Alibaba Cloud applies for a free SSL certificate (https) from Cloud Shield

Because the project needs to use https service, I learned that Alibaba Cloud can apply for it for free.

Our prerequisites: 1. Have an Alibaba Cloud server account.

2. The domain name you applied for is hosted on Alibaba Cloud's cloud resolution service

With these two prerequisites, the application will be much more convenient and quick.

1. Log in to Alibaba Cloud-->Security (Cloud Shield)-->Certificate Service Note: Thanks to the commenter for the tip, the latest way to find and apply for a certificate has been corrected. You have to click backwards, symantec---single domain name----free type

2. Choose to purchase a certificate

3. Select "Free DV SSL" in the configuration list. The certificate provider brand is: "Symantec"

Note: Free digital certificates can only protect one subdomain at most, and do not support wildcards. A Cloud account can only issue 20 free certificates at most.

4. Payment (0 yuan)

5. After payment, you will see a record with the status of "To be completed". Don't think that you can just wait for Alibaba Cloud to review it at this time. In fact, there is still information to fill in.

6. Select Complete and fill in the corresponding information. Just fill in the information truthfully. Including: domain name, name, email address, etc. Because my domain name is hosted on Alibaba Cloud Resolution Service, my authentication method is DNS resolution authentication.

There are two situations at this time. The first one is that the domain name bound to the certificate is checked in the [Alibaba Cloud's Cloud Resolution] product, and the authorization system automatically adds a record to complete the domain name authorization verification:

1) Checked Send cname. After filling in the form, it will be in the "pending review" status and you just need to wait.

2) You will receive an email from Alibaba Cloud in about an hour. The email address you filled in previously is the email address you entered. The email is as follows:

3) Email content: The host record and record value sent to you. This should be the certification review done by Alibaba Cloud.

4). Log in to your Alibaba Cloud domain name hosting account, find the domain name for which you applied for the certificate and add the following information. Be careful not to fill in the host record and record value in reverse.

5) Wait for 10 minutes. During this process, the Alibaba Cloud system will detect this cname. If it is detected, it is successful. At this time, the status of your domain name certificate record is "Issued"

There are two situations at this time. The second one: do not check or the cloud push Alibaba Cloud-Cloud Resolution result fails:

1). Uncheck or push Alibaba Cloud-Cloud Parsing result fails

2). After submission, click on the progress or details to view the application information:

3) After seeing the recorded value information, you need to configure the following rules in your management account.

Record type: TXT Record value: must be consistent with the record value of the application details.

4) After configuration, return to the account where you applied for the certificate, find the configuration check in the download progress details, and click it to be prompted that the DNS configuration is correct. Please wait patiently. This means that the domain name validity has been successfully verified...

5) Wait for about an hour and you will see the review status "I have issued it".

7. Download this certificate and select the corresponding application server. We use tomcat. After downloading, a compressed file containing four files is obtained.

8. Install the certificate. I chose the PFX installation method:

1. Certificate format conversion

Create a cert directory under the Tomcat installation directory and copy all downloaded files to the cert directory. If you created the CSR file yourself when applying for the certificate, the attachment only contains the 214014471160602.pem file, and you also need to copy the private key file to the cert directory and name it 214014471160602.key; if the CSR is created by the system, please go directly to step 2.

Go to the cert directory and execute the following command to complete the PFX format conversion command. Here you need to set the PFX certificate password, please remember it:

openssl pkcs12 -export -out 214014471160602.pfx -inkey 214014471160602.key -in 214014471160602.pem

2. PFX certificate installation

Find the file server.xml in the directory where Tomcat is installed. The default path is usually in the conf folder. Find the <Connection port="8443" tag and add the following attributes:

keystoreFile="cert/214014471160602.pfx"
keystoreType="PKCS12"
#For the certificate password here, please refer to the password file in the attachment or the password set in step 1 keystorePass="certificate password"

The complete configuration is as follows, where the port attribute is modified according to the actual situation:

<Connector port="8443"
 protocol="HTTP/1.1"
 SSLEnabled="true"
 scheme="https"
 secure="true"
 keystoreFile="cert/214014471160602.pfx"
 keystoreType="PKCS12"
 keystorePass="certificate password"
 clientAuth="false"
 ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
 SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
 SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4"/>

13. Restart tomcat14. Access through https and you are done.

September 29, 2017: Supplement

This free certificate does not support SSLProtocol=TLSv1.

Scenario: When okHttpClient of Android version below 5.0 initiates an https request, a connect closed peer error occurs. No solution has been found yet.

This is the end of this article about applying for a free SSL certificate (https) from Alibaba Cloud. For more information about applying for a free SSL from Alibaba Cloud, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!