This topic describes how to create a deployment task to automatically deploy an issued certificate to an Alibaba Cloud Elastic Compute Service (ECS) instance. A deployment task is used to complete the automatic update of a certificate for an ECS instance. This frees you from complex operations and prevents potential errors that may occur when you manually download or upload a certificate.
Limits
Supported ECS instances:
ECS instances of the 8th generation instance families based on the x86 architecture, including ecs.g8i, ecs.hfg8i, ecs.hfc8i, ecs.c8i, ecs.hfr8i, ecs.r8i, ecs.g8a, ecs.c8a, ecs.r8a, ecs.g8ae, ecs.c8ae, and ecs.r8ae.
Alibaba Cloud Linux 3.x and Ubuntu 22.04 UEFI images.
Supported certificates: Rivest-Shamir-Adleman (RSA) certificates.
Supported web application servers:
Alibaba Cloud Linux 3.x images: Only NGINX web servers are supported. The NGINX version must be 1.18.0-2.1.al8 or later and earlier than 1.20.1-1.0.5.al8. The NGINX server must be installed by using YUM.
Ubuntu 22.04 UEFI images: Only NGINX web servers are supported, which must be installed by using apt.
You can use a deployment task to deploy only one SSL certificate to an ECS instance. To deploy multiple SSL certificates, create multiple deployment tasks.
Prerequisites
An ECS instance is purchased. For more information, see Create an instance on the Custom Launch tab.
When you purchase an ECS instance, make sure that you select Trusted System in the Image section.
The first time you deploy a certificate to an ECS instance, you must make sure that the NGINX web server on the ECS instance is configured. For more information, see the Procedure section of this topic.
A single-domain SSL certificate is issued.
Important: If you deploy an uploaded certificate, you must purchase a deployment quota.
If you deploy an official certificate, the deployment quota is not consumed.
For more information about official SSL certificates issued by Alibaba Cloud, see Purchase SSL certificates and Apply for a certificate.
For information about how to upload an SSL certificate issued from a third-party service provider to the Certificate Management Service console and share the SSL certificate across different Alibaba Cloud accounts, see Upload and share an SSL certificate.
Procedure
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the Deployment to Cloud Servers page, click Create Task and perform the following steps:
In the Configure Basic Information step, configure the Task Name parameter and click Next.
In the Select Certificate step, select a certificate type and the certificate that you want to deploy. Then, click Next.
You can select an official certificate or an uploaded certificate.
Note: If you deploy an uploaded certificate, the deployment quota is consumed.
You can deploy only one SSL certificate to an ECS instance in each deployment task. If you want to deploy multiple SSL certificates, create multiple deployment tasks.
In the Select Resource step, select an ECS instance that is available for quick deployment and click Next.
The system automatically matches all the ECS instances within the current Alibaba Cloud account that meet the conditions described in the Limits and Prerequisites sections of this topic. You can search for the desired ECS instance by selecting Quick Deployment/Manual Deployment from the All Types drop-down list.
On the Quick Deployment tab, check whether the certificate deployment environment is available. If yes, select Confirm that the preceding operations are complete and click Continue to Deploy.
If you deploy a certificate to an ECS instance for the first time, you must modify the NGINX configuration file. For more information, see Configure the web application servers supported for quick deployment.
In the message that appears, click OK.
Warning: Restarting the web application server may affect your business. We recommend that you deploy the certificate during off-peak hours.
You can run the following command to manually restart the NGINX server:
systemctl restart nginx.service
After the NGINX server is restarted, run a curl command in the following format to check whether the SSL certificate is installed on the NGINX server:
curl -v https://<Domain name to which the certificate is bound>
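The curl output shows that a certificate is served, but not that it is the one the task deployed. The following script is an added example, not part of the Alibaba Cloud documentation: it compares the SHA-256 fingerprint of the served certificate with a local PEM copy of the deployed certificate, then checks that the key is RSA and that the certificate has not expired. The function names, the script arguments, and the availability of `openssl` and a local copy of the certificate are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud code): confirm NGINX serves the deployed certificate.
# Function names and script arguments are assumptions of this example. Requires openssl.

# SHA-256 fingerprint of the first certificate in PEM file $1; empty if unreadable.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeeds if the public key is RSA, the only key type the deployment task supports.
cert_is_rsa() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'Public Key Algorithm: rsaEncryption'
}

# Succeeds if the certificate is still valid $2 seconds from now (default 0 = now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Save the leaf certificate that the server presents for domain $1 to file $2.
fetch_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2" 2>/dev/null
}

# Compare served certificate $1 with deployed certificate $2.
# Prints OK, UNREADABLE, MISMATCH, NOT_RSA or EXPIRED; non-zero status unless OK.
check_deployment() {
    fp_served=$(cert_fingerprint "$1")
    fp_deployed=$(cert_fingerprint "$2")
    if [ -z "$fp_served" ] || [ -z "$fp_deployed" ]; then echo UNREADABLE; return 1; fi
    if [ "$fp_served" != "$fp_deployed" ]; then echo MISMATCH; return 1; fi
    cert_is_rsa "$1" || { echo NOT_RSA; return 1; }
    cert_valid_for "$1" 0 || { echo EXPIRED; return 1; }
    echo OK
}

# Usage: sh check_cert.sh <domain> <deployed-cert.pem>
if [ "$#" -eq 2 ]; then
    served=$(mktemp)
    fetch_served_cert "$1" "$served"
    check_deployment "$served" "$2"
    rc=$?
    rm -f "$served"
    exit "$rc"
fi
```

A MISMATCH result after a successful deployment task usually means NGINX has not been restarted yet or the server block still points at the previous certificate file.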