Certificate Management

Last updated: 2020-02-24 12:22:51


You can configure CDN certificates for domain names that have been connected over HTTPS. CDN supports configuring either your own existing certificate or a certificate hosted or issued in the Tencent Cloud SSL Certificates Service console.

Tencent Cloud sends expiration reminders to the account by text message, e-mail and internal message 30 days, 15 days and 7 days before the certificate expires, and again on the day of expiry. The SSL Certificates Service now supports custom alarm recipients, which you can configure under Message Subscription.

Certificates and Private Keys

If you want to configure an existing certificate for your domain name, please read the following first.

If you are configuring a certificate hosted or issued in the Tencent Cloud SSL Certificates Service console, you can skip this section and go directly to Configure Certificate below.

The certificate package provided by a CA typically contains several server-specific variants; CDN uses the Nginx variant.

Go to the Nginx folder and open the ".crt" (certificate) and ".key" (private key) files with a text editor to view the certificate and private key in PEM format.

Certificates

Common certificate extensions include ".pem", ".crt" and ".cer". Open a certificate file in a text editor and you will see content similar to the following.
A ".pem" certificate begins with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----". Every line in between contains 64 characters, except that the last line may have fewer than 64 characters.

If your certificate is issued by an intermediate CA, your certificate file consists of multiple certificates. In this case you need to splice the server certificate and the intermediate certificates manually for upload: put the server certificate content first, followed by the intermediate certificate content, with no blank lines in between. Refer to the rules or instructions that came with the certificate.

  • There should be no blank lines between the certificates.
  • All certificates are in PEM format.

A certificate chain from an intermediate CA comes in this format:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Private Key

Common private key extensions include ".pem" and ".key". Open a private key file in a text editor and you will see content similar to the following.
A ".pem" private key begins with "-----BEGIN RSA PRIVATE KEY-----" and ends with "-----END RSA PRIVATE KEY-----". Every line in between contains 64 characters, except that the last line may have fewer than 64 characters.

If your private key begins with "-----BEGIN PRIVATE KEY-----" and ends with "-----END PRIVATE KEY-----" (PKCS#8 encoding), we recommend converting it to the format above with OpenSSL using the following command:

openssl rsa -in old_server_key.pem -out new_server_key.pem
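As an added example that is not part of the original page, the following Python checker applies the structural rules above to a bundle before you paste it into the console: 64-character body lines, no blank lines between certificates, valid base64 with DER framing, and whether the key header is the "RSA PRIVATE KEY" form CDN expects or the PKCS#8 "PRIVATE KEY" form that the openssl rsa command converts. The sample bundle and key are constructed placeholders, not real certificates; chain order itself (server certificate before intermediates) still needs an X.509 parser such as openssl verify.

```python
import base64
import re
import textwrap

# One PEM block: the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)

# Key header -> encoding. CDN expects PKCS#1 ("RSA PRIVATE KEY"); a PKCS#8
# "PRIVATE KEY" header is what `openssl rsa -in old.pem -out new.pem` converts.
KEY_FORMATS = {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8",
               "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted", "EC PRIVATE KEY": "sec1"}


def _fake_body(size):
    """Constructed base64 body: DER-looking bytes (0x30 = SEQUENCE), not a real cert."""
    der = b"\x30\x82" + bytes(size - 2)
    return "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))

# Constructed sample bundle: leaf + intermediate with a blank line between them
# (the mistake the page warns about), and a constructed PKCS#8 key header.
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\n" + _fake_body(68) + "\n-----END CERTIFICATE-----\n"
                 "\n"
                 "-----BEGIN CERTIFICATE-----\n" + _fake_body(68) + "\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\n" + _fake_body(48) + "\n-----END PRIVATE KEY-----\n"


def check_pem_bundle(text):
    """Structural checks only: labels, 64-char lines, base64, DER framing, no blank
    lines between blocks. Chain order still requires openssl verify."""
    text = text.replace("\r\n", "\n")
    blocks = list(PEM_BLOCK.finditer(text))
    issues = [] if blocks else ["no PEM block found"]
    for i, m in enumerate(blocks):
        label, lines = m.group(1), m.group(2).split("\n")
        if label != "CERTIFICATE":
            issues.append(f"block {i}: unexpected label {label!r}")
        if any(len(l) != 64 for l in lines[:-1]) or len(lines[-1]) > 64:
            issues.append(f"block {i}: body lines must be 64 chars (last may be shorter)")
        if i and text[blocks[i - 1].end():m.start()] != "\n":
            issues.append(f"block {i}: blank line or stray text before block")
        try:
            der = base64.b64decode("".join(lines), validate=True)
        except ValueError:
            issues.append(f"block {i}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):
            issues.append(f"block {i}: decoded data is not a DER SEQUENCE")
    return {"certificates": len(blocks), "issues": issues, "ok": not issues}


def check_private_key(text):
    """Classify the key header to decide whether `openssl rsa` conversion is needed."""
    m = PEM_BLOCK.search(text.replace("\r\n", "\n"))
    fmt = KEY_FORMATS.get(m.group(1), "unknown") if m else "unknown"
    return {"format": fmt, "needs_conversion": fmt != "pkcs1"}
```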


Configure Certificate

  1. Log in to the CDN Console and click Certificate on the left sidebar to go to the certificate management page.
  2. Click Configure Certificate to go to the certificate configuration page.

Select a Domain Name

Select the domain name you want to configure the certificate for from the Domain drop-down list.

  • The domain name must already have CDN service enabled and be in Deploying or Activated status. Certificates cannot be configured for Closed domain names.
  • When CDN acceleration is enabled through COS or Cloud Image, certificates cannot be configured for the default domain names .file.myqcloud.com and .image.myqcloud.com.

Selecting a Certificate

You can choose to use your own certificate or a Tencent Cloud hosted certificate.

Self-owned Certificate

Select Self-owned Certificate and paste the certificate and private key into the text boxes. You can add remarks to identify the certificate.

  • The certificate must be in PEM format; if it is not, see Converting Other Formats to PEM.
  • If your certificate has a certificate chain, convert it to PEM format and merge it with the certificate content for upload. If the certificate chain is incomplete, see Completing a Certificate Chain.

Tencent Cloud Hosting Certificate

You can log in to the SSL Certificates Service console, apply for a free third-party certificate provided by TrustAsia, or host an existing certificate on Tencent Cloud.
Select Tencent Cloud Hosted Certificate to see the list of certificates available for this domain name, then select the certificate you want to use. Entries in the list are displayed in the "Certificate ID" format.

Origin-pull Methods

After the certificate is configured, you can select the origin-pull method that CDN nodes use to obtain resources from the origin server. CDN supports three origin-pull methods: HTTP, HTTPS and Protocol.

  • With HTTP origin-pull, requests from users to CDN nodes may be HTTPS or HTTP, but all origin-pull requests from CDN nodes to the origin are plain HTTP, so the CDN-to-origin leg is unencrypted even when the user-facing connection is HTTPS.
  • With Protocol origin-pull, a valid certificate must be deployed on your origin server; otherwise origin-pull fails. After successful configuration, HTTP requests from users to CDN nodes are pulled from the origin over HTTP, and HTTPS requests are pulled over HTTPS.
  • If the HTTPS port on the origin server is not 443, the configuration will fail.
  • COS and FTP origin server domain names only support HTTP origin-pull.

Configuration Success

Click Submit to complete the configuration. The successfully configured domain name and its certificate information are displayed on the Certificate Management page.

Batch Configuration of Certificate

If you have a multi-domain certificate or wildcard certificate that is applicable to multiple CDN accelerated domain names, you can configure it for multiple domain names in batches using batch configuration.

  1. Log in to the CDN Console and click Certificate on the left sidebar to go to the certificate management page.
  2. Click Batch Configuration to go to the batch management page.

Uploading a Certificate

Paste the PEM-encoded certificate and private key into the corresponding text boxes. You can edit the remarks to identify the configured certificate, then click Next.

Associating a Domain Name and Selecting an Origin-pull Method

CDN identifies the accelerated domain names that can use the certificate you uploaded (the domain names must be in Deploying or Activated status). Select the domain names to associate and the origin-pull method.

  • Up to 10 accelerated domain names can be selected at a time.
  • With HTTP origin-pull, requests from users to CDN nodes may be HTTPS or HTTP, but all origin-pull requests from CDN nodes to the origin are plain HTTP, so the CDN-to-origin leg is unencrypted even when the user-facing connection is HTTPS.
  • With Protocol origin-pull, a valid certificate must be deployed on your origin server; otherwise origin-pull fails. After successful configuration, HTTP requests from users to CDN nodes are pulled from the origin over HTTP, and HTTPS requests are pulled over HTTPS.
  • When multiple domain names are selected at a time, the configuration will fail if the HTTPS port on any origin server is not 443.
  • For COS or FTP origin server domain names, only HTTP origin-pull is supported.

Submitting Configuration

Click Submit and CDN will configure the certificate for the selected domain names. It takes about 5 minutes for the configuration to take effect for each domain name. You can check the certificate configuration status on the Certificate Management page.

  • If the configuration fails, you can click Edit on the right of the domain name to configure the certificate again.
  • If any of the domain names configured in a batch already has a certificate, the original certificate of that domain name is overwritten. If the overwrite fails, the certificate status of that domain name changes to Update failed; in this case the original certificate remains valid, and you can click Edit on the right of the domain name to overwrite it again.

Edit Certificate

You can click Edit on the right of the domain name to update a successfully configured certificate.
You can switch between your own certificate and a Tencent Cloud hosted certificate, and re-select the origin-pull method. Click Submit to complete the deployment. The deployment is seamless and does not affect your business traffic.

Deleting a Certificate

Click the delete icon on the right of the domain name to delete the deployed certificate from CDN.

Completing a Certificate Chain

When configuring a self-owned certificate, you may encounter the error "Certificate chain cannot be completed".
In this case, paste the CA-issued intermediate certificate (in PEM format) after the domain name certificate (in PEM format) to complete the certificate chain, or submit a ticket.

Converting Other Formats to PEM

Currently, CDN only supports certificates in PEM format. Certificates in other formats need to be converted to PEM format first. We recommend using OpenSSL to perform the conversion. Below shows how to convert several common formats to PEM.

DER to PEM

The DER format is generally used on Java platforms.
Certificate conversion:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Private key conversion:

openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

P7B to PEM

The P7B format is generally used on Windows Server and Tomcat.
Certificate conversion:

openssl pkcs7 -print_certs -in incertificate.p7b -out outcertificate.cer

Open outcertificate.cer with a text editor to view the content of the PEM certificate.
Private key conversion: a P7B file contains no private key; on IIS servers the private key can generally be exported separately.

PFX to PEM

The PFX format is generally used on Windows Server.
Certificate conversion:

openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

Private key conversion (-nodes writes the private key unencrypted, so restrict access to the output file):

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes