
Certificate Management Service: Enable HTTPS for a website by using a commercial SSL certificate

Last Updated: Aug 26, 2025

Commercial SSL certificates include various types and brands suitable for websites of different scales, such as e-commerce sites, small and large enterprises, and individual users. Commercial certificates also include wildcard, multi-domain, and hybrid certificates to meet different business requirements, such as protecting multiple subdomains or different domain names. This topic describes how to purchase, request, issue, and install a commercial certificate.

Process overview

Deploying a commercial SSL certificate on your server involves three steps:

  1. Purchase a commercial SSL certificate.

  2. Apply for an SSL certificate. You must fill in the certificate information and submit it for review before the certificate can be issued.

  3. Deploy the SSL certificate. After the certificate is issued, you can deploy it to your web server or a cloud product.

Prerequisites

  • If you plan to deploy an SSL Certificate on a website in the Chinese mainland, you must complete an ICP filing as required by the Ministry of Industry and Information Technology (MIIT). Otherwise, your website will be inaccessible. For more information, see What is ICP filing.

Step 1: Purchase a commercial SSL certificate

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.

  3. On the Official Certificate tab, click Buy Now to go to the purchase page. Select the certificate specifications as described in the following table. Then, click Buy Now and complete the payment.

    • Domain Name Type: Select Single Domain Name. This means one SSL certificate can be attached to one primary domain name, one subdomain, or one public IP address (IPv4). Examples: example.com, 1.1.X.X.

    • Brand: Select Alibaba Cloud. Alibaba Cloud is Alibaba Cloud's own SSL certificate brand. Alibaba Cloud brand certificates are more cost-effective than other brands.

    • Certificate Type: The default value is DV SSL, which is a domain validated certificate. It is suitable for personal websites, app services, informational websites, and test websites for enterprises or individuals.

    • Quantity: The default value is 1. You cannot increase this value. This means you are purchasing one certificate.

    • Service Period: Set the service period for the SSL certificate to 1 Year. This means the order includes one certificate that is valid for one year.

    Note

    For more information about the configurations for purchasing a commercial certificate, see Purchase a commercial certificate.

Step 2: Apply for an SSL certificate

  1. After you purchase the certificate, return to the Commercial Certificates tab. In the Actions column, click Apply For Certificate.


  2. In the Apply For Certificate panel, configure the parameters as described in the following table and click Submit For Review.

    • Domain Name To Bind: Enter your website's domain name. For example, example.com.

    • Domain Name Validation Method: Select a method to verify the identity of the domain name registrant.

      In this example, the domain name example.com is not resolved by the current account (it is resolved by a third party or another Alibaba Cloud account). Therefore, you can only select Manual DNS Validation or File Validation. After you submit the application for review, you must complete the domain validation as instructed on the page. Otherwise, the certificate cannot be issued.

      If the Alibaba Cloud DNS service for the domain name is under the same Alibaba Cloud account, Automatic DNS Verification is automatically selected. After you submit the application for review, the system automatically completes the domain validation. You do not need to perform any manual configurations. Simply wait for the certificate to be issued.

    • Contact: From the drop-down list, click Create Contact to create a contact for this certificate application. If you have already created a contact, you can select an existing one. Make sure the contact information is accurate and valid.

    • Location: Select your city or region.

    • Key Algorithm: Select RSA as the encryption algorithm for the SSL certificate.

      The RSA algorithm is a widely used asymmetric key encryption algorithm with good compatibility.

    • CSR Generation Method: Select System-generated. This means Certificate Service automatically generates a CSR file using the encryption algorithm you specified for Key Algorithm.

      A Certificate Signing Request (CSR) file is a request file for an SSL certificate. It contains server and organization information and must be submitted to a certificate authority (CA) for review.

    Note

    For more information about the parameter limits and configurations for applying for a certificate, see Apply for a certificate.

  3. Optional: If you selected Manual DNS Validation or File Validation as the domain ownership validation method, you can follow the on-screen instructions to complete the validation. For more information and examples of domain ownership validation, see Domain ownership validation.

    If you selected Automatic DNS Validation, you do not need to perform any extra operations. You can wait for the certificate to be issued. A DV certificate is typically issued in 1 to 15 minutes. After the certificate is issued, the status appears as shown in the following figure:

    [Figure: certificate status after issuance]

Step 3: Deploy the SSL certificate

Deploy the certificate to a web server

The following section uses Nginx 1.14.2 on a CentOS 8.0 64-bit operating system as an example. The deployment operations may vary depending on the operating system or web server version. If you have questions, contact your business manager for assistance. For information about how to deploy an SSL certificate to other web servers, such as Apache, Tomcat, and IIS, see Method 1: Log on to the server to deploy the certificate (supports international and Chinese SM-compliant SSL certificates).

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.

  3. On the Commercial Certificates tab, find the target certificate. In the Actions column, click More, and then select the Download tab.

  4. In the Actions column for Nginx Server Type, click Download.


  5. Decompress the downloaded SSL certificate package.

    The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.

    • RSA certificate: <Certificate ID_Domain name bound to the certificate>.pem and <Certificate ID_Domain name bound to the certificate>.key

    • SM2 certificate:

      • Signing certificate: <Domain name bound to the certificate>_sm2_sign.pem and <Domain name bound to the certificate>_sm2_sign.key

      • Encryption certificate: <Domain name bound to the certificate>_sm2_enc.pem and <Domain name bound to the certificate>_sm2_enc.key

    An SM certificate uses an algorithm that is developed and approved by the State Cryptography Administration of China and is used to implement HTTPS localization and ensure compliance during the use of SM algorithms. If you install only an SM certificate on your web application server, your website can be accessed only by browsers that support SM algorithms, such as the MeSince and Haitai browsers. In most cases, enterprises use both SM2 certificates and RSA certificates to ensure that their websites are compatible with various browsers.

    • CSR Generation Method: Automatic or Select Existing CSR

      1. Certificate file (PEM format): Nginx supports installing files in PEM format. A PEM certificate file is a Base64-encoded text file that includes the complete certificate chain. After decompression, the file is named Certificate ID_Domain Name to Bind.

      2. Private key file (KEY format): By default, it is named after the domain name to bind.

    • CSR Generation Method: Manual

      • If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set the CSR Generation parameter to Automatic.

      • If you specify a CSR that is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

  6. Log on to the server, go to the terminal, and run the following command to create a directory for certificates in the Nginx conf directory.

    # Go to the default Nginx configuration file directory. This is the default directory when Nginx is installed by compiling it manually. If you have modified the default installation directory or used another installation method, adjust the path as needed.
    cd /usr/local/nginx/conf
    # Create a certificate directory named cert.
    mkdir cert

  7. Upload the certificate file and the private key file to the certificate directory (/usr/local/nginx/conf/cert) on the Nginx server.

    Note

    You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, XShell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Use Remote Desktop Connection or Windows App to transfer files to a Windows instance or Upload a file to a Linux instance.

  8. Edit the Nginx configuration file nginx.conf and modify the certificate-related configurations.

    1. Run the following command to open the configuration file.

      sudo vim /usr/local/nginx/conf/nginx.conf

      Note

      If you do not know the location of nginx.conf, you can run nginx -t to view the configuration file path.

    2. In nginx.conf, locate the HTTPS server property configuration.

      [Figure: HTTPS server block in nginx.conf]

      Note

      If the server block shown in the figure does not exist in nginx.conf or the file referenced by the include directive, you must add it manually.

    3. Remove the comment symbol (#) from the beginning of the lines and modify them as shown in the following example.

      server {
          # The default access port for HTTPS is 443.
          # If the default access port for HTTPS is not configured here, Nginx may fail to start.
          listen 443 ssl;

          # Enter the domain name bound to the certificate.
          server_name <YOURDOMAIN>;

          # Enter the path of the certificate file. A relative path such as cert/...
          # is resolved against the Nginx conf directory; an absolute path also works.
          ssl_certificate cert/<cert-file-name>.pem;
          # Enter the path of the certificate's private key file (resolved the same way).
          ssl_certificate_key cert/<cert-file-name>.key;

          ssl_session_cache shared:SSL:1m;
          ssl_session_timeout 5m;

          # Customize the TLS protocol versions and cipher suites (example configuration; evaluate it for your clients before use).
          # Higher TLS versions make HTTPS communication more secure but are supported by fewer older browsers.
          # TLS 1.1 is deprecated (RFC 8996); keep it only if legacy clients require it.
          ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
          ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

          # Prefer the server's cipher suite order over the client's.
          ssl_prefer_server_ciphers on;

          location / {
              root html;
              index index.html index.htm;
          }
      }

    4. Optional: Set HTTP requests to automatically redirect to HTTPS.

      If you want all HTTP requests to automatically redirect to the HTTPS page, you can use the rewrite directive.

      Important

      In the nginx.conf file, locate the http server configuration code block and add the redirection code.

      If you cannot find the preceding code block, you can add the following snippet after the server {} code block in the nginx.conf file. After you configure automatic redirection from HTTP to HTTPS, the nginx.conf file will contain two server {} code blocks.

      server {
          listen 80;
          # Enter the domain name bound to the certificate
          server_name <YOURDOMAIN>;
          # Redirect all HTTP requests to HTTPS using the rewrite directive.
          rewrite ^(.*)$ https://$host$1;
          location / {
              index index.html index.htm;
          }
      }

      The configuration effect is shown in the following figure:

      [Figure: nginx.conf with both server blocks after the redirect is configured]

  9. Run the following command to restart the Nginx service.

    # Go to the Nginx service executable directory.
    cd /usr/local/nginx/sbin
    # Reload the configuration file.
    ./nginx -s reload

    Note

    • Error: the "ssl" parameter requires ngx_http_ssl_module: You must recompile Nginx and add the --with-http_ssl_module configuration during compilation and installation.

    • Error "/cert/3970497_demo.aliyundoc.com.pem":BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/cert/3970497_demo.aliyundoc.com.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file): You need to remove the leading / from the relative path of the certificate. For example, remove the leading / from /cert/cert-file-name.pem and use the correct relative path cert/cert-file-name.pem.
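
The path error in the note above and the protocol list in the sample server block can both be caught before the reload. The following is an added example, not part of the original procedure: the hypothetical function audit_nginx_tls resolves each ssl_certificate and ssl_certificate_key path the way Nginx does (relative paths against the conf directory) and flags protocol versions deprecated by RFC 8996. The nginx.conf it builds is a constructed sample, and the .key file name is assumed from the naming pattern in step 5.

```shell
# Added example: audit the TLS lines of an nginx.conf before reloading.
# Usage: audit_nginx_tls <nginx.conf> [conf-dir]; returns the number of problems found.
audit_nginx_tls() {
    conf=$1
    conf_dir=${2:-$(dirname "$1")}
    problems=0

    # Certificate and key paths: a relative path is resolved against conf_dir.
    for entry in $(sed 's/#.*//' "$conf" |
                   awk '$1 ~ /^ssl_certificate(_key)?$/ { sub(/;$/, "", $2); print $2 }'); do
        case $entry in
            /*) resolved=$entry ;;
            *)  resolved=$conf_dir/$entry ;;
        esac
        if [ ! -r "$resolved" ]; then
            echo "MISSING: $entry resolves to $resolved"
            problems=$((problems + 1))
        fi
    done

    # Protocol versions: SSLv2/SSLv3 are obsolete, TLS 1.0/1.1 are deprecated by RFC 8996.
    for proto in $(sed 's/#.*//' "$conf" |
                   awk '$1 == "ssl_protocols" { for (i = 2; i <= NF; i++) { sub(/;$/, "", $i); print $i } }'); do
        case $proto in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "DEPRECATED: ssl_protocols enables $proto"
                problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample: reproduces the leading-slash mistake from the note above.
make_sample_conf() {   # prints the path of a temporary nginx.conf
    dir=$(mktemp -d) && mkdir "$dir/cert" &&
    touch "$dir/cert/3970497_demo.aliyundoc.com.pem" \
          "$dir/cert/3970497_demo.aliyundoc.com.key" &&
    cat > "$dir/nginx.conf" <<'EOF' && echo "$dir/nginx.conf"
server {
    listen 443 ssl;
    ssl_certificate /cert/3970497_demo.aliyundoc.com.pem;   # leading slash
    ssl_certificate_key cert/3970497_demo.aliyundoc.com.key;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
}
EOF
}

audit_nginx_tls "$(make_sample_conf)" || echo "problems found: $?"
```

On the server, pass /usr/local/nginx/conf/nginx.conf as the first argument; the second argument is needed only when the conf directory differs from the directory of that file.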

Verify the deployment

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.

https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.
  • If a lock icon appears in the browser's address bar, the certificate is successfully installed.

  • Starting from Chrome 117, the HTTPS lock icon in the address bar is changed to a tune icon. You can click this icon. If a lock symbol appears, the certificate is successfully installed.
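
The files on the server can be checked in addition to the browser test. This added example is not part of the original page: it uses the openssl command line to confirm that the private key belongs to the certificate, that the certificate covers the domain in server_name, that it is not about to expire, and that the key file is not readable by other users. check_cert_pair and make_sample_pair are hypothetical names, and the self-signed pair for example.com is constructed only so that the script runs offline.

```shell
# Added example: sanity-check a deployed certificate/key pair with openssl.
# Usage: check_cert_pair <cert.pem> <key> <domain>; returns the number of failed checks.
check_cert_pair() {
    cert=$1 key=$2 domain=$3 failed=0

    # 1. The private key must belong to the certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; failed=$((failed + 1))
    fi

    # 2. The certificate must cover the domain configured in server_name.
    if ! openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null | grep -q 'does match'; then
        echo "FAIL: certificate does not cover $domain"; failed=$((failed + 1))
    fi

    # 3. Fail if fewer than 30 days of validity remain.
    if ! openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
        echo "FAIL: certificate expires within 30 days"; failed=$((failed + 1))
    fi

    # 4. The key file must grant no permissions to group or others.
    if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group/others (use chmod 600)"; failed=$((failed + 1))
    fi
    return "$failed"
}

# Constructed sample: a throwaway self-signed pair for example.com plus an unrelated key.
make_sample_pair() {   # prints the temporary directory that holds the files
    dir=$(mktemp -d) &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com" \
        -keyout "$dir/site.key" -out "$dir/site.pem" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null &&
    chmod 600 "$dir/site.key" "$dir/other.key" &&
    echo "$dir"
}

d=$(make_sample_pair) && check_cert_pair "$d/site.pem" "$d/site.key" example.com && echo "all checks passed"
```

On the Nginx server, call check_cert_pair with the two files in /usr/local/nginx/conf/cert and the domain name bound to the certificate.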

Deploy the certificate to a cloud product

After the SSL certificate is successfully issued, you can deploy it to your web server or an Alibaba Cloud product. This section uses Alibaba Cloud CDN as an example to show you how to deploy the certificate to a cloud product. For more information about how to deploy a certificate to other cloud products or to a web server, see Deploy an SSL certificate.

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.

  3. On the Commercial Certificates tab, find the certificate that you issued. In the Actions column, click Deploy.

  4. On the Select Resource wizard page, select CDN and the corresponding resources. Then, click Preview and Submit.

    The system automatically detects and pulls all resources from your cloud products. If you cannot find the target resource in the corresponding cloud product, check the Total Resources area to confirm whether the resource synchronization is complete. If the resources are still being synchronized (grayed out as shown in the figure), you must wait for the synchronization to finish. The time required for resource synchronization depends on the number of resources in your current cloud product.

    [Figure: Total Resources area while resources are being synchronized]

  5. In the Task Preview panel, confirm the certificate instance and cloud product resource information. If the information is correct, click Submit.

    The preview page shows the number of certificates that match the cloud product and the number of deployments that will be consumed. If the number of matched certificates is 0, the selected certificate does not match the cloud product resource, which will cause the deployment to fail. In this case, you must carefully check the selected certificate.

Verify the deployment

  1. Log on to the Alibaba Cloud CDN console.

  2. In the left-side navigation pane, click Domain Names.

  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.

  4. In the left-side navigation tree of the domain name, click HTTPS.

  5. View the deployed SSL certificate information, including its status and validity period. If the status of the HTTPS Certificate is Enabled, the certificate is successfully deployed.


Note

If you have just completed the certificate deployment, you may need to wait for the CDN cache to update before you can view the latest certificate information.
