- Product Introduction
- Purchase Guide
- Quick Start
- CLB Instances
- CLB Listeners
- Introduction
- Polling Methods
- Session Persistence
- Health Check
- Configuring an HTTP Listener
- Configuring an HTTPS Listener
- Configuring a UDP Listener
- Configuring a TCP Listener
- Configuring a TCP SSL Listener
- Certificate Configurations
- Layer-7 Domain Name Forwarding and URL Rules
- SNI Support for Binding Multiple Certificates to a CLB Instance
- Configuring Layer-7 Redirection
- Custom Configurations of CLB Instances
- Classic CLB
- Backend CVMs
- Monitoring and Alarm
- Log Management
- Cloud Access Management
- OPS Guidelines
- Best Practise
- API Documentation
- Introduction
- API Category
- Making API Requests
- Classic CLB APIs
- Cloud Load Balancer APIs
- AssociateTargetGroups
- AutoRewrite
- BatchDeregisterTargets
- CreateLoadBalancerSnatIps
- BatchModifyTargetWeight
- BatchRegisterTargets
- CreateListener
- CreateLoadBalancer
- CreateRule
- DeleteLoadBalancerListeners
- CreateTargetGroup
- DeleteLoadBalancerSnatIps
- DeleteListener
- DeleteLoadBalancer
- DeleteRewrite
- DeleteRule
- DeleteTargetGroups
- DeregisterTargetGroupInstances
- DescribeBlockIPList
- DeregisterTargets
- DescribeListeners
- DescribeLoadBalancers
- DescribeRewrite
- DescribeTargetGroupInstances
- DescribeTargetGroupList
- DescribeTargetGroups
- DescribeTargetHealth
- DescribeTargets
- DescribeTaskStatus
- DisassociateTargetGroups
- ManualRewrite
- ModifyBlockIPList
- ModifyDomain
- ModifyDomainAttributes
- ModifyListener
- ModifyLoadBalancerAttributes
- ModifyRule
- ModifyTargetGroupAttribute
- ModifyTargetGroupInstancesPort
- ModifyTargetGroupInstancesWeight
- ModifyTargetPort
- ModifyTargetWeight
- RegisterTargetGroupInstances
- RegisterTargets
- Other APIs
- Data Types
- Error Codes
- CLB API 2017
- SDK Documents
- FAQ
- More
- Announcements
- Service Level Agreement
- Product Updates
- Glossary
- Product Introduction
- Purchase Guide
- Quick Start
- CLB Instances
- CLB Listeners
- Introduction
- Polling Methods
- Session Persistence
- Health Check
- Configuring an HTTP Listener
- Configuring an HTTPS Listener
- Configuring a UDP Listener
- Configuring a TCP Listener
- Configuring a TCP SSL Listener
- Certificate Configurations
- Layer-7 Domain Name Forwarding and URL Rules
- SNI Support for Binding Multiple Certificates to a CLB Instance
- Configuring Layer-7 Redirection
- Custom Configurations of CLB Instances
- Classic CLB
- Backend CVMs
- Monitoring and Alarm
- Log Management
- Cloud Access Management
- OPS Guidelines
- Best Practise
- API Documentation
- Introduction
- API Category
- Making API Requests
- Classic CLB APIs
- Cloud Load Balancer APIs
- AssociateTargetGroups
- AutoRewrite
- BatchDeregisterTargets
- CreateLoadBalancerSnatIps
- BatchModifyTargetWeight
- BatchRegisterTargets
- CreateListener
- CreateLoadBalancer
- CreateRule
- DeleteLoadBalancerListeners
- CreateTargetGroup
- DeleteLoadBalancerSnatIps
- DeleteListener
- DeleteLoadBalancer
- DeleteRewrite
- DeleteRule
- DeleteTargetGroups
- DeregisterTargetGroupInstances
- DescribeBlockIPList
- DeregisterTargets
- DescribeListeners
- DescribeLoadBalancers
- DescribeRewrite
- DescribeTargetGroupInstances
- DescribeTargetGroupList
- DescribeTargetGroups
- DescribeTargetHealth
- DescribeTargets
- DescribeTaskStatus
- DisassociateTargetGroups
- ManualRewrite
- ModifyBlockIPList
- ModifyDomain
- ModifyDomainAttributes
- ModifyListener
- ModifyLoadBalancerAttributes
- ModifyRule
- ModifyTargetGroupAttribute
- ModifyTargetGroupInstancesPort
- ModifyTargetGroupInstancesWeight
- ModifyTargetPort
- ModifyTargetWeight
- RegisterTargetGroupInstances
- RegisterTargets
- Other APIs
- Data Types
- Error Codes
- CLB API 2017
- SDK Documents
- FAQ
- More
- Announcements
- Service Level Agreement
- Product Updates
- Glossary
SSL Certificate Format
1. Certificate format description
1.1. Certificate format requirements
- The certificate needs to be applied for should be in PEM format on Linux. CLB does not support certificates in other formats. For more information, please see Converting Certificates to PEM Format.
- If your certificate is issued by a root CA, the certificate is unique, and the configured website will be considered trustworthy by accessing devices such as browsers with no additional certificates required.
- If your certificate is issued by an intermediate CA, your certificate file will consist of multiple certificates. In this case, you need to combine the server certificates and intermediate certificates manually for uploading.
- If your certificate has a certificate chain, please convert it to PEM format and combine with the certificate content for uploading.
- The splicing rule follows that the server certificate content should be before the intermediate certificate content, with no blank lines in between.
You can check for applicable rules or instructions provided by the CA (if any) alongside the certificate.
1.2. Certificate format and certificate chain format
Below are examples of certificate and certificate chain formats. Please confirm that the formats are correct before the uploading:
Certificate issued by a root CA: PEM format on Linux, as shown below:
Certificate rules:- Your certificate should start with "——-BEGIN CERTIFICATE——-" and end with "——-END CERTIFICATE——-", which should be uploaded together.
- All lines must contain 64 characters, except for the the last line which can contain less than 64 characters.
Certificate chain from an intermediate CA:
——-BEGIN CERTIFICATE——-
——-END CERTIFICATE——-
——-BEGIN CERTIFICATE——-
——-END CERTIFICATE——-
——-BEGIN CERTIFICATE——-
——-END CERTIFICATE——-Certificate chain rules:
- No blank lines between certificates.
- All certificates should meet requirements in 1.1. Certificate format requirements.
2. RSA private key format requirements
Below is an example:
An RSA private key can include all private keys (RSA and DSA), public keys (RSA and DSA), and (x509) certificates. It stores data in Base64-encoded DER format and is wrapped by ASCII headers, making it suitable for transmission in text mode between systems.
RSA private key rules:
- Your certificate should start with "——-BEGIN RSA PRIVATE KEY——-" and end with "——-END RSA PRIVATE KEY——-", which should be uploaded together.
- All lines must contain 64 characters, except for the last line which can contain less than 64 characters.
If your private key does not start with "——-BEGIN PRIVATE KEY——-" or end with "——-END PRIVATE KEY——-", you can convert it in the following way:
openssl rsa -in old_server_key.pem -out new_server_key.pemYou can then upload the new_server_key.pem content together with the certificate.
3. Converting certificates to PEM format
Currently, CLB only supports certificates in PEM format. Certificates in other formats need to be converted to PEM format before they can be uploaded to CLB. We recommend you use OpenSSL to convert the format. The following shows how to convert several popular certificte formats to PEM.
3.1. DER to PEM
DER format is generally used on Java platforms.
Certificate conversion: openssl x509 -inform der -in certificate.cer -out certificate.pem
Private key conversion: openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem
3.2. P7B to PEM
P7B format is generally used on Windows Server and Tomcat.
Certificate conversion: openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer
You need to get the content of "——-BEGIN CERTIFICATE——-" and "——-END CERTIFICATE——-" in outcertificat.cer and upload it as certificate.
Private key conversion: Private keys can generally be exported on IIS servers.
3.3. PFX to PEM
PFX format is generally used on Windows Server.
Certificate conversion: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
Private key conversion: openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
3.4. CER/CRT to PEM
You can convert certificates in CER/CRT formats to PEM by directly modifying their file extensions. For example, you can directly rename the "servertest.crt" certificate file to "servertest.pem".
Was this page helpful?