Manage Certificates

Last updated: 2019-09-26 11:47:56


You can configure HTTPS certificates for domain names connected to CDN.

Tencent Cloud will send you expiration reminders via SMS, email, and internal message 30 days, 15 days, and 7 days before the expiration of your certificate and on its expiration date. Currently, reminder recipients cannot be customized and reminders will only be sent to your account.

Certificates and Private Keys

CAs provide certificate bundles for several server types; CDN uses the Nginx type.

Go to the Nginx folder and open the ".crt" (certificate) and ".key" (private key) files with a text editor to view the certificate and private key in PEM format.

Certificates

Common certificate extensions include ".pem", ".crt", and ".cer". Open a certificate file in a text editor and you will see content similar to the following.
A ".pem" certificate begins with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----". Every line in between contains 64 characters, while the last line may have fewer than 64 characters.

If your certificate is issued by an intermediate CA, your certificate file consists of multiple certificates. In this case, you need to concatenate the server certificate and the intermediate certificates manually before upload: put the server certificate content first, followed by the intermediate certificate content, with no blank lines in between. Check the rules or instructions that come with the certificate.

  • There should be no blank lines between the certificates.
  • All certificates are in PEM format.

The certificate chain from an intermediate CA is in this format:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Private Key

Common private key extensions include ".pem" and ".key". Open a private key file in a text editor and you will see content similar to the following.
A ".pem" private key begins with "-----BEGIN RSA PRIVATE KEY-----" and ends with "-----END RSA PRIVATE KEY-----". Every line in between contains 64 characters, while the last line may have fewer than 64 characters.

If your private key begins with "-----BEGIN PRIVATE KEY-----" and ends with "-----END PRIVATE KEY-----", it is recommended to convert it to the RSA format with OpenSSL using the following command:

openssl rsa -in old_server_key.pem -out new_server_key.pem

Configuring a Certificate

  1. Log in to the CDN Console and click Certificate Management under Advanced Tools on the left sidebar to go to the certificate management page.
  2. Click Configure Certificate to go to the certificate configuration page.

Selecting a Domain Name

In the Domain Name drop-down list, select the domain name for which to configure a certificate.
(Figure: Certificate domain name)

  • The domain name for which to configure the certificate should have been connected to CDN, and the domain name status should be deploying or activated. Certificates cannot be configured for closed domain names.
  • After CDN acceleration is enabled through COS or Cloud Image, certificates cannot be configured for the default domain names .file.myqcloud.com and .image.myqcloud.com.

Selecting a Certificate

Select Self-owned Certificate and paste certificate content and private key content into the text box. You can add remarks for certificate identification.
(Figure: Select a certificate)

  • The certificate must be in the PEM format; otherwise, see Converting Other Formats to PEM.
  • If your certificate has a certificate chain, convert it to the PEM format and merge the certificate content before upload. If the certificate chain is incomplete, see Completing a Certificate Chain.

Origin-pull Methods

After the certificate is configured, you can select the origin-pull method, that is, the protocol CDN nodes use when fetching resources from your origin server. CDN supports three origin-pull methods: HTTP, HTTPS, and protocol (the origin-pull request follows the protocol of the user's request).

  • After HTTP origin-pull is configured, requests from users to CDN nodes may use HTTPS or HTTP, while origin-pull requests from CDN nodes to the origin server are always HTTP requests.
  • For HTTPS origin-pull, a valid certificate must be deployed on your origin server; otherwise, origin-pull will fail. After successful configuration, origin-pull requests from CDN nodes are always HTTPS requests.
  • If protocol origin-pull is selected, a valid certificate must be deployed on your origin server; otherwise, origin-pull will fail. After successful configuration, HTTP requests from users to CDN nodes result in HTTP origin-pull requests, and HTTPS requests result in HTTPS origin-pull requests.
  • If the HTTPS port on the origin server is not 443, the configuration will fail.
  • COS and FTP origin server domain names only support HTTP origin-pull.

Configuration Success

Click Submit to complete the configuration. You can see information of the successfully configured domain name and certificate on the Certificate Management page.
(Figure: List of successfully configured certificates)

Batch Configuration of Certificate

If you have a multi-domain or wildcard certificate that covers several CDN accelerated domain names, you can configure it for those domain names at once using batch configuration.

  1. Log in to the CDN Console and click Certificate Management under Advanced Tools on the left sidebar to go to the certificate management page.
  2. Click Batch Configuration to go to the batch management page.

Uploading a Certificate

Paste PEM-encoded certificate content and private key to corresponding text boxes. You can modify the remarks to identify the configured certificate and then click Next.

Associating a Domain Name and Selecting an Origin-pull Method

CDN identifies the accelerated domain names that can use the certificate you uploaded (only domain names in the deploying or activated state are listed). Select the domain names to associate and the origin-pull method.

  • Up to 10 accelerated domain names can be selected at a time.
  • After HTTP origin-pull is configured, requests from users to CDN nodes may use HTTPS or HTTP, while origin-pull requests from CDN nodes to the origin server are always HTTP requests.
  • If HTTPS origin server is selected, a valid certificate must be deployed on your origin server; otherwise, origin-pull will fail. After successful configuration, if requests from users to CDN nodes are HTTP requests, origin-pull requests from CDN nodes will also be HTTP requests. The same is true for HTTPS.
  • When multiple domain names are selected at a time, if the HTTPS port on any origin server is not 443, the configuration will fail.
  • If there are COS or FTP origin server domain names, only HTTP origin-pull is supported.

Submitting Configuration

Click Submit and CDN will configure the certificate for the selected domain names. It takes about 5 minutes for the configuration to take effect for each domain name. You can check the certificate configuration status on the Certificate Management page.

  • If the configuration failed, click Edit on the right of the domain name to configure the certificate again.
  • If a domain name in the batch already has a certificate, its original certificate is overwritten. If the overwrite fails, the certificate status of that domain name changes to "update failed" and the original certificate remains valid; click Edit on the right of the domain name to overwrite it again.

Editing a Certificate

You can click Edit on the right of the domain name to update a successfully configured certificate.
(Figure: Edit a certificate)
Click Submit to update the certificate or change the origin-pull method. This process features seamless overwriting and therefore will not cause any disruption to your business.

Deleting a Certificate

Click Delete on the right of the domain name to delete the deployed certificate from CDN.
(Figure: Delete a certificate)

Completing a Certificate Chain

When configuring a self-owned certificate, you may find that the certificate chain cannot be completed.
In this case, paste the content of the CA-issued (intermediate) certificate, in PEM format, directly after the domain name certificate, also in PEM format, to complete the certificate chain, or submit a ticket to contact us.

Converting Other Formats to PEM

Currently, CDN only supports certificates in the PEM format. Certificates in other formats must be converted to PEM first; OpenSSL is recommended for this. The following shows how to convert several common formats to PEM.

DER to PEM

The DER format is generally used on Java platforms.
Certificate conversion:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Private key conversion:

openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

P7B to PEM

The P7B format is generally used on Windows Server and Tomcat.
Certificate conversion:

openssl pkcs7 -print_certs -in incertificate.p7b -out outcertificate.cer

Open outcertificate.cer with a text editor to view the content of the PEM certificate.
Private key conversion: a P7B file contains certificates only, not the private key. The private key is generally exported separately from the server, for example from IIS.

PFX to PEM

The PFX format is generally used on Windows Server.
Certificate conversion:

openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

Private key conversion:

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
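The following script is an added example and is not Tencent Cloud's own tooling; it brings together the steps from the Certificates, Private Key, Completing a Certificate Chain and Converting Other Formats to PEM sections, plus an expiry check matching the 30-day reminder described at the top of the page. It assumes only an `openssl` binary (1.1.x or 3.x) on the PATH, and generates a throwaway root, intermediate and server certificate so that it runs offline; the subject names, `cdn.example.test`, the file names and the PFX password are all constructed for the demo. Two practical points it handles: `openssl pkcs12` and `openssl pkcs7 -print_certs` wrap the PEM blocks in "Bag Attributes", "subject=" and blank lines that the console's no-blank-lines rule rejects, so the script strips everything outside the BEGIN/END markers; and OpenSSL 3.x writes the PKCS#8 "BEGIN PRIVATE KEY" form by default, so the page's `openssl rsa` conversion needs `-traditional` there, while 1.1.x rejects that flag (the script tries it and falls back).

```shell
#!/bin/sh
# Added example, not Tencent Cloud's own tooling. Builds a throwaway
# root -> intermediate -> server chain with OpenSSL, runs the checks an
# operator wants before pasting PEM into the CDN console (chain order, no
# blank lines, key/certificate match, PKCS#8 -> PKCS#1, expiry window), and
# round-trips the DER / P7B / PFX conversions from the page. Every subject,
# file name and password below is constructed for the demo.
WORK="${WORK:-$(mktemp -d)}"

# Keep only PEM blocks: pkcs12/pkcs7 output wraps them in "Bag Attributes",
# "subject=" and blank lines, which the no-blank-lines rule rejects.
pem_only() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# Constructed test PKI (90-day certificates, unencrypted RSA keys). The body
# is a subshell so the cd does not leak into the caller.
make_demo_pki() (
  cd "$WORK" || exit 1
  [ -f server.crt ] && exit 0
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:cdn.example.test\n' > leaf.ext
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.crt 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null &&
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 90 -sha256 -extfile ca.ext -out inter.crt 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=cdn.example.test" \
    -keyout server.key -out server.csr 2>/dev/null &&
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 90 -sha256 -extfile leaf.ext -out server.crt 2>/dev/null
)

# Chain for upload: server certificate first, intermediate second, nothing in
# between. Checks the page's format rules, then that the chain validates.
build_chain() {
  cat "$WORK/server.crt" "$WORK/inter.crt" > "$WORK/chain.pem"
  [ "$(grep -c '^$' "$WORK/chain.pem")" -eq 0 ] || return 1
  [ -z "$(awk 'length($0) > 64' "$WORK/chain.pem")" ] || return 1
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.pem" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# The pasted private key must belong to the pasted certificate: compare the
# public key each one carries (works for PKCS#1 and PKCS#8 keys alike).
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# The page's "openssl rsa -in old -out new" for a key that begins with
# "-----BEGIN PRIVATE KEY-----" (PKCS#8). OpenSSL 3.x writes PKCS#8 again
# unless -traditional is given, and 1.1.x rejects that flag, so try it first.
to_rsa_pem() {
  openssl rsa -traditional -in "$1" -out "$2" 2>/dev/null ||
    openssl rsa -in "$1" -out "$2" 2>/dev/null || return 1
  [ "$(head -n 1 "$2")" = "-----BEGIN RSA PRIVATE KEY-----" ]
}

# Mirrors the 30/15/7-day reminders: succeeds if the certificate is still
# valid $2 days from now, fails if it expires inside that window.
valid_for_days() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# The page's DER, P7B and PFX conversions, round-tripped from the demo files.
convert_round_trips() (
  cd "$WORK" || exit 1
  openssl x509 -in server.crt -outform DER -out server.der 2>/dev/null &&
  openssl x509 -inform der -in server.der -out from_der.pem 2>/dev/null &&
  cmp -s server.crt from_der.pem || exit 1
  # P7B carries certificates only and their order is not guaranteed, so
  # validate the extracted set instead of comparing it with chain.pem.
  openssl crl2pkcs7 -nocrl -certfile server.crt -certfile inter.crt \
    -out bundle.p7b 2>/dev/null &&
  openssl pkcs7 -print_certs -in bundle.p7b -out from_p7b.txt 2>/dev/null &&
  pem_only from_p7b.txt > from_p7b.pem &&
  openssl verify -CAfile root.crt -untrusted from_p7b.pem server.crt \
    >/dev/null 2>&1 || exit 1
  # PFX bundles chain and key; "demo-only" is a constructed password.
  openssl pkcs12 -export -in server.crt -inkey server.key -certfile inter.crt \
    -passout pass:demo-only -out server.pfx 2>/dev/null &&
  openssl pkcs12 -in server.pfx -nokeys -passin pass:demo-only \
    -out from_pfx.txt 2>/dev/null &&
  openssl pkcs12 -in server.pfx -nocerts -nodes -passin pass:demo-only \
    -out key_from_pfx.txt 2>/dev/null || exit 1
  pem_only from_pfx.txt > from_pfx.pem
  pem_only key_from_pfx.txt > key_from_pfx.pem
  [ "$(grep -c 'BEGIN CERTIFICATE' from_pfx.pem)" -eq 2 ] &&
  key_matches_cert server.crt key_from_pfx.pem
)

# Stand-alone run: build everything and report each check.
for step in make_demo_pki build_chain convert_round_trips; do
  "$step" && echo "$step: ok" || echo "$step: FAILED"
done
key_matches_cert "$WORK/server.crt" "$WORK/server.key" && echo "key matches certificate"
to_rsa_pem "$WORK/server.key" "$WORK/server_rsa.key" && echo "PKCS#1 key: $WORK/server_rsa.key"
valid_for_days "$WORK/server.crt" 30 && echo "valid for at least 30 more days"
```

Run it as `sh check_pem.sh` (the file name is your choice); the files land in a temporary directory, or in `$WORK` if you set it. To check real material instead of the demo PKI, skip `make_demo_pki`, copy your own `server.crt`, `inter.crt` and `server.key` into `$WORK`, and pass the CA bundle you trust as `-CAfile` in `build_chain`. The `key_matches_cert` test is the one worth running every time: a certificate pasted with the wrong key is the most common reason a self-owned certificate fails after it is submitted.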