You can configure HTTPS certificates for domain names connected to ECDN. ECDN supports configuration of existing certificates or certificates hosted or issued in the SSL Certificates Service Console.
Log in to the ECDN Console and click Certificate Management on the left sidebar to enter the list page where you can:
On the domain management page, click Configure Certificate to enter the management page and deploy a certificate in the following steps:
In the Domain Name drop-down list, select the domain name for which to configure a certificate.
The domain name should already have been connected to ECDN, and the domain name status should be activated. Certificates cannot be configured for deactivated or deploying domain names.
After selecting a domain name, you need to configure it with a certificate. ECDN supports configuration of private and Tencent Cloud-hosted certificates. You can choose an appropriate certificate based on your selected domain name. Directions for configuring these two types of certificates are detailed as below:
|Certificate Source Type||Configuration Steps||Remarks|
|Private certificate||You need to paste certificate content and private key content into the text box and add remarks for certificate identification.||The certificate content must be in PEM format. For more information, please see Private Certificate Configuration Guide.|
|Tencent Cloud-hosted certificate||You can select an appropriate Tencent Cloud-hosted certificate in the certificate drop-down list.||You can log in to the SSL Certificates Service Console to apply for a certificate free of charge or host a private certificate in Tencent Cloud.|
Click Deploy to submit the task. You can view the certificate deployment status on the Certificate Management page.
If your submitted certificate is associated with multiple acceleration domain names, you can manage their certificate configurations in a unified manner through batch deployment in the following steps:
You can select a multi-domain name certificate or wildcard certificate when using batch deployment. For detailed directions, please see Certificate Configuration Steps.
After a certificate is selected, the system will automatically associate the certificate domain name with an ECDN acceleration domain name. You can also filter domain name certificates by their deployment status to quickly select domain names that need to be configured with the certificate.
After the configuration is completed, click submit to submit it. You can go to the certificate management list to view the certificate configuration status.
- There should be no blank lines between the certificates.
- All certificates are in PEM format.
4. Private key description - Common private key extensions include ".pem" and ".key". Open a private key file in a text editor and you will see a certificate similar to the content as shown below. - A .pem private key begins with "-----BEGIN RSA PRIVATE KEY-----" and ends with "-----END RSA PRIVATE KEY-----". Every line in between contains 64 characters, while the last line may have less than 64 characters. !(https://main.qcloudimg.com/raw/e938403bef35cc8596b6da45f616549d.jpg) - If your private key begins with "-----BEGIN PRIVATE KEY-----" and ends with "-----END PRIVATE KEY-----", you are recommended to convert the format by using OpenSSL with the following command:
openssl rsa -in old_server_key.pem -out new_server_key.pem
### Completing certificate chain When configuring a private certificate, you may encounter a problem where the **certificate chain cannot be completed**. In this case, you can paste the CA-issued certificate (in PEM format) after the domain name certificate (in PEM format) to complete the certificate chain. You can also [submit a ticket](https://console.cloud.tencent.com/workorder/category) for assistance. !(https://main.qcloudimg.com/raw/2495c62c4cbc38848367c39b51ad9b04.png) ### Converting certificate format Currently, ECDN only supports certificates in PEM format. Certificates in other formats need to be converted to PEM format first. You are recommended to use OpenSSL to perform the conversion. The following shows how to convert several common formats to PEM. #### DER to PEM The DER format is generally used on Java platforms. - Certificate conversion
openssl x509 -inform der -in certificate.cer -out certificate.pem
- Private key conversion
openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem
#### P7B to PEM The P7B format is generally used on Windows Server and Tomcat. - Certificate conversion
openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer
Open `outcertificat.cer` with a text editor to view the content of the PEM certificate. - Private key conversion Private keys can generally be exported on IIS servers. #### PFX to PEM The PFX format is generally used on Windows Server. - Certificate conversion
openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
- Private key conversion
openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes