SSL certificates are valid for one year. Manually applying for and deploying certificates to cloud services is time-consuming and error-prone. Alibaba Cloud provides an automated certificate deployment solution for cloud services that combines the managed service, DNS-free domain ownership verification, and one-click deployment to cloud services to help you automate the full lifecycle management of certificates. This topic describes the working principles of this solution and provides a deployment example.
Solution overview
Automated certificate deployment for cloud services is implemented through the following three core capabilities, covering the entire process from certificate application to deployment:
Feature | Description |
Managed service | Note: For information about how to enable the managed service, see Enable certificate hosting. |
DNS-free domain authorization | Note: For information about how to implement DNS-free domain authorization, see Domain pre-authorization or Domain ownership verification. |
One-click deployment to cloud services | Note: For a list of supported cloud services and related instructions, see Deploy SSL certificates to cloud services. |
The workflow of the preceding three capabilities is shown in the following figure:
Deployment example
Deployment tasks for cloud services depend on the managed service and are created when you enable it. After a new certificate is issued, the system activates the deployment task and automatically deploys the certificate to the configured cloud services.
Managed service enablement
Only paid certificates support automatic hosting.
Certificate type | Managed service enablement phase |
Paid certificate | |
Step 1: Purchase a certificate and enable the managed service
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose Certificate Management > SSL Certificate Management V2.0.
On the Commercial Certificates tab, click Purchase Certificate.
For Purchase Method, select Domain Name, and set Duration to 3 years.
After the purchase is complete, go to the certificate list to view the corresponding certificate subscription instance.
Step 2: Apply for a certificate and enable DNS-free verification
In the certificate list, find the purchased certificate and click Apply for Certificate in the Actions column.
In the Apply for Certificate panel, configure Domain Verification Method. Select the corresponding verification method based on where your DNS resolution service is located:
If the DNS resolution service for your domain is under your current account, Domain Verification Method defaults to Automatic DNS Verification. The system automatically completes domain ownership verification and no additional action is required.
If the DNS resolution service for your domain is not under your current account, set Domain Verification Method to Manual DNS Verification. After you submit the application, go to the DNS resolution service provider of your domain and manually add a CNAME record to enable DNS-free verification.
Set the host record to _dnsauth and the record value to the verification value automatically generated by the system, which you can copy from the panel. After the record is added, click Verify to confirm that the DNS record is correctly configured.
After the certificate is issued, the certificate status in the certificate list is displayed as Hosted.
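For the manual DNS verification case in Step 2, the following added example (not part of the Alibaba Cloud documentation) checks the `_dnsauth` CNAME record before you click Verify. It reads answer lines in the format printed by `dig +noall +answer` and reports the usual record mistakes: wrong target, wrong record type, or a host record entered as a full name so that the zone is appended twice. The function names, the domain `example.com`, and the verification value are constructed placeholders.

```python
AUTH_LABEL = "_dnsauth"  # host record named in Step 2

def norm(name):
    """Lower-case, unquote and drop the trailing root dot so names compare equal."""
    return name.strip().strip('"').rstrip(".").lower()

def parse_answers(text):
    """Parse `dig +noall +answer` style lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and not line.lstrip().startswith(";"):
            owner, _ttl, _cls, rtype, rdata = fields
            records.append((norm(owner), rtype.upper(), norm(rdata)))
    return records

def check_dnsauth(domain, expected_value, answers_text):
    """Return (status, detail) for the verification record of `domain`."""
    zone = norm(domain)
    owner = f"{AUTH_LABEL}.{zone}"
    expected = norm(expected_value)
    records = parse_answers(answers_text)
    at_owner = [(t, v) for o, t, v in records if o == owner]
    cnames = [v for t, v in at_owner if t == "CNAME"]
    if cnames == [expected]:
        return "ok", owner
    if cnames:  # CNAME exists but points somewhere other than the copied value
        return "wrong_target", cnames[0]
    if at_owner:  # e.g. the value was added as TXT instead of CNAME
        return "wrong_type", at_owner[0][0]
    doubled = f"{owner}.{zone}"  # full name typed into the host record field
    if any(o == doubled for o, _t, _v in records):
        return "doubled_suffix", doubled
    return "missing", owner

# Constructed sample answers; the verification value is a placeholder.
VALUE = "verify-placeholder.validation.example.net"
SAMPLES = {
    "ok": f"_dnsauth.example.com. 600 IN CNAME {VALUE}.",
    "wrong_target": "_dnsauth.example.com. 600 IN CNAME other.validation.example.net.",
    "wrong_type": f'_dnsauth.example.com. 600 IN TXT "{VALUE}"',
    "doubled_suffix": f"_dnsauth.example.com.example.com. 600 IN CNAME {VALUE}.",
}

if __name__ == "__main__":
    for label, answers in SAMPLES.items():
        print(label, check_dnsauth("example.com", VALUE, answers))
```

To check a live record, pass the output of `dig +noall +answer _dnsauth.<your-domain> CNAME` as `answers_text` together with the value copied from the panel.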
Step 3: Create a deployment task and deploy the certificate to cloud services
The managed certificate must first be deployed to cloud services successfully once. After that, subsequently issued certificates automatically inherit the list of deployed cloud service resources, which makes certificate deployment automatic.
In the certificate list, find the managed certificate and click Deployment to Cloud Services in the Actions column.
On the Create Task page, select the cloud services and corresponding resources to deploy, and then click Preview and Submit.
The Resources by Cloud Service pane on the left lists the cloud services that support deployment (such as CDN and Dynamic Content Delivery Network) along with the corresponding number of resources. The middle area displays the list of domain resources for the selected cloud service.
In the Task Preview panel, verify the certificate instance and cloud service resource information. If everything is correct, click Submit.