# cas-network

Part of **CAS**

<!-- intent-backlink:auto -->

> 💡 **Path Selection**: This skill is one implementation path for the following routing skills. If you're unsure which path to take, check the corresponding routing skill:
>
> - [Deploy SSL certificate to servers or cloud resources](../../intent/cas-deploy-certificate/SKILL.md)
> - [Troubleshoot SSL/TLS certificate issues](../../intent/cas-troubleshoot-issues/SKILL.md)

# Certificate Management Service Network Security Console Guide

## Operations Overview

| Operation | Console Navigation Path | Prerequisites | Description |
|-----------|------------------------|---------------|-------------|
| Install Root Certificate on macOS | Launchpad > Keychain Access | Root or intermediate certificate file | Install root certificates using macOS Keychain Access utility |
| Verify SSL Certificate Deployment | Browser address bar | Domain with deployed SSL certificate | Check if SSL certificates work properly by accessing https://domain |
| Enable One-Click HTTPS | Console > Certificate Management Service > SSL Certificates | SSL certificate uploaded, web app accessible via HTTP | Enable one-click HTTPS functionality for certificates |
| Configure TLS Version | Multiple paths (Anti-DDoS Proxy, WAF, SLB, CDN, DCDN) | Certificate uploaded, region selected | Set minimum TLS protocol version for secure connections |
| Configure SSL Certificate for Apple ATS | Console > Certificate Management Service > Certificates | Valid OV/EV certificate from supported CA | Configure certificates to meet Apple App Transport Security requirements |
| Purchase HTTPS Acceleration Gateway | Console > Certificate Management Service > HTTPS Acceleration Gateway | Valid Alibaba Cloud account | Buy an HTTPS acceleration gateway instance and GRCQ quota |
| Enable HTTPS Acceleration Gateway | Console > Certificate Management Service > HTTPS Acceleration Gateway > Add Domain | HTTPS acceleration gateway purchased | Configure domain, origin server, and CNAME record for HTTPS acceleration |
| Enable Auto-renewal for GRCQ Quota | Console > Certificate Management Service > HTTPS Acceleration Gateway > Settings | HTTPS acceleration gateway enabled | Set up automatic renewal for Gateway Resource Computing Quota |
| Configure One-way TLS Authentication | Console > Certificate Management Service > Private CA > Root CA | Server certificate from Private CA service | Set up one-way TLS authentication on EMQX servers using PCA certificates |
| Configure Mutual TLS Authentication | Console > Certificate Management Service > Private CA | Client and server certificates from PCA | Set up mutual TLS authentication on EMQX using PCA certificates |
| Configure mTLS Authentication | Console > Certificate Management > PCA Certificate Management | PCA service purchased, certificates issued | Set up mutual TLS on Nginx with PCA certificates |
| Install SSL Certificate | Multiple paths depending on target (RDS, Web servers) | Valid SSL certificate, server access | Deploy SSL certificates to various platforms including RDS, Apache, Nginx, IIS, etc. |
| Enable HTTPS Access | Console > Certificate Management Service > Certificates | Cloud virtual host instance created | Turn on HTTPS encryption for cloud virtual hosts |
| Configure DNS CNAME for HTTPS Proxy | Cloud DNS Console > Domain Resolution > Resolve Settings | Domain added to HTTPS proxy service | Modify DNS records to point to SSL certificate service CNAME address |
| Whitelist Origin IP Addresses | Console > Certificate Management Service > Website Proxy HTTPS > Statistics | HTTPS proxy service enabled, security software installed | Add back-to-origin IP ranges to security software whitelist |
| Add Domain to SSL Proxy | Console > SSL Certificate Service > Website Proxy HTTPS > Add Domain | Website Proxy HTTPS instance purchased | Register domains with SSL proxy services and complete configuration |
| View SSL Certificate Status | Console > Network Security > Asset Center | Network security authorization completed | Check SSL certificate status for website assets |
| Install SSL Certificate on Tomcat | Console > Digital Certificate Management Service > Certificates > Download > Tomcat | CentOS OS, Tomcat 8.5/9, JDK installed | Deploy SSL certificates to Tomcat on CentOS |
| Install SSL Certificate on Apache2 | Console > Digital Certificate Management Service > Certificates > Download > Apache | Ubuntu OS, Apache2 installed | Deploy SSL certificates to Apache2 on Ubuntu |
| Configure HTTPS Acceleration | Console > Certificate Management Service > HTTPS Acceleration Gateway | SSL certificate uploaded, domain verified | Set up and manage HTTPS acceleration gateway services |
| Configure Mutual Authentication | Console > SLB > ALB > [Instance] > Listeners | Server certificate, CA certificate, ALB instance | Set up mutual authentication on HTTPS listeners |
| Enable Domain Monitoring | Console > Security & Compliance > Certificate Management Service > Website Security | Publicly accessible domain with HTTPS | Purchase and enable public domain name monitoring services |

## Step-by-Step Instructions

### Install Root Certificate on macOS

**Navigation**: Launchpad > Keychain Access

**Prerequisites**:
- You have a root certificate or an intermediate certificate.
- To download a root certificate from Alibaba Cloud, see Download a root certificate.

1. Open the macOS Launchpad.
   - Element: **Launchpad** (link) — desktop dock

2. In the Launchpad search box, enter Keychain Access and click Keychain Access.
   - Element: **Keychain Access** (link) — search results in Launchpad

3. On the Keychain Access page, click the Certificates tab.
   - Element: **Certificates** (tab) — top of Keychain Access window

4. Drag and drop the downloaded root certificate into a blank area on the Certificates tab in Keychain Access.
   - Notes: macOS will automatically check if the root certificate is valid.

5. Right-click the target root certificate and click Get Info.
   - Element: **Get Info** (menu) — context menu after right-clicking certificate

6. On the Certificate Details page, select Always Trust and click the icon.
   - Element: **Always Trust** (checkbox) — Certificate Details dialog
   - Notes: The icon is represented as an image in the document.

### Verify SSL Certificate Deployment

**Navigation**: Browser address bar

1. Enter https:// followed by the domain name bound to your digital certificate in the browser's address bar.
   - Element: (text_input) — address bar

2. Press Enter to load the web page.
   - Element: (button) — keyboard
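Loading `https://domain` in a browser only shows the end result. The following added example (not part of the original guide) performs the same verified handshake a browser does and then checks the two things that most often break a deployment: whether a SAN entry actually covers the host name and how many days remain before `notAfter`. `SAMPLE_CERT` is a constructed dictionary in the shape `SSLSocket.getpeercert()` returns, with placeholder names; `fetch_peer_cert` needs network access, the checking functions do not.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by SSLSocket.getpeercert(); it is
# not a real certificate and all names are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}


def utc(year, month, day):
    """Build a UTC timestamp (used to make expiry checks reproducible)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def san_dns_names(cert):
    """Return the DNS entries of the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(pattern, hostname):
    # Exact match (case-insensitive), or a wildcard that replaces exactly the
    # leftmost label: "*.example.com" covers "www.example.com" but neither
    # "a.b.example.com" nor the bare "example.com".
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False


def hostname_matches(cert, hostname):
    """True if a SAN DNS name covers hostname; the subject CN is deliberately ignored."""
    return any(_name_matches(name, hostname) for name in san_dns_names(cert))


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Do a normally verified handshake (as a browser would) and return the leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_deployment(cert, hostname, warn_days=30, now=None):
    """Summarise whether a retrieved certificate is usable for hostname."""
    days = days_until_expiry(cert, now)
    return {
        "hostname_ok": hostname_matches(cert, hostname),
        "days_left": days,
        "expired": days < 0,
        "renew_soon": 0 <= days < warn_days,
        "san": san_dns_names(cert),
    }


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    print(check_deployment(fetch_peer_cert(host), host))
```

If `fetch_peer_cert` raises `ssl.SSLCertVerificationError`, the chain is the problem (missing intermediate, untrusted CA, or expired certificate), which is exactly the case the browser shows as a warning page rather than a padlock.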

### Enable One-Click HTTPS

**Navigation**: Console > Certificate Management Service > SSL Certificates > Enable One-Click HTTPS

**Prerequisites**:
- SSL certificate already uploaded to Certificate Management Service
- Web application deployed and accessible via HTTP
- Access to origin server configuration files

1. Navigate to the SSL Certificates page in the Certificate Management Service console.
   - Element: **SSL Certificates** (link) — left navigation panel

2. Select the target certificate and click Enable One-Click HTTPS.
   - Element: **Enable One-Click HTTPS** (button) — main content area
   - Notes: The button appears only if the certificate is active and properly configured.

### Configure TLS Version

**Navigation**: Multiple paths:
- Console > Anti-DDoS Proxy > Provisioning > Website Config
- Console > WAF 3.0 > Onboarding
- Console > SLB > Instances
- Console > CDN > Domain Names
- Console > DCDN > Domain Names

**Prerequisites**:
- Certificate must be uploaded or purchased
- Region must be selected correctly
- For CLB: only guaranteed-performance instances support TLS security policies
- For CDN/DCDN: HTTPS certificate must be configured before setting TLS versions

**Anti-DDoS Proxy**

1. Log on to the console.
   - Element: **Anti-DDoS Proxy console** (link) — top navigation bar

2. Select region.
   - Element: **Chinese Mainland** (radio) — top navigation bar

3. Navigate to Website Config.
   - Element: **Provisioning > Website Config** (menu) — left-side navigation pane

4. Edit target domain.
   - Element: **Edit** (button) — Actions column

5. Update TLS Security Settings.
   - Element: **Modify Website Configurations** (tab) — main content area

**WAF 3.0**

6. Log on to WAF console.
   - Element: **WAF 3.0 console** (link) — top navigation bar

7. Select resource group and region.
   - Element: **Resource Group and Region dropdown** (dropdown) — top navigation bar

8. Click Default SSL/TLS Settings.
   - Element: **Default SSL/TLS Settings** (button) — CNAME Record tab

9. Configure TLS Version.
   - Element: **TLS Version** (dropdown) — dialog box
   - Notes: Options: TLS 1.0 and Later, TLS 1.1 and Later, TLS 1.2 and Later, Support TLS 1.3

**SLB (CLB)**

10. Log on to SLB console.
    - Element: **Classic Load Balancer (CLB) console** (link) — top menu bar

11. Select region.
    - Element: **Region dropdown** (dropdown) — top menu bar

12. Click Configure Listener.
    - Element: **Configure Listener** (button) — Actions column

13. Set listener protocol to HTTPS.
    - Element: **Select Listener Protocol** (dropdown) — Protocol & Listener wizard page

14. Select a server certificate.
    - Element: **Certificate Management Service** (wizard page) — main content area

15. Modify Advanced Settings.
    - Element: **Modify** (button) — Advanced Settings section

16. Select a TLS Security Policy.
    - Element: **TLS Security Policy** (dropdown) — Advanced Settings dialog

**CDN**

17. Log on to CDN console.
    - Element: **CDN console** (link) — top navigation bar

18. Click Domain Names.
    - Element: **Domain Names** (menu) — left-side navigation pane

19. Click Manage for target domain.
    - Element: **Manage** (button) — Actions column

20. Click HTTPS in navigation pane.
    - Element: **HTTPS** (tab) — domain's navigation pane

21. Select TLS versions and cipher suite.
    - Element: **Configure TLS Cipher Suite and Version** (section) — main content area
    - Notes: Options include All Cipher Suite Groups (Default), Enhanced Cipher Suite, Custom Cipher Suite

**DCDN**

22. Log on to DCDN console.
    - Element: **DCDN console** (link) — top navigation bar

23. Click Domain Names.
    - Element: **Domain Names** (menu) — left-side navigation pane

24. Click Configure for target domain.
    - Element: **Configure** (button) — Actions column

25. Click HTTPS Settings.
    - Element: **HTTPS Settings** (tab) — left-side navigation tree

26. Select cipher suites and enable TLS versions.
    - Element: **Configure TLS Cipher Suite and Version** (section) — main content area
    - Notes: Options include All Cipher Suite Groups (Default), Enhanced Cipher Suite, Custom Cipher Suite

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| TLS Version | dropdown | No | TLS 1.0 and Later (Best Compatibility and Low Security), TLS 1.1 and Later (High Compatibility and High Security), TLS 1.2 and Later (High Compatibility and Best Security), Support TLS 1.3 | Select the minimum TLS version to accept connections from clients. |
| HTTPS Upload Type | dropdown | No | Upload an SSL certificate, Use existing certificate | Choose how to provide the SSL certificate for HTTPS traffic. |
| HTTPS Cipher Suite | dropdown | No | (Default) All Cipher Suites (High Compatibility and Low Security), Custom Cipher Suite (select it based on the protocol version; proceed with caution) | Select the cipher suites to enable for secure communication. |

### Configure SSL Certificate for Apple ATS

**Navigation**: Console > Certificate Management Service > Certificates > Configure Certificate

**Prerequisites**:
- A valid SSL/TLS certificate from a supported CA (e.g., GlobalSign, DigiCert, GeoTrust)
- Web server software version meeting minimum TLS 1.2 requirements
- Administrative access to the web server configuration

1. Navigate to the Certificate Management Service console.
   - Element: **Certificate Management Service** (link) — left navigation panel

2. Go to the Certificates page.
   - Element: **Certificates** (link) — top navigation bar

3. Select a certificate to configure.
   - Element: **Select** (button) — main content area
   - Notes: Ensure the selected certificate is OV or EV from a supported CA.

4. Click on 'Configure' to open the configuration panel.
   - Element: **Configure** (button) — action menu

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Certificate Authority | dropdown | Yes | GlobalSign, DigiCert, GeoTrust, CFCA (not recommended) | Choose a trusted CA that supports Apple ATS requirements. |
| Key Length | dropdown | Yes | 2048-bit RSA, 4096-bit RSA | Specifies the strength of the private key used in the certificate. |
| Hash Algorithm | dropdown | Yes | SHA-256, SHA-384, SHA-512 | Determines the cryptographic hash function used in the certificate signature. |
| TLS Protocol Version | checkbox | Yes | TLS 1.2, TLS 1.3 | Enables secure communication protocols required by Apple ATS. |
| Cipher Suites | text | Yes | — | Enter one or more ATS-compliant cipher suites separated by colons. |
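The two tables above (minimum TLS version and the ATS cipher-suite field) describe a policy without showing what it looks like on a server. The following added example, which is not code from the original guide or from Alibaba Cloud, builds that policy with Python's `ssl` module: a "TLS 1.2 and Later" context restricted to ECDHE cipher suites (the forward-secrecy requirement of Apple ATS), beside a compatibility context that leaves everything on, and an audit that lists which enabled suites an ATS-style policy would reject. The cipher string uses the same colon-separated OpenSSL syntax the console's Cipher Suites field expects; the exact suites reported depend on the local OpenSSL build.

```python
import ssl

# OpenSSL cipher string (colon-separated, the syntax the "Cipher Suites" field
# expects): ECDHE key exchange only, AEAD bulk ciphers, SHA-256/384 digests.
# TLS 1.3 suites are not selected by this string; OpenSSL enables them
# separately and they always use an ephemeral key exchange.
FORWARD_SECRECY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def server_context(minimum=ssl.TLSVersion.TLSv1_2, ciphers=FORWARD_SECRECY_CIPHERS):
    """Server-side context matching 'TLS 1.2 and Later' plus an ATS-style cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum  # ClientHellos below this version are rejected
    ctx.set_ciphers(ciphers)
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def compat_context():
    """Approximation of 'All Cipher Suites (High Compatibility and Low Security)':
    every suite the local OpenSSL still offers, and no version floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    return ctx


def audit(ctx):
    """Enabled suites an ATS-style policy rejects: key exchange other than ECDHE
    (OpenSSL reports TLS 1.3 suites as kx-any) or an MD5/SHA-1 MAC."""
    rejected = []
    for c in ctx.get_ciphers():
        forward_secret = c["kea"] in ("kx-ecdhe", "kx-any")
        weak_mac = c["digest"] in ("md5", "sha1")
        if not forward_secret or weak_mac:
            rejected.append(c["name"])
    return sorted(rejected)


def is_ats_compliant(ctx):
    """Protocol-level part of the ATS check. The certificate requirements
    (RSA >= 2048 bit or ECC >= 256 bit, SHA-256 signature) are checked on the
    certificate itself and are not covered here."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and not audit(ctx)


def describe(ctx):
    """Summarise a context's policy for display and checks."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "suites": [c["name"] for c in ctx.get_ciphers()],
        "rejected": audit(ctx),
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", server_context()), ("compat", compat_context())):
        info = describe(ctx)
        print(label, info["minimum_version"], "suites:", len(info["suites"]),
              "rejected:", info["rejected"])
```

Running the block prints a non-empty `rejected` list for the compatibility context (RSA key exchange and DHE suites have no ECDHE forward secrecy) and an empty one for the hardened context, which is the difference the console's "Low Security" and "Best Security" labels refer to.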

### Purchase HTTPS Acceleration Gateway

**Navigation**: Console > Certificate Management Service > HTTPS Acceleration Gateway

**Prerequisites**:
- A valid Alibaba Cloud account
- Access to the Certificate Management Service console
- Understanding of domain types and restrictions

1. Click the 'Buy Now' button on the HTTPS acceleration gateway tab.
   - Element: **Buy Now** (button) — top-right corner of the tab

2. Configure parameters in the purchase panel and click 'Buy Now'.
   - Element: **Buy Now** (button) — bottom of the purchase panel

3. Navigate to the GRCQ section and click 'Buy Now'.
   - Element: **Buy Now** (button) — in the GRCQ remaining count section
   - Notes: Screenshot shows the GRCQ section with current usage and available options

4. Select specifications and purchase quantity, then click 'Buy Now'.
   - Element: **Buy Now** (button) — bottom of the purchase panel
   - Notes: Screenshot shows the purchase panel with specification options

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Edition | dropdown | Yes | Starter edition - single domain name, Basic edition - all domain types except restricted ones, Wildcard domain name support | Choose the edition that matches your website's domain type and requirements. |
| Number of domains | number | Yes | — | Enter the number of domain names to add. Valid values: 1 to 100,000 (China) or 99,999 (International). |
| Subscription duration | dropdown | Yes | 1 month, 3 months, 6 months, 1 year, 2 years, 3 years | Select the subscription period for the gateway instance. Maximum is 3 years. |
| Auto-renewal | checkbox | No | — | Enable to automatically renew the instance before expiration. If enabled, renewal duration matches original purchase. |
| Automatic repeat purchase | checkbox | No | — | Enable to automatically buy a new GRCQ resource pack when remaining GRCQ drops below 50%. |

### Enable HTTPS Acceleration Gateway

**Navigation**: Console > Certificate Management Service > HTTPS Acceleration Gateway > Add Domain

**Prerequisites**:
- You have purchased the HTTPS acceleration gateway service.
- You have a stable origin server.
- You have a domain name for HTTPS acceleration.

1. Find the target instance on the HTTPS acceleration gateway tab and click 'Add Domain' in the operation column.
   - Element: **Add Domain** (button) — main content area

2. Enter the domain name and configure parameters such as redirect HTTP to HTTPS and select an alert contact.
   - Element: **Domain** (text_input) — form fields
   - Notes: The domain must be 1-67 characters long, contain only lowercase letters, digits, and hyphens. Wildcard domains are supported up to third-level. Chinese domains must be converted to Punycode.

3. Set the origin server address, which can be an IP or domain name, and select port 80 or 443 based on protocol.
   - Element: **Origin server address** (text_input) — form fields
   - Notes: Origin server cannot be the same as the acceleration domain name to avoid resolution loops.

4. Click 'Verify Domain Ownership' in the operation column after adding the domain.
   - Element: **Verify** (button) — main content area

5. Complete domain ownership verification via automatic DNS record addition (if using Alibaba Cloud DNS) or manual TXT/CNAME record addition (if using third-party DNS).
   - Element: **Verify** (button) — wizard page
   - Notes: Verification takes 5–15 minutes. Use the provided host and record value from the console.

6. Get the assigned CNAME record from the HTTPS acceleration gateway page.
   - Element: **CNAME record** (text_input) — main content area
   - Notes: The CNAME record is displayed in the console after successful domain addition.

7. Log in to the DNS console and add a CNAME record with the correct hostname and value.
   - Element: **Add Record** (button) — DNS console
   - Notes: For root domains, use '@' as hostname; for wildcards, use '*'; for subdomains, use the prefix. TTL defaults to 10 minutes.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Domain | text | Yes | — | Enter the domain name for the HTTPS acceleration gateway. Must meet format requirements: 1–67 characters, only lowercase letters, digits, and hyphens. No consecutive hyphens or special characters. |
| Redirect HTTP to HTTPS | checkbox | No | — | If enabled, all HTTP requests from browsers are redirected to HTTPS. |
| Alert Contact | dropdown | No | Select an alert contact from the drop-down list, Create new contact | Select up to 10 contacts who will receive SSL certificate expiration and resource usage alerts via email and mobile. |
| Origin server address | text | Yes | — | The public IP address or domain name of your origin server. Cannot be the same as the acceleration domain name. |
| Port | dropdown | Yes | 80 (HTTP), 443 (HTTPS) | Select based on the protocol used by your origin server. Only standard ports 80 and 443 are supported. |

### Enable Auto-renewal for GRCQ Quota

**Navigation**: Console > Certificate Management Service > HTTPS Acceleration Gateway > Settings

**Prerequisites**:
- HTTPS acceleration gateway feature must be enabled
- User must have permissions to modify gateway settings

1. Navigate to the HTTPS Acceleration Gateway settings page.
   - Element: **Settings** (link) — left navigation panel

2. Toggle the auto-renewal switch to enable or disable automatic renewal of GRCQ quota.
   - Element: **Auto-renewal** (toggle) — main content area
   - Notes: The toggle is initially set to 'On' by default. Users can turn it off if they prefer manual control.

3. Adjust the GRCQ quota amount that will be automatically renewed.
   - Element: **Renewal Quota** (text_input) — main content area
   - Notes: Enter a value between 10 and 1000. The default is 100.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Auto-renewal | toggle | No | On, Off | Enables or disables automatic renewal of GRCQ quota when the current quota is insufficient. |
| Renewal Quota | number | Yes | — | Specifies the amount of GRCQ quota to renew automatically. Must be between 10 and 1000. |

### Configure One-way TLS Authentication

**Navigation**: Console > Certificate Management Service > Private CA > Root CA > Operations > View Details

**Prerequisites**:
- A server certificate from Alibaba Cloud Private CA service
- Access to the Alibaba Cloud Private CA console
- EMQX server with certificate directory at \emqx\etc\certs
- MQTT client software (e.g., mqttfx)

1. Find your target root CA in the Private CA tab.
   - Element: **Root CA** (tab) — top navigation panel

2. Click the View Details button in the HTTPS Operating column.
   - Element: **View Details** (button) — operations column

3. Copy the content of the root CA certificate.
   - Element: (text_input) — certificate detail panel
   - Notes: Paste into a local text file and save as cacert.pem

4. Find your target subordinate CA in the Private CA tab.
   - Element: **Subordinate CA** (tab) — top navigation panel

5. Click the Certificate List button in the HTTPS Operating column.
   - Element: **Certificate List** (button) — operations column

6. Find your target server certificate and click Download in the HTTPS Operating column.
   - Element: **Download** (button) — operations column

7. In the download dialog, select PEM format, include trust chain, and click Confirm Download.
   - Element: **Confirm Download** (button) — download dialog
   - Notes: Ensure PEM format is selected and trust chain is included

8. Rename the downloaded certificate file to cert.pem and private key file to key.pem.
   - Element: (text_input) — local file system
   - Notes: Unzip the package first, then rename files

9. Replace existing certificate files in \emqx\etc\certs with cert.pem, cacert.pem, and key.pem.
   - Element: (file_system) — EMQX certificate directory
   - Notes: Backup original files if needed

10. Open Windows PowerShell (Admin) and navigate to \emqx\bin.
    - Element: **Windows PowerShell (Admin)** (link) — right-click context menu

11. Run the command ./emqx start to start the EMQX server.
    - Element: (text_input) — PowerShell terminal

12. Open the MQTT client and click the settings icon.
    - Element: **Settings Icon** (icon) — top-right corner

13. Enter the broker address (domain name bound to the certificate).
    - Element: **Broker Address** (text_input) — connection settings

14. Select the CA certificate file (cacert.pem) for verification.
    - Element: **CA certificate file** (file_input) — security settings

15. Click Apply and OK to save configuration.
    - Element: **Apply** (button) — bottom of settings panel

16. Click Connect in the MQTT client.
    - Element: **Connect** (button) — main interface

17. Subscribe to the testtopic/# topic.
    - Element: **Subscribe** (button) — Subscribe tab

18. Open the EMQX dashboard at localhost:18083.
    - Element: (url_input) — browser address bar

19. Navigate to Tools > Websocket in the left-side navigation pane.
    - Element: **Tools > Websocket** (menu) — left navigation panel

20. Click Connect in the Websocket section.
    - Element: **Connect** (button) — Websocket section

21. Send a message in the Messages section.
    - Element: **Send** (button) — Messages section

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Broker Address | text | Yes | — | The domain name bound to the certificate used for connecting to the EMQX server |
| CA certificate file | file_input | Yes | — | The root CA certificate file (cacert.pem) saved in step 3, used by the client to verify the server's certificate |

### Configure Mutual TLS Authentication

**Navigation**: Console > Certificate Management Service > Private CA > View Private CA > Download Certificates

**Prerequisites**:
- Client and server certificates requested from Alibaba Cloud Private Certificate Authority
- EMQX server installed and accessible
- MQTT client tool (e.g., mqttfx) installed

1. Find the target root CA in the Private CA tab and click 'View Details' in the HTTPS Operations column.
   - Element: **View Details** (link) — HTTPS Operations column

2. Copy the root CA certificate content and save it as cacert.pem.
   - Element: **Copy** (button) — View Details panel

3. Find the target subordinate CA and click 'Certificate List' in the HTTPS Operations column.
   - Element: **Certificate List** (link) — HTTPS Operations column

4. Find the target server certificate and click 'Download' in the HTTPS Operations column.
   - Element: **Download** (link) — HTTPS Operations column

5. In the download dialog, set format to PEM, enable trust chain, and click 'Confirm Download'.
   - Element: **Confirm Download** (button) — Download dialog

6. Unzip the package and rename files to cert.pem and key.pem.
   - Element: (text_input) — local file system
   - Notes: Rename .pem file to cert.pem and .key file to key.pem

7. Repeat steps 3–5 for the client certificate.
   - Element: **Download** (link) — HTTPS Operations column

8. Unzip the client certificate package and rename files to client-cert.pem and client-key.pem.
   - Element: (text_input) — local file system
   - Notes: Rename .pem file to client-cert.pem and .key file to client-key.pem

9. Copy all certificate files to the EMQX certs directory at \emqx\etc\certs.
   - Element: (file_system) — EMQX certificate directory
   - Notes: Replace existing files

10. Open Windows PowerShell (Admin) and navigate to \emqx\bin.
    - Element: **Windows PowerShell (Admin)** (link) — Start menu

11. Run the command ./emqx start to start the EMQX service.
    - Element: **emqx start** (code) — PowerShell terminal

12. Open the MQTT client and click the settings icon.
    - Element: **Settings Icon** (icon) — top-left corner
    - Notes: Image shows a gear icon

13. Configure Self Signed Certificates with CA File, Client Certificate File, and Client Key File.
    - Element: **Self signed certificates** (tab) — Settings panel

14. Click Apply, then OK to save configuration.
    - Element: **Apply** (button) — bottom of dialog

15. Click Connect in the MQTT client.
    - Element: **Connect** (button) — main interface

16. Subscribe to testtopic/# on the Subscribe tab.
    - Element: **Subscribe** (button) — Subscribe tab

17. Open EMQX Management Dashboard at localhost:18083.
    - Element: **localhost:18083** (text_input) — browser address bar

18. Navigate to Tools > Websocket in the left-side navigation pane.
    - Element: **Tools** (menu) — left-side navigation panel

19. Click Connect in the Websocket section.
    - Element: **Connect** (button) — Websocket section

20. Publish a message in the Publish section.
    - Element: **Publish** (button) — Publish section

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| CA File | text | Yes | — | Path to the root CA certificate file (cacert.pem) used to verify the server certificate |
| Client Certificate File | text | Yes | — | Path to the client certificate file (client-cert.pem) |
| Client Key File | text | Yes | — | Path to the client private key file (client-key.pem) |
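The one-way and mutual TLS procedures above (this section and the previous one) differ in a single policy decision: whether the broker demands a certificate from the client. The following added example, which is not EMQX's or mqttfx's code, models both sides with Python's `ssl` module so the difference is explicit. File names follow the steps above (cacert.pem, cert.pem, key.pem, client-cert.pem, client-key.pem); the broker host name is a placeholder and port 8883 is assumed as the TLS listener port. `probe_broker` needs a reachable broker; the policy functions run offline.

```python
import socket
import ssl

# File names follow the guide's steps; the broker host and port 8883 are
# assumptions used only for illustration.


def new_server_context():
    """Bare broker-side context with the version floor used throughout."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def new_client_context():
    """Bare client-side context: CERT_REQUIRED and check_hostname are on by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def peer_auth_policy(ctx, mutual):
    """Decide whether the broker demands a client certificate.

    One-way TLS: only the broker proves its identity, so the server side runs
    with CERT_NONE. Mutual TLS: the broker also requires a certificate that
    chains to the private CA, and CERT_REQUIRED aborts the handshake when the
    client presents none (the behaviour EMQX calls fail_if_no_peer_cert).
    """
    ctx.verify_mode = ssl.CERT_REQUIRED if mutual else ssl.CERT_NONE
    return ctx


def broker_context(mutual, certfile="cert.pem", keyfile="key.pem", cafile="cacert.pem"):
    """Broker-side context for the files placed in the EMQX certs directory."""
    ctx = new_server_context()
    ctx.load_cert_chain(certfile, keyfile)  # server certificate and its private key
    if mutual:
        ctx.load_verify_locations(cafile)   # trust anchor for client certificates
    return peer_auth_policy(ctx, mutual)


def client_context(cafile="cacert.pem", certfile=None, keyfile=None):
    """Client-side context matching the mqttfx settings: CA File always,
    Client Certificate File / Client Key File only for mutual TLS."""
    ctx = new_client_context()
    ctx.load_verify_locations(cafile)       # verify the broker against the private root CA
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # present client-cert.pem / client-key.pem
    return ctx


def describe(ctx):
    """Summarise the policy a context enforces, for checks and tests."""
    return {
        "requires_peer_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def probe_broker(hostname, ctx, port=8883):
    """Open a TLS connection to the broker and return the subject of its certificate.
    A handshake failure here reproduces what the MQTT client reports on Connect."""
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    # Placeholder host; replace with the domain name bound to the server certificate.
    ctx = client_context("cacert.pem", "client-cert.pem", "client-key.pem")
    print(probe_broker("broker.example.com", ctx))
```

The `server_hostname` argument matters: the client verifies that the broker certificate's SAN covers the address entered as Broker Address, so connecting by IP to a certificate issued for a domain name fails even when the CA file is correct.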

### Configure mTLS Authentication

**Navigation**: Console > Certificate Management > PCA Certificate Management

**Prerequisites**:
- PCA service is purchased and enabled
- Client certificate and server certificate have been issued from the private CA

1. Navigate to PCA Certificate Management in the console.
   - Element: **Certificate Management** (menu) — left navigation panel

2. Click Details for the root CA.
   - Element: **Details** (button) — bottom of the Details panel

3. Copy the root CA certificate content and save it as caroot.crt.
   - Element: **Copy** (button) — bottom of the Details panel

4. Go to the Certificate List page for the subordinate CA.
   - Element: **Certificate List** (button) — top of the page

5. Click Download and select certificate format to download server and client certificates.
   - Element: **Download** (button) — top of the page

6. Open Google Chrome Settings and navigate to Manage certificates.
   - Element: **Settings** (link) — top-right corner

7. Click Privacy and security > Security > Manage certificates.
   - Element: **Privacy and security** (menu) — left navigation panel

8. Import the root CA certificate into Trusted Root Certification Authorities.
   - Element: **Import** (button) — Trusted Root Certification Authorities tab

9. Import the client certificate (PFX) into Personal tab and enter password.
   - Element: **Import** (button) — Personal tab

### Install SSL Certificate

**Navigation**: Multiple paths depending on target platform

**Prerequisites**:
- Varies by platform (see individual operations)

*Note: This operation covers multiple installation scenarios. See specific operations below for detailed steps.*

### Enable HTTPS Access

**Navigation**: Console > Certificate Management Service > Certificates > Bind to Cloud Virtual Host

**Prerequisites**:
- Already created cloud virtual host instance
- SSL/TLS certificate issued or uploaded in Certificate Management Service

1. Enter the Certificate Management Service console.
   - Element: **Certificate Management Service** (link) — left navigation bar

2. Find the certificate to bind in the certificate list.
   - Element: **Certificate List** (tab) — main content area

3. Click the "Bind" button on the right side of the certificate.
   - Element: **Bind** (button) — operation column
   - Notes: This button is only visible when the certificate status is "Issued"

4. Select the target cloud virtual host in the pop-up binding window.
   - Element: **Select Cloud Virtual Host** (dropdown) — binding dialog
   - Notes: Can select one or multiple cloud virtual host instances from the dropdown menu

5. Click confirm to complete binding.
   - Element: **OK** (button) — bottom of dialog

### Configure DNS CNAME for HTTPS Proxy

**Navigation**: Cloud DNS Console > Domain Resolution > Resolve Settings

**Prerequisites**:
- Domain added to HTTPS proxy service
- Obtained SSL certificate service CNAME address

1. Log in to Cloud DNS console.
   - Element: **Cloud DNS Console** (link) — browser address bar or navigation entry

2. Locate the target domain on the domain resolution page, and click Resolve Settings in the operation column.
   - Element: **Resolve Settings** (link) — operation column

3. On the resolve settings page, locate the host record (record type A or CNAME), and click Modify in the operation column.
   - Element: **Modify** (link) — operation column

4. In the modify record panel, set the record type to CNAME and enter the CNAME address provided by the SSL certificate service.
   - Element: **Record Type** (dropdown) — modify record panel
   - Notes: Different record types for the same host record conflict with each other. Before changing the type you may need to delete the conflicting records (such as A or TXT records) first.

5. Click the confirm button to submit the modification.
   - Element: **OK** (button) — bottom of modify record panel
   - Notes: After the change, the record status should show Normal. You can verify that the record has taken effect with the ping command; wait about 10 minutes before retrying.

6. Verify the domain access status.
   - Element: **Access Status** (text_input) — Website Proxy HTTPS page
   - Notes: When the access status changes to Normal, the domain has been connected to the HTTPS proxy service successfully.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Record Type | dropdown | Yes | A, CNAME, MX, TXT | Specifies the DNS record type; CNAME must be selected here |
| Record Value | text_input | Yes | — | The CNAME address provided by the SSL certificate service, which points the domain to the HTTPS proxy instance |

### Whitelist Origin IP Addresses

**Navigation**: Console > Certificate Management Service > Website Proxy HTTPS > Statistics

**Prerequisites**:
- HTTPS proxy service enabled
- Security software installed on origin server (e.g., SafeDog, YunSuo)

1. On the Website Proxy HTTPS page, click the Statistics tab.
   - Element: **Statistics** (tab) — top of page

2. Locate the Help section at the bottom of the page to look up the back-to-origin IP address ranges of the Website Proxy HTTPS service.
   - Element: **Help** (section) — bottom of page
   - Notes: Different security software uses different whitelist setup methods; refer to the operation guide of the specific security software.

3. Add the back-to-origin IP address ranges to the whitelist of the security software used on the origin server.
   - Notes: Complete the setup according to the operation instructions of the specific security software in use.

### Add Domain to SSL Proxy

**Navigation**: Console > SSL Certificate Service > Website Proxy HTTPS > Add Domain

**Prerequisites**:
- Website Proxy HTTPS instance purchased

1. On the Website Proxy HTTPS tab, locate the instance to use (its certificate status is Not Applied) and click Add Domain in the operation column.
   - Element: **Add Domain** (button) — operation column

2. In the Add Domain panel, fill in domain information including certificate binding domain, domain verification method, contact, location, CSR generation method and CSR file content, then click Next.
   - Element: **Next** (button) — bottom of Add Domain panel
   - Notes: If the domain is managed in the Alibaba Cloud Domain Service console, automatic DNS verification is selected automatically; otherwise only manual DNS verification is supported.

3. Complete domain ownership verification as prompted for the selected verification method, then click Verify.
   - Element: **Verify** (button) — Add Domain panel
   - Notes: For manual DNS verification, log in to your domain management console and add a TXT-type DNS record.

4. After the domain is verified, click Submit Review, then click Confirm in the prompt dialog that appears.
   - Element: **Confirm** (button) — prompt dialog
   - Notes: The CA will review the certificate application; keep the contact phone reachable and check the mailbox for review emails promptly.

5. Wait for the CA to complete the review and issue the certificate.
   - Notes: After issuance the certificate status changes to Normal, but the HTTPS proxy is not yet in effect.

6. On the Website Proxy HTTPS tab, locate the instance whose certificate status is Normal and whose CNAME value is empty, then click Add Domain in the operation column.
   - Element: **Add Domain** (button) — operation column
   - Notes: If the CNAME value is not empty, back-to-origin is already configured and this step can be skipped.

7. In the Add Domain panel, complete the back-to-origin configuration: origin address, Force HTTPS Access, and TLS/SSL Offload.
   - Element: **Confirm** (button) — bottom of Add Domain panel
   - Notes: The origin address can be up to 3 IPv4 addresses or a single domain name; IP addresses or CNAMEs provided by security protection products are not supported.

8. After clicking Confirm, view the generated CNAME address on the Website Proxy HTTPS tab.
   - Element: **CNAME** (text_input) — Website Proxy HTTPS page
   - Notes: At this point the access status is Abnormal; you must manually modify the DNS record.

9. Log in to the Cloud DNS console, locate the target domain on the domain resolution page, and click Resolve Settings in the operation column.
   - Element: **Resolve Settings** (link) — operation column
   - Notes: If the domain is not hosted on Alibaba Cloud DNS, perform the equivalent operation in your DNS provider's system.

10. On the resolve settings page, locate the host record (A or CNAME type) and click Modify in the operation column.
    - Element: **Modify** (link) — operation column
    - Notes: Different record types conflict with each other; delete conflicting records before modifying.

11. In the modify record panel, set the record type to CNAME and enter the CNAME address obtained from Website Proxy HTTPS as the record value.
    - Element: **Confirm** (button) — bottom of modify record panel
    - Notes: It is recommended to delete any conflicting existing A or TXT records first.

12. After clicking Confirm, wait for the record to take effect and use the ping command to verify that the domain resolves to the CNAME address.
    - Element: **Confirm** (button) — bottom of modify record panel
    - Notes: DNS propagation may take up to 10 minutes; if verification fails, wait and retry.

13. Verify the domain access status and confirm that it changes to Normal.
    - Element: **Access Status** (text_input) — Website Proxy HTTPS page
    - Notes: Once the access status is Normal, website requests are forwarded to the proxy instance and, after the HTTPS redirect, reach the origin server.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Certificate Binding Domain | text | Yes | — | Fill in website domain for certificate application. |
| Domain Verification Method | dropdown | Yes | Automatic DNS Verification, Manual DNS Verification | Select method to verify domain holder identity. If domain is in Alibaba Cloud Domain Service console, automatic DNS verification is automatically selected. |
| Contact | text | Yes | — | Fill in contact information for receiving CA center review emails. |
| Location | dropdown | Yes | — | Select certificate application region. |
| CSR Generation Method | dropdown | Yes | — | Select CSR (Certificate Signing Request) generation method. |
| CSR File Content | text | No | — | Manually input CSR file content for certificate application. |
| Origin Address | text | Yes | — | Fill in origin server IP address (up to 3, comma separated) or domain (only 1). |
| Force HTTPS Access | toggle | No | On, Off | On by default; all HTTP requests from browsers are redirected to HTTPS with a 301. |
| TLS/SSL Offload | toggle | No | On, Off | On by default; the Alibaba Cloud proxy accesses the origin over HTTP. When off, it uses the same protocol as the client. |

### View SSL Certificate Status

**Navigation**: Console > Network Security > Asset Center

**Prerequisites**:
- Network security usage authorization completed

1. Open the Asset Center page in the Network Security console.
   - Element: **Asset Center** (link) — left navigation bar

2. View the SSL certificate status of all website assets in the website list.
   - Element: **Expand Icon** (button) — left of website domain
   - Notes: Click this icon to expand the website and view the subdomains it includes

3. Perform corresponding actions based on certificate status.
   - Element: **Expiration Time** (text_input) — website information area (illustration ①)
   - Notes: If the certificate is about to expire, timely renewal is recommended

4. Enable HTTPS or purchase certificate for websites without deployed SSL certificates.
   - Element: **Enable HTTPS** (button) — website operation area (illustration ②)
   - Notes: Clicking opens the panel for purchasing a certificate instance

5. Purchase certificate for websites without deployed SSL certificates.
   - Element: **Purchase Certificate** (button) — website operation area (illustration ②)
   - Notes: Clicking opens the panel for purchasing a certificate instance

### Install SSL Certificate on Tomcat

**Navigation**: Console > Digital Certificate Management Service > Certificate List > Select Certificate > Download > Tomcat

**Prerequisites**:
- Operating System: CentOS
- Web Server: Tomcat 8.5 or 9
- JDK environment variables installed
- Domain name filing completed
- Security group and firewall opened port 443

1. Click More in the row of the target certificate to open the certificate details page.
   - Element: **More** (link) — certificate list page

2. On the Download tab, download the certificate in Tomcat format.
   - Element: **Tomcat** (dropdown) — Download tab

3. Log in to the Linux server and upload the certificate files to the Tomcat conf directory.
   - Element: (text_input) — command line terminal
   - Notes: Use scp or sftp to upload the files

4. Use vim to edit the server.xml file.
   - Element: **vim ./conf/server.xml** (text_input) — command line terminal
   - Notes: Requires sudo permissions

5. Change the Connector port to 443 and configure the certificate path and password in SSLHostConfig.
   - Element: (form_field) — server.xml file content
   - Notes: Remove the comment markers `<!--` and `-->` around the HTTPS Connector block

6. Optional: add a security-constraint configuration to web.xml so that HTTP requests are automatically redirected to HTTPS.
   - Element: **web.xml** (text_input) — command line terminal
   - Notes: Add the security-constraint element inside the `<web-app>` element

7. Run shutdown.sh to stop the Tomcat service, then run startup.sh to start it again.
   - Element: **shutdown.sh** (button) — bin directory
   - Notes: Ensure the service has fully stopped before starting it again
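
The server.xml and web.xml changes that steps 5 and 6 describe, as an added worked example in Tomcat 8.5/9 syntax (not taken from the original page or from Alibaba Cloud's own documentation). The file name `example.com.pfx`, the password placeholder and the plain-HTTP port 8080 are assumptions; substitute the PFX file and password from the downloaded Tomcat certificate package.

```xml
<!-- conf/server.xml: the plain HTTP connector. redirectPort must point at the
     HTTPS port (443), because the web.xml security constraint below redirects
     HTTP requests to whatever port is configured here (Tomcat ships 8443). -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- conf/server.xml: the HTTPS connector. Uncomment the shipped block and edit it.
     certificateKeystoreFile is resolved relative to $CATALINA_BASE, so the
     file uploaded to the conf directory is referenced as conf/<name>.pfx.
     example.com.pfx and the password value are placeholders (assumptions). -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <!-- Offer only TLS 1.2 and 1.3 (1.3 is used when the JDK supports it);
         honorCipherOrder lets the server, not the client, pick the cipher. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                   honorCipherOrder="true">
        <Certificate certificateKeystoreFile="conf/example.com.pfx"
                     certificateKeystorePassword="REPLACE_WITH_PFX_PASSWORD"
                     certificateKeystoreType="PKCS12"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- WEB-INF/web.xml of the application (or conf/web.xml to cover every
     application), placed inside <web-app>. transport-guarantee CONFIDENTIAL
     makes Tomcat answer any plain-HTTP request to the matched URLs with a
     redirect to https://<host>:<redirectPort>/<same path>. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

After restarting Tomcat, a request to `http://<host>:8080/` should return a 302 to `https://<host>/`; if the redirect goes to port 8443 instead, the redirectPort on the HTTP connector was not changed.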

### Install SSL Certificate on Apache2

**Navigation**: Console > Digital Certificate Management Service > Certificate List > Select Certificate > Download > Select Apache Format

**Prerequisites**:
- Ubuntu operating system
- Apache2 Web server installed
- Valid SSL certificate (including public key, private key and certificate chain)
- Server SSH login permissions
- Ensure port 443 is open in security group and firewall

1. On certificate list page, click "More" operation button for target certificate.
   - Element: **More** (button) — right operation bar of certificate list row

2. After entering certificate details page, switch to "Download" tab.
   - Element: **Download** (tab) — top navigation of certificate details page

3. In download options, select "Apache" format and download certificate package.
   - Element: **Apache** (radio) — download format selection area
   - Notes: Make sure to download the Apache-format certificate package, which contains the .crt, .chain.crt and .key files

### Configure HTTPS Acceleration

**Navigation**: Console > Certificate Management Service > HTTPS Acceleration Gateway > Create or Configure Gateway

**Prerequisites**:
- SSL certificate uploaded to Certificate Management Service
- Domain name already registered and verified
- Basic understanding of HTTPS and CDN concepts

1. Navigate to the HTTPS Acceleration Gateway page in the Certificate Management Service console.
   - Element: **HTTPS Acceleration Gateway** (link) — left navigation panel

2. Click the 'Create Gateway' button to start the setup wizard.
   - Element: **Create Gateway** (button) — top-right corner
   - Notes: The button is only visible if you have the required permissions.

3. Select the domain name from the dropdown list.
   - Element: **Domain Name** (dropdown) — main content area
   - Notes: The domain must be associated with a valid SSL certificate in the service.

4. Upload or select an existing SSL certificate for the gateway.
   - Element: **SSL Certificate** (dropdown) — form fields section
   - Notes: If no certificate is available, click 'Upload Certificate' to add one.

5. Configure the acceleration settings such as caching policy and security rules.
   - Element: **Acceleration Settings** (tab) — main content area
   - Notes: This step includes setting up HTTP/2 support and TLS version preferences.

6. Review the configuration summary and click 'Confirm' to deploy the gateway.
   - Element: **Confirm** (button) — bottom of the form
   - Notes: Deployment may take up to 2 minutes. A success message will appear upon completion.

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Domain Name | dropdown | Yes | — | The domain name that will be accelerated via HTTPS. |
| SSL Certificate | dropdown | Yes | — | Choose an SSL certificate from your certificate library to secure the connection. |
| Caching Policy | dropdown | No | Default, No Cache, Custom TTL | Set how long content should be cached at edge locations. |
| HTTP/2 Support | toggle | No | — | Enable or disable HTTP/2 protocol for improved performance. |

### Configure Mutual Authentication

**Navigation**: Console > SLB > ALB > [ALB Instance] > Listeners > Add Listener

**Prerequisites**:
- A server certificate has been purchased or uploaded to Certificate Management Service
- An intermediate CA certificate is purchased or a self-signed root CA certificate is uploaded to Certificate Management Service
- A VPC (VPC1) and two ECS instances (ECS01, ECS02) are created with NGINX configured for HTTPS services
- A standard or WAF-enabled ALB instance is created
- A server group with ECS01 and ECS02 as backend servers is created

1. Choose the region where your ALB instance is located.
   - Element: **Region dropdown** (dropdown) — top navigation bar

2. Click the ID of your ALB instance.
   - Element: **[ALB Instance] ID** (link) — ALB instance list

3. Click the Listeners tab and then click Add Listener.
   - Element: **Add Listener** (button) — instance details page

4. Set Protocol to HTTPS and Port to 443.
   - Element: **HTTPS** (radio) — Listener configuration step

5. Select the purchased server certificate.
   - Element: **Server Certificate** (dropdown) — Certificate configuration step

6. Turn on Client Certificate Verification and select a CA certificate source and CA certificate.
   - Element: **Client Certificate Verification** (checkbox) — Certificate configuration step
   - Notes: If using Alibaba Cloud-issued CA, select from the drop-down; if using self-signed CA, upload it first

7. Select the created server group from the drop-down list.
   - Element: **Server Group** (dropdown) — Backend Server Configuration step

8. Confirm the configuration and click Next.
   - Element: **Next** (button) — Review step

9. Copy the DNS name of your ALB instance.
   - Element: **DNS Name** (text_input) — ALB instance details page

10. Go to Authoritative DNS Resolution and find your custom domain name.
    - Element: **DNS Settings** (link) — Domain list page
    - Notes: For non-Alibaba Cloud domains, add the domain first

11. Click Add DNS Record and configure a CNAME record.
    - Element: **Add DNS Record** (button) — DNS Settings page
    - Notes: Set Record Type to CNAME and Record Value to ALB instance DNS name

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Protocol | dropdown | Yes | HTTP, HTTPS, QUIC | The protocol used by the listener |
| Port | number | Yes | — | The port number for the listener |
| Server Certificate | dropdown | Yes | — | The SSL certificate used by the server |
| Client Certificate Verification | checkbox | No | — | Enables mutual authentication by requiring client certificates |
| CA Certificate Source | dropdown | Yes | Alibaba Cloud Issued, Non-Alibaba Cloud Issued | Specifies whether the CA certificate is issued by Alibaba Cloud or another provider |
| CA Certificate | dropdown | Yes | — | The CA certificate used to verify client certificates |
| Record Type | dropdown | Yes | A, AAAA, CNAME, MX, TXT | The type of DNS record to create |
| Record Value | text | Yes | — | The value of the DNS record, typically the ALB instance DNS name |

### Enable Domain Monitoring

**Navigation**: Console > Security & Compliance > Certificate Management Service > Website Security > Public Domain Name Monitoring

**Prerequisites**:
- Domain name must be accessible over the public network
- Server must support HTTPS on the specified port
- Egress IP addresses of monitoring service must be whitelisted if access control is used
- Domain names ending with .id are not supported

1. Navigate to the Public Domain Name Monitoring page.
   - Element: **Public Domain Name Monitoring** (link) — left navigation panel

2. Click Buy Now in the Unavailable area.
   - Element: **Buy Now** (button) — top-right corner

3. Configure monitoring parameters on the purchase page.
   - Element: **Parameter configuration table** (text_input) — main content area
   - Notes: Select only 'Count' as the package type. Set monitoring frequency based on business needs. Specify number of domains to monitor (no wildcard domains allowed). Choose subscription period (default: 1 year).

4. Click Buy Now to complete payment.
   - Element: **Buy Now** (button) — bottom of purchase form

5. Click Open Monitoring after purchase.
   - Element: **Open Monitoring** (button) — top-right corner

6. Enter domain name(s) in the Add Site dialog box.
   - Element: **Add Site** (dialog) — center of screen
   - Notes: Enter single domain or multiple domains separated by commas. Use template upload for batch addition.

7. Select contacts for alert notifications.
   - Element: **Remind Contacts** (dropdown) — main content area
   - Notes: Up to three contacts can be selected. Create new contact if none exist.

8. Set HTTPS port (default: 443).
   - Element: **HTTPS Port** (text_input) — main content area
   - Notes: Ensure server provides HTTPS services on this port. Common misconfigurations include using port 80 or 8080.

9. Turn on the monitoring switch to start immediately.
   - Element: **Switch** (toggle) — main content area
   - Notes: After turning on, monitoring period begins and refund is no longer eligible.

10. View monitoring report for a domain.
    - Element: **Details** (button) — Operate column
    - Notes: Click Details in the Operate column to view comprehensive monitoring information including certificate details, IP addresses, ATS compliance, and ownership history.

11. Download individual domain monitoring report.
    - Element: **Download Report** (button) — details page

12. Download monthly domain monitoring report.
    - Element: **Download Monthly Report** (button) — top of page

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Service Type | dropdown | Yes | Public Domain Monitoring | The service monitors HTTPS availability for public domain names, providing alerts for certificate issues and connection problems. |
| Package Type | radio | Yes | Count | Only Count package type is supported. Each quota monitors one single domain name. |
| Monitoring Frequency | dropdown | No | 1 hour, 30 minutes, 15 minutes, 5 minutes | Interval for scanning domain names. Higher frequency results in higher fees. |
| Number of Domains | number | Yes | — | Number of single domain names to monitor. Wildcard domains like *.example.com are not supported. |
| Subscription Period | dropdown | Yes | 1 year | Duration of monitoring service. Includes 365 monitoring days starting from first enablement. |
| Domain Name/IP Address | text | Yes | — | Single domain name or IP address to monitor. Multiple domains can be entered separated by commas. |
| Remind Contacts | checkbox | No | — | Contacts who will receive alert notifications. Up to three contacts can be selected. |
| HTTPS Port | number | No | — | Port number used by the domain's server for HTTPS. Default is 443. |
| Enable Monitoring | toggle | No | — | Turn on to start monitoring immediately after adding the domain. |

## FAQ

Q: Where can I find the option to enable one-click HTTPS for my certificate?
A: Navigate to Console > Certificate Management Service > SSL Certificates, then select your certificate and look for the "Enable One-Click HTTPS" button in the main content area. This button only appears if your certificate is active and properly configured.

Q: What happens if I leave the TLS version field empty when configuring security settings?
A: If you don't explicitly configure the TLS version, the system will use the default setting which is typically "TLS 1.0 and Later (Best Compatibility and Low Security)". For better security, it's recommended to select at least "TLS 1.2 and Later".

Q: Can I modify the domain binding for an SSL certificate after it has been issued?
A: No, you cannot modify the domain binding for an issued certificate. The domain names are cryptographically bound to the certificate during issuance. If you need to secure additional domains, you'll need to request a new certificate that includes all required domains.

Q: What permissions do I need to configure mutual TLS authentication on EMQX servers?
A: You need access to the Alibaba Cloud Private CA console to download certificates, administrative access to the EMQX server to replace certificate files in the \emqx\etc\certs directory, and permissions to restart the EMQX service.

Q: How do I verify that my SSL certificate deployment is working correctly?
A: Enter https:// followed by your domain name in a browser's address bar and press Enter. If the certificate is properly deployed, you should see a security lock icon in the address bar and the page should load without certificate warnings.

## Pricing & Billing

### Billing Model
Most certificate management operations are free, but some services like HTTPS acceleration gateway, domain monitoring, and commercial certificates follow a per-request billing model.

### Price Reference

| Service | Tier | Price |
|---------|------|-------|
| HTTPS Acceleration Gateway | Starter edition | 0.01 / |
| HTTPS Acceleration Gateway | Basic edition | 0.02 / |
| HTTPS Acceleration Gateway | Wildcard domain | 0.03 / |
| GRCQ quota | Standard | 0.001 / |
| Domain monitoring | Count | 0.01 / |
| Commercial certificates | DigiCert DV SSL | 0.002 /tokens |

### Free Tier
- RDS SSL certificates are provided free of charge with no additional fees
- Free SSL certificates available for basic use (up to 50-100 certificates per account depending on service)
- One-click HTTPS service is free of charge (up to 100 certificates per account)
- Monthly free quotas for various services (e.g., 500 free requests for GRCQ, 1000 free requests for HTTPS acceleration)

### Billing Notes
- GRCQ (Gateway Resource Computing Quota) is billed per request and outbound traffic
- Automatic repeat purchase ensures continuous service without interruption when GRCQ runs low
- Monitoring period starts on first enablement and continues without interruption until expiration
- Refund is not available once monitoring is enabled
- Certificate renewal and reissuance are free within the validity period for free-tier certificates