Different types of servers support different formats of SSL certificates. To facilitate certificate installation, Certificate Management Service provides certificate packages that are suitable for servers such as NGINX, Spring Boot, Apache Tomcat, Apache HTTPD, and Internet Information Services (IIS) servers. You can download and use the packages without the need to convert the formats of certificates.
Prerequisites
A certificate is issued by using the Certificate Management Service console. For more information, see Purchase an official certificate.
For data security purposes, you are not allowed to download the third-party certificates that you uploaded to Certificate Management Service.
If you do not know the type of your server, you must query the server type.
Procedure
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the Official Certificate tab, select the certificate that you want to download and click Download below the certificate list.
Note: The Download button appears only when the certificate is in the Issued, Pending Expiration, or Expired state.
In the dialog box that appears, download the certificate based on your server type. Then, decompress the certificate package.
If the certificate format supported by your server is not displayed in the format list, you can download a PEM certificate and then convert the certificate to the required format by using a conversion tool. For more information about how to convert certificate formats, see Convert the format of a certificate.
Note: For more information about how to view the type of a server, see How do I view the type of a web server?
In most cases, a downloaded certificate package includes an intermediate certificate. If the intermediate certificate is untrusted when you install the certificate, contact your account manager.
If you use a certificate signing request (CSR) that is generated by using a tool such as OpenSSL or Keytool to apply for a certificate, the downloaded certificate package does not include a private key file. The private key file is managed on your on-premises computer.
| Certificate type | Server type | Certificate format | Extracted certificate file |
| --- | --- | --- | --- |
| Certificates that use internationally accepted algorithms | Nginx | PEM, which is a Base64-encoded format. You can directly view the content of a PEM certificate. In most cases, PEM certificates are used by applications or servers such as NGINX servers. | domain name.pem: a certificate file. domain name.key: a private key file. |
| Certificates that use internationally accepted algorithms | Tomcat | PFX, which is a binary format and is also known as PKCS#12. A PFX certificate contains a public key and a private key. In most cases, PFX certificates are used by servers such as Tomcat, IIS, and Exchange servers. | domain name.pfx: a certificate file in the PFX format. pfx-password.txt: a password file. Note: If you do not set the CSR Generation parameter to Automatic when you apply for a certificate, the certificate package that you download does not include the TXT password file. |
| Certificates that use internationally accepted algorithms | Apache | CRT, which is a binary format. A CRT certificate contains a certificate file and the related metadata, including the issuer information, validity period, and subject. A CRT certificate does not contain a private key. In most cases, CRT certificates are used by Apache servers. | domain name_public.crt: a certificate file. domain name_chain.crt: a certificate chain file. domain name.key: a private key file. |
| Certificates that use internationally accepted algorithms | IIS | PFX, which is a binary format and is also known as PKCS#12. A PFX certificate contains a public key and a private key. In most cases, PFX certificates are used by servers such as Tomcat, IIS, and Exchange servers. | domain name.pfx: a certificate file. pfx-password.txt: a password file. |
| Certificates that use internationally accepted algorithms | JKS | JKS, which is a keystore format dedicated to Java. In most cases, JKS certificates are used by Java-based applications and services, such as Tomcat and Jetty servers. | A JKS certificate package contains the following files: domain name.jks: a certificate file. jks-password.txt: a password file. |
| Certificates that use internationally accepted algorithms | Other | PEM, which is a Base64-encoded format. You can directly view the content of a PEM certificate. If the certificate format that you require is not displayed, you can select this server type. | A PEM certificate is installed on a server of other types. A PEM certificate package contains the following files: domain name.pem: a certificate file in the PEM format. domain name.key: a private key file. |
| Certificates that use internationally accepted algorithms | Download Root Certificate | CRT or CER. You must download and install root certificates on clients such as apps and IoT terminals because root certificates are not preconfigured in the clients. You can obtain a root certificate for a certificate brand based on the product documentation. | N/A. |
| SM2 certificates | All servers | PEM. | In most cases, SM2 certificates are in the PEM format. Therefore, the files extracted from the certificate packages for different server types are the same. A certificate package contains the following files: domain name_sm2_sign.pem and domain name_sm2_sign.key: a signature certificate and a private key. domain name_sm2_enc.pem and domain name_sm2_enc.key: an encryption certificate and a private key. |
What to do next
After you download a certificate to your computer, you can install the certificate on your web application server to implement HTTPS-encrypted communication.
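Before installing an extracted PEM package (a .pem certificate file and a .key private key file), it helps to confirm that the file includes an intermediate certificate, that the private key belongs to the certificate, and that the certificate has not expired, because a certificate in the Expired state can also be downloaded. The following shell functions are an added example, not part of the original documentation; they assume the OpenSSL command-line tool is installed, and the function names, file names, and the 30-day threshold are illustrative.

```shell
#!/bin/sh
# Added example: pre-install checks for an extracted PEM package.
# Assumes the OpenSSL CLI; function names and thresholds are illustrative.

# Print how many certificates a PEM file holds (leaf plus intermediates).
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed only if the private key ($2) belongs to the first (leaf)
# certificate in the PEM file ($1). Both commands emit the public key
# as PEM text, so a string comparison is enough.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the leaf certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Run every check, print findings, return non-zero if any check failed.
audit_pem_package() {
    pem=$1; key=$2; rc=0
    n=$(cert_count "$pem")
    if [ "$n" -lt 2 ]; then
        echo "WARN: $pem holds $n certificate(s); no intermediate found"
        rc=1
    fi
    key_matches_cert "$pem" "$key" ||
        { echo "FAIL: $key does not match the certificate in $pem"; rc=1; }
    valid_for_days "$pem" 30 ||
        { echo "FAIL: $pem is expired or expires within 30 days"; rc=1; }
    chmod 600 "$key"    # private key readable and writable by owner only
    return "$rc"
}

# Usage: sh audit.sh example.com.pem example.com.key
if [ "$#" -eq 2 ]; then
    audit_pem_package "$1" "$2"
fi
```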