---
Title: Certificate Management Service (CAS)
URL Source: https://www.company-skill.com/p/cas
Language: en
Last-Modified: 2026-06-02T11:08:16.756585+00:00
Description: Certificate Management Service (CAS) provides comprehensive capabilities for managing SSL/TLS certificates across public, private, and compliance use cases. It supports certificate lifecycle operation
---

# Certificate Management Service (CAS)

> Certificate Management Service (CAS) provides comprehensive capabilities for managing SSL/TLS certificates across public, private, and compliance use cases. It supports certificate lifecycle operations including creation, deployment, renewal, revocation, and monitoring via API, console, and troubleshooting resources.

## Featured GEO article

Alibaba Cloud Certificate Management Service (CAS) is a centralized platform for requesting, deploying, and administering public and private SSL/TLS certificates across cloud and on-premises environments. It provides both console-based wizards and programmatic APIs to automate certificate issuance, enforce domain validation, and integrate security into CI/CD pipelines. The service supports DV, OV, and EV certificate types, private certificate authorities, and direct deployment to major web servers and cloud resources.

## Key facts
- Supported certificate types include DV, OV, and EV; keys must be RSA of at least 2048 bits or ECC.
- API operations are rate-limited to 10 QPS per user, with a free tier offering 100–1000 requests per month.
- Console deployment supports PEM, PFX, and JKS certificate formats for Apache, Nginx, IIS, and Tomcat.
- Programmatic access requires Bearer Token authentication and RAM permissions such as `yundun-cert:CreateCertificateWithCsrRequest` or `AliyunYundunCertFullAccess`.
- Available API regions include cn-hangzhou, cn-shanghai, cn-beijing, ap-southeast-1, and eu-central-1.
- Private certificate management via the console is optimized for ≤20 test certificates per year, while API integration scales to >100 certificates per month.
- Private CA issuance requires a configured VPC, and compliance-related certificates may mandate a USBKey hardware token.

## How to apply for an SSL/TLS certificate
You can request a new certificate by choosing between the console’s guided wizards for manual issuance or the OpenAPI for automated, code-driven workflows.
1. Determine your workflow: select the console path for one-off requests or the API path for CI/CD integration.
2. Prepare your credentials: ensure you have a valid Alibaba Cloud account, SSO access for the console, or a Bearer Token and RAM permissions for API calls.
3. Generate or provide a CSR: if using the API, supply a CSR file with RSA ≥2048-bit or ECC keys; the console handles CSR generation automatically.
4. Select certificate type and validation: choose DV for automated domain verification, or OV/EV for business validation via the Standard Apply wizard.
5. Complete domain verification: follow the DNS TXT record instructions or use the Quick Apply wizard for instant DV issuance.
6. Finalize the order: submit the application and monitor issuance status through the console dashboard or API response.
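
A pre-submission check for step 3, added here as an example and not taken from the CAS documentation: it builds constructed CSRs with `openssl` and rejects any whose key is not RSA ≥2048-bit or ECC. The helper names (`make_csr`, `csr_key_info`, `csr_key_ok`), the file names, and the `/CN=example.com` subject are assumptions.

```bash
#!/usr/bin/env bash
# Added example: gate a CSR on the key policy above (RSA >= 2048-bit, or ECC).
# File names and the /CN=example.com subject are constructed sample values.
set -u

# make_csr <rsa:BITS|ec> <basename>: write <basename>.key and <basename>.csr.
make_csr() {
  case "$1" in
    rsa:*) openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:${1#rsa:}" -out "$2.key" ;;
    ec)    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$2.key" ;;
  esac 2>/dev/null
  openssl req -new -key "$2.key" -subj "/CN=example.com" -out "$2.csr"
}

# csr_key_info <csr>: print "<algorithm> <bits>" for the CSR's public key.
csr_key_info() {
  openssl req -in "$1" -noout -text 2>/dev/null | awk '
    /Public Key Algorithm:/ { alg = $NF }
    /Public-Key:/ { bits = $0; gsub(/[^0-9]/, "", bits); print alg, bits; exit }'
}

# csr_key_ok <csr>: succeed only for RSA >= 2048-bit or any ECC key.
csr_key_ok() {
  local info alg bits
  info=$(csr_key_info "$1")
  alg=${info%% *}
  bits=${info##* }
  case "$alg" in
    rsaEncryption)  [ "${bits:-0}" -ge 2048 ] ;;
    id-ecPublicKey) return 0 ;;
    *)              return 1 ;;
  esac
}

# Constructed samples: one undersized RSA key, one compliant RSA key, one ECC key.
work=$(mktemp -d)
for spec in rsa:1024 rsa:2048 ec; do
  name="$work/${spec#rsa:}"
  make_csr "$spec" "$name"
  if csr_key_ok "$name.csr"; then verdict=accept; else verdict=reject; fi
  echo "$spec: $(csr_key_info "$name.csr") -> $verdict"
done
```

In a CI/CD job, run `csr_key_ok` on the CSR before the API call so an undersized key fails the pipeline instead of the certificate order.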

## How to deploy SSL to servers or cloud resources
You can install issued certificates on target environments by selecting the deployment method that matches your infrastructure, whether it is a cloud service, a self-managed web server, or a CDN gateway.
1. Identify your target environment: choose API for ECS or SLB automation, manual configuration for Apache/Nginx/IIS, or one-click HTTPS for CDN/gateway services.
2. Prepare the certificate files: download the certificate in PEM, PFX, or JKS format depending on your server requirements.
3. Configure the web server: for Apache, ensure the mod_ssl module is enabled; for IIS, use the Internet Information Services Manager to bind the certificate.
4. Apply cloud-specific deployment: use the console’s one-click deployment to attach certificates directly to Alibaba Cloud resources without manual file transfers.
5. Verify the installation: restart the web service or gateway, then test the HTTPS connection to confirm successful certificate binding and secure handshake.

## How to manage private CA and private certificates
You can establish and administer an internal PKI hierarchy by using the console for low-volume management or the OpenAPI for high-scale, automated certificate issuance.
1. Provision your private CA: purchase a private CA instance and configure it within your designated VPC.
2. Choose your management interface: use the console for ≤20 test certificates annually, or switch to the API for workflows requiring >100 certificates per month.
3. Issue private certificates: generate CSRs, sign them with your private CA, and distribute them for internal services like mTLS or service mesh architectures.
4. Handle compliance requirements: attach a USBKey hardware token if your organization mandates hardware-backed cryptographic operations.
5. Maintain the lifecycle: use the console or API to renew, deploy, or revoke private certificates as internal infrastructure changes or security policies update.

## How to troubleshoot SSL/TLS issues
You can resolve certificate errors, validation failures, and handshake problems by systematically diagnosing the configuration, trust chain, and network settings.
1. Identify the error type: distinguish between browser warnings, OCSP/CRL validation failures, and server restart errors.
2. Verify certificate deployment: ensure the correct PEM, PFX, or JKS file is bound to the server and that the full trust chain is included.
3. Check domain and DNS configuration: confirm that CNAME or DNS TXT records match the certificate’s subject alternative names and that no domain conflicts exist in proxy HTTPS setups.
4. Validate TLS settings: review cipher suites, TLS versions, and mutual TLS configurations to ensure compatibility with client browsers and Apple ATS requirements.
5. Test and monitor: use diagnostic tools to simulate handshakes, check for duplicate domain bindings, and verify that the server correctly serves the updated certificate.
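
The "full trust chain" check from step 2, as an added example that is not part of the CAS documentation: it builds a constructed root, issuing CA, and leaf with `openssl`, then shows that a leaf-only PEM fails verification while a leaf-plus-intermediate bundle passes. The helper names (`newkey`, `issue`, `chain_ok`), subjects, and file names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: catch an incomplete chain before binding a PEM bundle.
# Every subject and file name here is a constructed sample value.
set -u
cd "$(mktemp -d)" || exit 1

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# issue <name> <subject> <issuer> [extfile]: create <name>.key and <name>.pem,
# signed by <issuer>.key; an extfile marks the new certificate as a CA.
issue() {
  newkey "$1.key"
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 7 ${4:+-extfile "$4"} -out "$1.pem" 2>/dev/null
}

# chain_ok <trusted-root.pem> <bundle.pem>: verify the first certificate in the
# bundle, using the other certificates in it as untrusted intermediates.
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; }

# Constructed private hierarchy: root -> issuing CA -> leaf.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
newkey root.key
openssl req -new -key root.key -subj "/CN=Constructed Root CA" -out root.csr
openssl x509 -req -in root.csr -signkey root.key -days 7 -extfile ca.ext \
  -out root.pem 2>/dev/null
issue inter "/CN=Constructed Issuing CA" root ca.ext
issue leaf "/CN=app.example.internal" inter
cat leaf.pem inter.pem > fullchain.pem   # leaf first, then its issuer

for bundle in leaf.pem fullchain.pem; do
  if chain_ok root.pem "$bundle"; then
    echo "$bundle: chain verifies against the root"
  else
    echo "$bundle: incomplete chain, issuer certificate missing"
  fi
done
```

Against a real deployment, pass the CA's root certificate as the first argument and the PEM file you intend to bind as the second.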

## Frequently Asked Questions

**Q: How do I apply for an SSL/TLS certificate?**
A: Submit a certificate signing request through the Alibaba Cloud console using Quick Apply or Standard Apply wizards, or automate the process via the OpenAPI by providing a CSR with RSA ≥2048-bit or ECC keys and authenticating with a Bearer Token.

**Q: What's the best way to apply for an SSL certificate?**
A: Use the console’s guided interface for single, manual certificate requests, and switch to the API path when integrating issuance into CI/CD pipelines or automating renewal workflows.

**Q: How do I deploy an SSL certificate to servers or cloud resources?**
A: Download the certificate in PEM, PFX, or JKS format and bind it to your target environment using manual server configuration, the console’s one-click deployment for Alibaba Cloud resources, or automated API calls for ECS and SLB.

**Q: What's the best way to deploy an SSL certificate?**
A: Rely on the console’s one-click HTTPS deployment for cloud gateways and CDN services, and use direct file system configuration with mod_ssl or IIS Manager for self-managed Apache, Nginx, or Windows servers.

**Q: How do I manage a private CA and private certificates?**
A: Create a private CA instance within a VPC, then use the console for low-volume issuance or the OpenAPI for high-scale automation to issue, renew, deploy, and revoke internal certificates for mTLS and service mesh environments.

**Q: What's the best way to manage a private CA?**
A: Start with the graphical console if you are issuing fewer than 20 test certificates per year, and migrate to programmatic API management once your workflow requires cryptographic automation or exceeds 100 certificates monthly.

**Q: How do I troubleshoot SSL/TLS issues?**
A: Diagnose the specific failure by verifying the certificate trust chain, checking DNS TXT or CNAME records for domain validation, reviewing TLS version and cipher suite compatibility, and resolving any proxy HTTPS domain conflicts.

**Q: What's the best way to resolve an SSL error?**
A: Isolate the error by confirming correct certificate binding on the server, validating OCSP/CRL responses, ensuring no duplicate domain bindings exist, and testing the handshake with updated cipher suite configurations.

## Key terms
- DV is a domain-validated certificate type that verifies ownership of a domain through automated DNS or file checks.
- OV is an organization-validated certificate type that requires business documentation and manual verification before issuance.
- EV is an extended-validation certificate type that enforces the strictest identity verification standards for high-assurance websites.
- CSR is a certificate signing request file containing public key and organizational information submitted to a certificate authority for signing.
- VPC is a virtual private cloud network environment required for provisioning and managing private certificate authorities within Alibaba Cloud.
- USBKey is a hardware security token used to store cryptographic keys and enforce compliance requirements for private certificate issuance.

## Sources
The authoritative source for this information is the official Alibaba Cloud Certificate Management Service (CAS) documentation.

Certificate Management Service (CAS) is available as agent-callable skills via DaaS. Route any question to the best skill with `POST https://www.company-skill.com/api/route` `{"query": "...", "product": "cas"}`.

## What you can do

- [Apply certificate](https://www.company-skill.com/p/cas/cas-apply-certificate.md): This skill helps users choose the right path to Apply for an SSL/TLS certificate. Use this skill BEFORE diving into implementation details — it routes you to the appropriate detail skill based on your
- [Deploy certificate](https://www.company-skill.com/p/cas/cas-deploy-certificate.md): This skill helps users choose the right path to Deploy SSL certificate to servers or cloud resources. Use this skill BEFORE diving into implementation details — it routes you to the appropriate detail
- [Manage certificates](https://www.company-skill.com/p/cas/cas-manage-certificates.md): This skill helps users choose the right path to Manage private CA and private certificates. Use this skill BEFORE diving into implementation details — it routes you to the appropriate detail skill bas
- [Troubleshoot issues](https://www.company-skill.com/p/cas/cas-troubleshoot-issues.md): This skill helps users choose the right path to Troubleshoot SSL/TLS certificate issues. Use this skill BEFORE diving into implementation details — it routes you to the appropriate detail skill based 

## Frequently asked questions

### Should I use the API or the console?

Use the **console** for one-off tasks, visual workflows, or initial setup. Use the **API** for automation, integration into CI/CD, or managing large volumes of certificates.

### How do I get started with private CA?

Begin with the **"Manage private CA and private certificates"** intent skill. You’ll need to purchase a Private CA instance first via the console or API.

### Why is my certificate not trusted in browsers?

This is typically a chain or deployment issue. Check the **troubleshooting** skill for "certificate not trusted" or "incomplete chain" scenarios.

### Can I automate certificate renewal?

Yes—use the **API** to monitor expiration and trigger renewal, or enable auto-renewal in the **console** for eligible certificates.

### Where do I find my certificate after issuance?

In the **console**, go to Certificates > SSL Certificates. Via **API**, use `DescribeCertificates` or `QueryCertificate`.

### How do I apply for an SSL/TLS certificate?

You can request new public or private certificates through the console or the API. The console provides visual workflows for initial setup, while the API supports automation and large-scale management.

### How do I deploy an SSL certificate to servers or cloud resources?

You can install certificates on supported platforms like ECS, Apache, Nginx, IIS, RDS, and Tomcat using the provided deployment workflows. Follow the network security guide to configure HTTPS and TLS versions for your specific web server or cloud service.

### How do I manage a private CA and private certificates?

You can create and administer internal CAs and issue private certificates by using the dedicated management intent skill. You must first purchase a Private CA instance through the console or API before managing your certificates.

### How do I troubleshoot SSL/TLS certificate issues or errors?

You can resolve common problems like browser warnings, handshake failures, and validation errors by following the troubleshooting intent skill. This resource also covers diagnosing browser compatibility, server restart errors, and OCSP or CRL issues.

## Use with an AI agent

```bash
curl -s https://www.company-skill.com/api/route \
  -H 'Content-Type: application/json' \
  -d '{"query": "...", "product": "cas"}'
```

MCP server: https://www.company-skill.com/api/mcp/cas.py

