploying an SSL certificate on certain server systems (such as IIS on Windows Server 2008 R2) whose local certificate store cannot build the chain from your server certificate to a trusted root. Install the missing intermediate (and, if necessary, root) certificate on the server; on IIS, import the intermediate certificate into the computer account's Intermediate Certification Authorities store so the chain can be built.
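The failure described in FAQ 2 and FAQ 3, reproduced offline as an added shell example that is not part of the original page: it builds a throwaway root, intermediate, and leaf with openssl (OpenSSL 1.1.1 or later), shows that the leaf alone does not verify against the root, and shows that the bundle you should deploy on the server (leaf followed by intermediate) does. All names and files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): reproduce the "incomplete
# chain" failure offline and show the fix. Builds a throwaway
# root -> intermediate -> leaf PKI with openssl (1.1.1 or later); all names
# and files are constructed for the demo and must not be used in production.

# make_test_pki DIR: writes root.pem, int.pem and leaf.pem (plus keys) into DIR.
make_test_pki() {
  d="$1"
  # Self-contained req config so the demo does not depend on the system openssl.cnf.
  cat > "$d/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[int_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  # Root CA: self-signed trust anchor (what the client's trust store holds).
  openssl req -x509 -config "$d/req.cnf" -extensions ca_ext $key -sha256 -days 1 \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA: signed by the root. This is the certificate servers forget to send.
  openssl req -new -config "$d/req.cnf" $key -sha256 \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$d/req.cnf" -extensions int_ext -out "$d/int.pem" 2>/dev/null
  # Leaf (server) certificate for www.example.com, signed by the intermediate.
  openssl req -new -config "$d/req.cnf" $key -sha256 \
    -subj "/CN=www.example.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$d/req.cnf" -extensions leaf_ext -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf ROOT LEAF [UNTRUSTED]: succeeds only if LEAF chains to ROOT using
# the intermediates in UNTRUSTED, which is what a client does with the chain
# the server sends. Without UNTRUSTED the verification sees the leaf alone.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# chain_length BUNDLE: number of certificates in a PEM bundle.
chain_length() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# show_chain BUNDLE: subject and issuer of each certificate in file order. In a
# correct bundle each issuer matches the subject of the next certificate.
show_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Demo: a server that installs only leaf.pem versus the fixed bundle.
DEMO=$(mktemp -d)
make_test_pki "$DEMO"
cat "$DEMO/leaf.pem" "$DEMO/int.pem" > "$DEMO/fullchain.pem"   # the file to deploy on the server
verify_leaf "$DEMO/root.pem" "$DEMO/leaf.pem" || echo "leaf alone: FAIL (unable to get local issuer certificate)"
verify_leaf "$DEMO/root.pem" "$DEMO/leaf.pem" "$DEMO/fullchain.pem" && echo "leaf + intermediate: OK"
show_chain "$DEMO/fullchain.pem"
```

On a real server, point the web server at `fullchain.pem` (or, for IIS, import the intermediate into the Intermediate Certification Authorities store) and re-run `show_chain` on the file you deployed: the issuer of the first certificate must be the subject of the second, and the last issuer must be a root the client already trusts.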

FAQ 4: How do I find my web server type?

Use browser developer tools

  1. Access your domain name in a browser.

  2. Press F12 to open the developer tools, open the Network panel, select the request for the page, and read the Server field under Response Headers.

Use commands

  1. Log on to the server.

  2. Run the following command on the server to check the web server type:

    curl -I https://yourdomain

    Note

    Replace yourdomain with your actual domain name, for example, curl -I https://www.aliyundoc.com. The -I option (uppercase I) sends a HEAD request and prints only the response headers.

    The following shows sample output:

    HTTP/1.1 200 OK
    Server: nginx/1.24.0
    Date: Fri, 15 May 2026 10:00:00 GMT
    Content-Type: text/html

    The value of the Server header indicates the web server type, which is Nginx in this example. If the header is missing or shows only a product name, the server is configured to hide its version (for example, server_tokens off in Nginx). If the domain name is fronted by a CDN, WAF, or load balancer, the header reflects that edge node rather than the origin server; in that case check which process is listening on the server itself (for example, ps -ef | grep -E 'nginx|httpd|apache2|tomcat') or run the command against the origin address.

Consult the website development engineer

If you still cannot determine the web server type, consult the engineer who built the website. If you encounter other issues, you can contact a product technical expert for assistance. For more information, see One-on-one Expert Service.