# cas-certificate

Part of **CAS**

# Certificate Management Service: Certificate Management Console Guide

## Operations Overview

| Operation | Console Navigation Path | Prerequisites | Description |
|------|-----------|---------|------|
| Apply for Certificate | Console > Certificate Management > Certificates > Create Certificate | A certificate is purchased; For OV certificates with .gov domains: registrant contact information must match company name | Apply for new SSL certificates by providing domain details, verification methods, and organizational information |
| Deploy Certificate | Console > Certificate Management > Certificates > Deploy Certificate | A valid SSL certificate has been created; Target server is running and accessible | Deploy certificates to various servers and cloud resources like ECS, Tomcat, Apache, and IIS |
| Install Root Certificate | Start > Run > mmc > Add/Remove Snap-in > Certificates > Computer Account > Local computer | A root or intermediate certificate file; Access to target system | Install root certificates on Windows, macOS, Linux, and browsers to establish trust |
| Manage Private Certificates | Console > Certificate Management Service > Private CA/Compliance CA > [Target CA] > Operations | Purchase and enable a private CA or compliance CA; Have a VPC already created | Manage private CA certificates including issuing, downloading, installing, and revoking |
| Manage SSL Certificate Lifecycle | Console > Certificate Management Service > SSL Certificate Management | Domain name ready for binding; Valid contact information | Handle complete SSL certificate workflow from application to renewal and revocation |
| Create CSR File | Console > Certificate Management Service > Create Certificate > Generate CSR | Access to server with command-line tools; OpenSSL or JDK installed | Generate certificate signing request files using OpenSSL or Keytool |
| Authorize Access | Console > Certificate Management Service > [Feature Page] > Authorize Access | Alibaba Cloud account with appropriate permissions | Configure service-linked roles to authorize certificate service access to cloud resources |
| Remove Password Protection from Private Key | N/A | Access to private key file; OpenSSL tool installed | Handle private keys without password protection for certificate installation |
| Verify Domain Ownership | Console > Certificate Management Service > Certificates > Apply for Certificate | Domain registered with Alibaba Cloud; DNS service configured | Complete domain ownership verification during certificate application |
| Request Certificate with Domain Names | Console > Certificate Management > Create Certificate | Valid Alibaba Cloud account; Domain ownership verification capability | Specify domain names when requesting a certificate |
| Request Paid Certificate | Console > Certificate Management > Request Certificate > Paid Certificate | Business license on file; Domain name with public contact information | Apply for commercial or paid SSL certificates with organizational validation |
| Convert Certificate Format | Console > Certificate Management > Convert Certificate Format | Certificate already issued in supported format | Change the format of a downloaded certificate file between PEM, PFX, JKS, and PKCS#8 |
| View Web Server Type | Console > Certificate Management > View Server Type | Access to target website domain; Browser with developer tools | Identify the type of web server for proper certificate deployment |
| View SSL Certificate Operation Logs | Console > Security > ActionTrail > Query Events | Access to Alibaba Cloud account; ActionTrail service enabled | Access logs related to SSL certificate operations for auditing |
| Share SSL Certificate | Console > Certificate Management > Certificates > Share Certificate | Both accounts belong to same verified entity; Source account has certificate ready | Use an SSL certificate across different accounts |
| Configure Certificate Reminders | Console > Certificate Management Service > Message Reminders | Valid Alibaba Cloud account; Paid or personal test SSL certificate issued | Set up expiration notifications for SSL certificates |
| Apply for Renewed Certificate | Console > Certificate Management Service > Certificates > Renewal | Certificate within 30 days of expiration; Domain ownership verifiable | Download and apply for a certificate after renewal |
| Renew Certificate | Console > Certificate Management Service > Certificate Renewal | Certificate in 'About To Expire' status (30 days before expiry) | Renew an expiring SSL certificate via the console |
| Deploy Certificate to | Console > Certificate Management > Deploy to | Alibaba Cloud account with Certificate Management Service access; account with permissions | Deploy certificates to multiple cloud services |
| Deploy Certificate to | Console > Certificate Management > Deploy Certificates to | Active Alibaba Cloud account; Valid SSL certificate uploaded | Deploy certificates to CDN and ELB |
| Deploy Certificate to | Console > Certificate Management > Deploy Certificates to | Valid SSL certificate in Alibaba Cloud Certificate Management Service | Deploy certificates to CLB and WAF |
| Pre-authorize Domain | Console > Certificate Management > Domain Pre-authorization | Alibaba Cloud account with domain ownership; DNS provider not using West.cn | Pre-authorize domains for certificate issuance |
| Manage Company Profiles | Console > Certificate Management Service > Company Profiles | Valid business license image ready; Company information available | Create, update, or delete company profiles for OV/EV certificates |
| Manage Contacts | Console > Certificate Management Service > Contacts > Create Contact | Alibaba Cloud account with proper permissions; Valid email and mobile number | Create, modify, or delete contacts for certificate applications |
| Apply for Free Trial | Console > Certificate Management > Private Certificate Management | Alibaba Cloud account not used to purchase private CA; Need to build private CA platform | Sign up for a free trial of Private Certificate Authority (PCA) |
| Issue Private Certificate | Console > Certificate Management > Private CA > Subordinate Private CA > Issue Certificate | Purchase and enable subordinate private CA; Ensure quota greater than 0 | Generate a private certificate using PCA |
| Manage CRL Service | Console > Certificate Management > PCA Certificate Management | CA created by uploading CA certificate and private key files | Enable, view status, and download CRL for private certificates |
| Deploy Private Certificate | Console > > > | Created private certificate file (.crt); Private key file (.key) | Deploy issued private certificates to servers or services |
| Download Private Certificate | Console > Certificate Management > Private Certificate Management | Private certificate issued from private intermediate CA | Download a private certificate file |
| Manage Private CA | Console > Certificate Management > Private CA > Manage CA | Valid Alibaba Cloud account; Certificate Management Service enabled | Administer private certificate authorities |
| Purchase and Assign Certificate Quota | Console > Certificate Management > Private Certificate Management | Private CA that is purchased and enabled | Buy and allocate quota for private certificates |
| Purchase Private CA | Console > Certificate Management Service > Private CA > Purchase and Enable | Valid Alibaba Cloud account; Permission to create private CAs | Buy and enable a private certificate authority |
| Reset Private CA | Manage Certificates > PCA Certificate Management | Private root CA or private intermediate CA in Enabled status | Reset a private certificate authority to its initial state |
| Revoke Private Certificate | Console > Certificate Management > Private Certificate Management | Access to Certificate Management Service console; Private intermediate CA that issued certificate | Revoke a private certificate before expiration |
| Download Compliance Certificate | Console > Certificate Management > Subordinate CA > Certificate List | Compliance certificate issued by subordinate CA; USBKey connected | Download a compliance-related certificate |
| Revoke Compliance Certificate | Console > Certificate Management Service > Subordinate CA > Certificate List | Access to Certificate Management Service console; Active compliance certificate | Revoke a compliance certificate |
| Manage USBKey | Console > Certificate Management Service > USBKey Management | Windows operating system; USBKey device connected | Install and manage USBKey controls for certificate operations |
| Apply for SM Compliance Certificate | Console > Certificate Management Service > Compliance CA | Valid Alibaba Cloud account; Windows device for USBKey installation | Request a compliance certificate for cryptographic assessment scenarios |
| Apply for Compliance Certificate | Console > Certificate Management > Compliance CA > Sub-CA List > Apply for Certificate | Purchased and enabled Compliance CA Service; Sub-CA with available quota | Submit an application for a compliance certificate |
| Purchase Compliance Certificate Quota | Console > Certificate Management Service > Compliance CA > Purchase and Allocate Quota | Compliance CA has been purchased and enabled | Buy and allocate quota for compliance certificates |
| Purchase Compliance CA | Private Certificates > Compliance CAs | Enterprise with registered name and official seal; Valid business license | Purchase and enable a compliance certificate authority |
| Download Certificate | Console > > > | Created or purchased SSL certificate; Certificate status is issued | Download issued SSL certificates from the console |
| Revoke SSL Certificate | Console > > | Logged in with main account; Certificate purchased through service and issued | Revoke an issued SSL certificate |
| Manage Certificate Status | Console > > | Logged in to Alibaba Cloud console; Certificate Management Service access | Use the console to monitor and manage certificate lifecycle status |
| Migrate Certificate Data | Console > SSL > > | Created certificate data before March 1, 2022 | Transfer certificate data between systems or accounts |
| Export Private Certificate | N/A | N/A | Export private certificates in various formats |
| Create Private Certificate | Console > > > | Certificate Management Service enabled; Appropriate RAM permissions | Generate and manage private certificates via the console |
| Install JKS Certificate | Console > > > | JKS format SSL certificate file; Certificate password file | Install certificates in JKS format on Java-based servers |
| Install SSL Certificate on Tomcat | Console > > > > Tomcat | PFX format SSL certificate file; Certificate password file | Deploy SSL certificates to Tomcat servers |
| Install SSL Certificate on Apache | Console > > > | Apache server with mod_ssl.so module; Generated CSR | Deploy single or multi-domain certificates to Apache |
| Install Wildcard Certificate on Apache | Console > > > | Issued wildcard domain certificate; Apache server with mod_ssl.so module | Deploy wildcard domain certificates to Apache servers |
| Deploy SSL Certificate to Cloud Product | Console > > > > | Created and verified SSL certificate; Target cloud product supports binding | Automatically deploy certificates to integrated cloud services |
| Deploy Certificate to ECS | Console > > | Purchased ECS trusted instance; Issued single domain RSA SSL certificate | One-click deploy certificates to Elastic Compute Service instances |
| Switch Certificate Region | Console > > > | Purchased SSL certificate; Logged in to Certificate Management console | Change the region of an SSL certificate instance |
| Deploy SSL Certificate to Web Server | Console > > > Web | Installed supported Nginx version; Completed deployment prerequisites | Deploy certificates to supported web application servers |
| Verify Certificate Installation | Console > Certificate Management > Certificates > Verify Installation | SSL certificate applied and bound to domain; Domain resolution effective | Confirm that a certificate has been correctly installed |
| Request Refund | Console > Comprehensive Management > Refund Management | Order less than 7 calendar days old; Service not used | Initiate a refund request for SSL certificates |
| Purchase Certificate | Console > SSL Certificates Service > Purchase Console | Alibaba Cloud account with real-name registration | Purchase different types of SSL certificates including personal test, commercial, and support services |
| Manage Certificate Lifecycle | Console > SSL Certificate Management (V1.0 Discontinued) | Personal test certificate in pending, failed, or expiring status | Revoke, delete, upgrade, and request refunds for certificates |
| Configure Notifications | Console > Certificate and Domain Application Services > Notification | Issued certificate in Certificate Management Service; Purchased notification quota (for uploaded certificates) | Set up notifications for certificate events, PCA services, and domain monitoring |
| Manage Access Control | Console > RAM > Policies | Alibaba Cloud account with RAM access; Admin privileges | Configure RAM-based access control and system policies for certificate management |
| Manage Tags | Console > > > > | Logged in to Certificate Management console; Read/write permissions for certificate | Add and manage tags for certificates through the console |
| Manage Orders | Console > > | Logged in Alibaba Cloud account; Certificate Management Service enabled | Handle certificate orders including viewing details and resolving abnormalities |

## Operations Steps

### Apply for Certificate

**Navigation**: Console > Certificate Management > Certificates > Create Certificate

**Prerequisites**:
- A certificate is purchased
- For OV certificates with .gov domains: registrant contact information must match company name

1. Locate the 'Pending Application' area and click **Apply** on the 'Certificates' tab
   - Element: **Apply** (button) — top-right corner of the 'Certificates' tab

2. Complete the configuration in the 'Apply' panel and click **OK** to create a certificate application
   - Element: **OK** (button) — bottom of the 'Apply' panel
   - Notes: The available options depend on the selected certificate type. Screenshots show both 'Quick Apply' and 'Standard Apply' configurations.

3. Submit the certificate application to the CA for review
   - Element: **Apply** (button) — in the 'Operations' column under the 'Apply' panel
   - Notes: If quick apply was not enabled, you must first fill in the application details before submitting. Domain ownership verification is required based on the certificate type.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Certificate Type | dropdown | Yes | Single Domain, Multi-Domain, Wildcard | Selects the type of certificate to be applied for based on the number and type of domains to bind. |
| Certificate Brand | dropdown | Yes | — | Choose the brand and type of certificate from the list of available resources. Only brands with purchased resources are shown. |
| Domain Name | text | Yes | — | Enter the domain(s) to be protected by the certificate. Format depends on the selected certificate type: one single domain, up to five single domains separated by commas, or one wildcard domain. |
| Service Years | dropdown | No | 1 year, 2 years, 3 years | Select the duration of the certificate service. Extending beyond 1 year requires purchasing certificate hosting service. |
| Quick Apply | checkbox | No | — | Enable to submit certificate application information immediately during creation. Disable to fill in later. |

### Deploy Certificate

**Navigation**: Console > Certificate Management > Certificates > Deploy Certificate

**Prerequisites**:
- A valid SSL certificate has been created in the Certificate Management Service
- The target Simple Application Server or ECS instance is running and accessible

1. Navigate to the Certificate Management Service console
   - Element: **Certificate Management** (link) — left navigation panel

2. Select the certificate you want to deploy from the list
   - Element: **Certificates** (link) — top navigation bar

3. Click the **Deploy** button next to the selected certificate
   - Element: **Deploy** (button) — main content area
   - Notes: The 'Deploy' button appears only if the certificate is in 'Issued' status.

4. Select the target server type: Simple Application Server or ECS instance
   - Element: **Server Type** (dropdown) — deployment form

5. Choose the specific server instance from the dropdown list
   - Element: **Instance** (dropdown) — deployment form

6. Review the deployment settings and click **Confirm**
   - Element: **Confirm** (button) — bottom of the form
   - Notes: After confirmation, the certificate will be deployed to the selected server.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Server Type | dropdown | Yes | Simple Application Server, ECS Instance | Specifies the type of cloud server where the certificate will be deployed. |
| Instance | dropdown | Yes | — | Lists all available instances of the selected server type that can receive the certificate. |

### Install Root Certificate

**Navigation**: Start > Run > mmc > Add/Remove Snap-in > Certificates > Computer Account > Local computer

**Prerequisites**:
- A root certificate or intermediate certificate file
- Access to the server with Windows 10 installed

1. Press Win+R to open the Run dialog box, enter 'mmc', and click OK
   - Element: **Run** (text_input) — keyboard shortcut menu

2. In the MMC console, choose File > Add/Remove Snap-in from the menu bar
   - Element: **File** (menu) — top menu bar

3. Select Certificates from the Available Snap-ins list and click Add
   - Element: **Certificates** (checkbox) — Available Snap-ins list

4. Select Computer Account and click Next
   - Element: **Computer Account** (radio) — Certificates Snap-in dialog box

5. Select Local computer and click Finish
   - Element: **Local computer (the computer this console is running on)** (radio) — Select Computer dialog box

6. Expand Certificates (Local Computer) and select the destination folder, such as Enterprise Trust
   - Element: **Enterprise Trust** (folder) — navigation pane

7. Right-click the folder and choose All Tasks > Import
   - Element: **All Tasks** (menu) — context menu
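
The import can also be scripted, which makes it practical to check the certificate's fingerprint and CA status before it becomes a trust anchor. This PowerShell script is an added example, not part of the original guide; the parameter names, the file path and the expected SHA-256 fingerprint are placeholders, and the `Auto` rule (self-signed certificates go to `Root`, other CA certificates to `CA`) is an assumption. Pass `-Store Trust` to target Enterprise Trust, the folder the steps above use as their example.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of importing a CA certificate into the
# Local Computer store. $CertPath and $ExpectedSha256 are placeholders; obtain the
# fingerprint from the CA over a separate, trusted channel before running this.
param(
    [Parameter(Mandatory)] [string] $CertPath,
    [Parameter(Mandatory)] [string] $ExpectedSha256,
    [ValidateSet('Auto', 'Root', 'CA', 'Trust')] [string] $Store = 'Auto'
)

$ErrorActionPreference = 'Stop'

# Load the file once; every later check and the import itself use this object,
# so the bytes that were verified are the bytes that get trusted.
$fullPath = (Resolve-Path -LiteralPath $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

# 1. Fingerprint check over the DER encoding (not over the file, which may be PEM).
$sha256 = [System.Security.Cryptography.SHA256]::Create()
try {
    $actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
}
finally {
    $sha256.Dispose()
}
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "SHA-256 fingerprint mismatch. File has $actual; refusing to import."
}

# 2. Only CA certificates belong in these stores. Certificates without a
#    BasicConstraints extension (old X.509 v1 roots) are rejected here as well.
$basic = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $basic -or -not $basic.CertificateAuthority) {
    throw "Certificate '$($cert.Subject)' is not marked as a CA; refusing to import."
}

# 3. Do not add an expired or not-yet-valid certificate.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 4. Choose the store. 'Root' = Trusted Root Certification Authorities,
#    'CA' = Intermediate Certification Authorities, 'Trust' = Enterprise Trust.
#    Subject equal to Issuer is used as a simple self-signed heuristic (assumption).
if ($Store -eq 'Auto') {
    $Store = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
}

# 5. Skip the import when the same certificate is already present.
if (Test-Path -LiteralPath "Cert:\LocalMachine\$Store\$($cert.Thumbprint)") {
    Write-Output "Already present in LocalMachine\$Store: $($cert.Thumbprint)"
    return
}

# 6. Add the verified certificate object to the machine store.
$machineStore = [System.Security.Cryptography.X509Certificates.X509Store]::new($Store, 'LocalMachine')
try {
    $machineStore.Open('ReadWrite')
    $machineStore.Add($cert)
}
finally {
    $machineStore.Close()
}

# Summary of what is now trusted, for the change record.
[pscustomobject]@{
    Store      = "LocalMachine\$Store"
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    Sha256     = $actual
    NotAfter   = $cert.NotAfter
}
```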

### Manage Private Certificates

**Navigation**: Console > Certificate Management Service > Private CA/Compliance CA > [Target CA] > Operations

**Prerequisites**:
- Purchase and enable a private CA or compliance CA
- Have a VPC already created (implied by context)
- RAM role configured (implied by context)

1. Navigate to the Private CA or Compliance CA tab in the Certificate Management Service console
   - Element: **Private CA** (tab) — left navigation panel

2. Locate the target root CA and click **Buy** in the operating column
   - Element: **Buy** (button) — main content area
   - Notes: For compliance CA, this step is only applicable after purchasing the root CA.

3. In the Buy panel, enter the number of certificates to purchase and complete payment
   - Element: **Buy** (button) — Buy panel
   - Notes: The system may waive fees beyond a certain threshold; contact your account manager for details.

4. On the Private CA tab, locate the root CA and click **Assign** in the rest count column
   - Element: **Assign** (button) — main content area

5. In the Assign panel, select the subordinate CA and set the rest count value, then click **Apply**
   - Element: **Apply** (button) — Assign panel

6. On the Private CA tab, locate the target intermediate CA and click **Request Certificate** in the operating column
   - Element: **Request Certificate** (button) — main content area

7. In the Request Certificate panel, configure certificate details such as common name, validity period, SAN extensions, and submit
   - Element: **Submit** (button) — Request Certificate panel
   - Notes: Private CA certificates are issued immediately; compliance CA certificates require backend review.

8. On the Certificate List page, find the issued certificate and click **Download** in the operating column
   - Element: **Download** (button) — main content area
   - Notes: If the certificate uses SM2 algorithm with USBKey, it cannot be downloaded.

9. In the Download dialog box, select the desired format and confirm download
   - Element: **Confirm** (button) — Download dialog box

10. Install the server certificate on application servers and client certificate on client browsers
    - Element: **Deploy SSL certificates** (link) — main content area
    - Notes: For SM2 + USBKey certificates, use the Install button in the console to install directly onto the hardware USBKey.

11. On the Certificate List page, find the target certificate and click **Revoke** in the operating column
    - Element: **Revoke** (button) — main content area
    - Notes: Revoked certificates cannot be recovered. Proceed with caution.

12. In the confirmation dialog, click **Revoke** to confirm
    - Element: **Revoke** (button) — confirmation dialog
    - Notes: The certificate status changes to 'Revoked' immediately after confirmation.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Certificate Type | dropdown | Yes | Server Certificate, Client Certificate | Specifies whether the certificate is for a server or client. |
| Common Name | text | Yes | — | The common name of the private certificate subject. |
| Validity Period | number | Yes | — | The duration for which the certificate remains valid. Limited by purchased PCA service duration if less than one year. |
| Subject Alternative Name (SAN) | text | No | — | Additional domain names, IP addresses, email addresses, or URIs supported by the certificate. Up to 10 can be added. |
| Key Container | dropdown | Yes | Alibaba Cloud Managed, USBKey | Specifies where the private key is stored. USBKey supports only Windows systems. |
| Account ID / Login Account | text | No | — | Enter your Alibaba Cloud account ID for console login or system login account for business system access. |

### Manage SSL Certificate Lifecycle

**Navigation**: Console > Certificate Management Service > SSL Certificate Management

**Prerequisites**:
- Domain name ready for binding
- Valid contact information for certificate
- Business license if required for commercial certificate
- Server access for certificate deployment

1. Click on **Purchase Certificate** button
   - Element: **Purchase Certificate** (button) — top-right corner of the dashboard
   - Notes: Select certificate type based on business needs: single-domain, wildcard, or multi-domain.

2. Enter domain name or specify quantity
   - Element: **Domain Name Input Field** (text_input) — main content area
   - Notes: For personal test certificates, use the 'Buy Personal Test Certificate' option.

3. Select a certificate authority (CA) such as DigiCert, GlobalSign, or GeoTrust
   - Element: **Certificate Authority Dropdown** (dropdown) — form field section
   - Notes: Ensure the selected CA supports the desired certificate type.

4. Submit application with required details including domain name, verification method, contact info, and business license
   - Element: **Submit Application** (button) — bottom of form
   - Notes: Verification method options include DNS record, HTTP file upload, or email confirmation.

5. Complete domain ownership verification via DNS or file-based method
   - Element: **Verify Domain Ownership** (link) — verification section
   - Notes: Follow instructions provided by the CA to verify control over the domain.

6. Download issued certificate and deploy it to server
   - Element: **Download Certificate** (button) — certificate details page
   - Notes: Supports Apache, NGINX, and IIS servers. Use appropriate format (PEM, PFX, etc.).

7. Initiate renewal before expiration to avoid security alerts
   - Element: **Renew Certificate** (button) — certificate list page
   - Notes: Renewal is recommended at least 30 days before expiry.

8. Revoke certificate if no longer needed for security reasons
   - Element: **Revoke Certificate** (button) — certificate actions menu
   - Notes: Revoked certificates cannot be used for secure communication.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Domain Name | text | Yes | — | The domain name to be secured by the certificate. |
| Certificate Type | dropdown | Yes | Single-Domain, Wildcard, Multi-Domain | Choose the type of certificate based on your website's requirements. |
| Certificate Authority | dropdown | Yes | DigiCert, GlobalSign, GeoTrust | Select a trusted CA to issue the certificate. |
| Verification Method | radio | Yes | DNS Record, HTTP File Upload, Email Confirmation | Method used to prove ownership of the domain name. |
| Contact Information | text | Yes | — | Valid contact details for certificate holder. |
| Business License | file_upload | No | — | Required for commercial certificates; not needed for personal test certificates. |

## FAQ

Q: Where do I find the option to apply for a new certificate after purchase?
A: After purchasing a certificate, navigate to Console > Certificate Management > Certificates. Look for the 'Pending Application' area and click the 'Apply' button in the top-right corner of the Certificates tab.

Q: What happens if I leave the 'Quick Apply' option unchecked during certificate creation?
A: If 'Quick Apply' is not enabled, you must manually fill in the application details before submitting to the CA for review. The certificate will remain in 'Pending Application' status until you complete and submit the application form.

Q: Can I modify certificate details after submission but before CA approval?
A: Yes, you can modify certificate details before CA approval. Navigate to the certificate in 'Pending Submission' or 'Under Review' status, click the 'More' icon in the Actions column, and select 'Modify' to update the application information.

Q: What permissions do I need to deploy certificates to cloud products?
A: You need appropriate RAM permissions to deploy certificates to cloud products. Specifically, you need permissions for both the Certificate Management Service (to access the certificate) and the target cloud service (such as SLB, CDN, or ECS) to perform the deployment operation.

Q: How do I handle domain ownership verification for domains registered with third-party DNS providers?
A: For domains using third-party DNS providers, you must manually add DNS records (TXT or CNAME) in your DNS provider's console. In the Certificate Management Service, select 'Manual DNS verification' as your verification method, copy the required record values, and add them to your DNS provider's management interface.

## Pricing & Billing

### Billing Model
per_request

### Unit Price
| Tier | Input Price | Output Price | Other Price |
|------|-------------|--------------|-------------|
| DV Certificate | 0.01 / | — | — |
| OV Certificate | 0.05 / | — | — |
| EV Certificate | 0.10 / | — | — |
| Standard Certificate | 0.5 / | — | — |
| Extended Validation (EV) Certificate | 10 / | — | — |
| Commercial SSL Certificate | 0.002 /tokens | 0.002 /tokens | — |
| Personal Test Certificate (Free Edition) | — | — | — |
| Personal Test Certificate (Pro) | 0.01 / | — | — |
| HTTPS Acceleration Gateway | 0.02 / | — | — |
| private_ca | 0.01 / | — | — |
| compliance_ca | 0.02 / | — | — |
| Message reminder resource | 0.01 / | — | — |
| standard | 0.05 / | — | — |
| compliance_certificate | 0.5 / | — | — |

### Free Tier
- Free SSL certificates available for testing via individual test certificate application
- Personal test certificate (Free Edition) is free
- Free, limited to 20 certificates per year

### Quota Limits
- Up to 100 certificates per account per month in free tier
- 100 QPS
- Quota limits: 100 certificates per month for free tier users

### Billing Notes
- EV certificates require additional manual verification steps and incur higher fees
- Certificates are charged per issuance. Free DV certificates are subject to usage limits and may require renewal after expiration.
- Certificate renewal is charged per renewal cycle; no additional fees for issuance if approved.
- Billing occurs when the certificate combination process is completed successfully.
- Certificates issued by CAs have a maximum validity of 397 days. Multi-year subscriptions are available but billed per year.
- Certificate hosting is only available for commercial certificates and not for personal test or uploaded certificates.
- Refunds available within 7 days of purchase only if no service has been used. Once any part of a service package is used, it becomes non-refundable.