---
Title: Manage certificates
URL Source: https://company-skill.com/p/airec/airec-manage-certificates
Language: en
Description: You need to configure HTTPS/TLS encryption for your AIRec service by either using certificates issued by Alibaba Cloud’s platform or integrating your enterprise’s internal Certificate Authority (CA).…
---

# Manage certificates

Part of **AIRec**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You need to configure HTTPS/TLS encryption for your AIRec service by either using certificates issued by Alibaba Cloud’s platform or integrating your enterprise’s internal Certificate Authority (CA). This involves mapping certificates to services via the `certificate_info.xlsx` file and ensuring proper domain validation.

- Can I use my own CA for AIRec?

## Decision Tree

Pick the best path for your situation:

- **If** you do **not** have a self-owned CA system and only need basic HTTPS encryption using purchased or self-signed certs → Use **HTTPS** (go to *airec/airec-security*)
- **If** your organization mandates use of an internal **self-owned CA system** for compliance, or you need structured domain lists from **Apsara Stack Deployment Planner** (e.g., via **san_domains file**) → Use **CA** (go to *airec/airec-cert*)
- **Otherwise (default)** → Start with **HTTPS**, as it offers a simpler console-based workflow for most users without existing PKI infrastructure.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| HTTPS | HTTPS | low | No | No | Supports Standard SSL (¥0.5), Wildcard SSL (¥1.5), Enterprise SSL (¥5.0); free tier includes 10 certificates | `airec/guide/airec-security` |
| CA | PKICA | high | No | No | Free — no additional charges; requires completed planning in Apsara Stack Deployment Planner | `airec/guide/airec-cert` |

## Path Details

### Path 1: HTTPS

**Best For**: HTTPS

**Brief Description**: This path uses the AIRec console under **Security > Certificates** to create certificates by specifying a **Domain Name**, selecting a **Certificate Type** (Standard SSL, Wildcard SSL, or Enterprise SSL), and clicking **Create Certificate**. After successful verification, you must manually edit the **certificate_info.xlsx** file locally to map certificates to services before deployment.

**Key technical facts**:
- Billing: Certificates are billed upon creation. Unused certificates do not incur additional charges. Standard SSL: 0.5 /, Wildcard SSL: 1.5 /, Enterprise SSL: 5.0 /. Free tier includes 10 certificates.

**When to Use**:
- User prefers built-in certificate generation or upload via web UI without external CA integration
- Project uses self-signed or purchased certificates for both internal and external domains (Scenario 1)
- Team lacks existing PKI infrastructure and wants platform-managed certificate workflow

**When NOT to Use**:
- Enterprise already has a self-owned CA system and mandates its use for certificate lifecycle management
- Internal and external domains require different certificate sources (e.g., internal self-signed, external HSM-issued) — requires Scenario 2 handling better covered by airec-cert path
- Automation or API-driven certificate provisioning is required (this path is UI/console-based)

**Known Limitations**:
- Domain name cannot be modified after certificate creation request is submitted
- Private key must be in unencrypted PEM format
- Deployment configuration requires manual editing of certificate_info.xlsx locally, not directly in console
- Renewal is not automatic
- Single users are limited to 100 certificates

### Path 2: CA

**Best For**: PKICA

**Brief Description**: This path relies on outputs from **Apsara Stack Deployment Planner**, specifically the **HTTPS Certificate Requirement Table** accessed via **Manage Cloud > Display Version List > Server Software List**. You use the **san_domains file** generated during planning to identify required domains, then issue certificates offline using your **self-owned CA system**. The **certificate_info.xlsx** file is used to map these externally issued certs to AIRec services.

**Key technical facts**:
- Billing: Free — no additional charges; included with Apsara Stack Deployment Planner access

**When to Use**:
- Enterprise has an existing PKI and mandates use of its own CA for compliance or security policy
- Project involves mixed certificate sources (e.g., internal domain self-signed, external domain HSM-issued) requiring explicit mapping per certificate_info.xlsx (Scenario 2)
- Need structured, planner-driven domain list (including SANs) from Apsara Stack Deployment Planner output

**When NOT to Use**:
- User wants to generate or upload certificates directly in AIRec console without external CA involvement
- No access to or familiarity with Apsara Stack Deployment Planner
- Project uses only self-signed or purchased certificates uniformly (Scenario 1) — simpler via airec-security path

**Known Limitations**:
- Requires completed deployment planning in Apsara Stack Deployment Planner before starting
- Certificate issuance and verification are offline processes — no direct console UI for CA operations
- Must use customer's self-owned CA — public CAs or Alibaba Cloud’s internal CA are not supported in this workflow
- Permissions required on cloud instance and project in Apsara Stack Deployment Planner to access HTTPS Certificate Requirement Table

## FAQ

Q: Which path should I start with?
A: If you don’t have a corporate PKI or **self-owned CA system**, start with **HTTPS**. It supports common certificate types like **Standard SSL** and **Wildcard SSL** via a simple console flow under **Security > Certificates**.

Q: What if I need to use my company’s internal CA but chose the airec-security path?
A: You’ll hit a hard limitation: the **airec-security** path does not support integration with external CAs. You cannot bind certificates issued by your **self-owned CA system**, and you’ll lack the structured domain list from **Apsara Stack Deployment Planner** needed for accurate mapping.

Q: What if I try to automate certificate deployment using the airec-security path?
A: You’ll be blocked — this path requires manual editing of **certificate_info.xlsx** and has no API or CLI support. Automation-friendly workflows are not available; consider that neither path currently supports automation, but **airec-cert** at least allows scripted CA issuance offline.

Q: Can I modify the Domain Name after submitting a certificate request in airec-security?
A: No — the **Domain Name** cannot be changed once the **Create Certificate** request is submitted. This is a hard limitation of the console workflow.

Q: Do I need Apsara Stack Deployment Planner for the airec-cert path?
A: Yes — you must complete deployment planning and access the **HTTPS Certificate Requirement Table** via **Manage Cloud > Display Version List** to obtain the **san_domains file**. Without it, you won’t know which domains require certificates.

Q: Are there cost differences between the two paths?
A: Yes — **airec-security** charges for **Standard SSL** (¥0.5), **Wildcard SSL** (¥1.5), and **Enterprise SSL** (¥5.0) upon creation, while **airec-cert** is free since it uses your own CA and leverages existing **Apsara Stack Deployment Planner** access.

## Related queries

manage https certificate, configure https for airec, deploy ssl certificate to airec, upload tls cert to airec, how to add https to airec, airec custom ssl, airec certificate management, set up https on airec, enable ssl on airec, airec security certificate, use own ca with airec, airec self-signed

---
Part of [AIRec](https://company-skill.com/p/airec.md) · https://company-skill.com/llms.txt