---
Title: Certificate Management Service (CAS)
URL Source: https://company-skill.com/p/cas
Language: en
Last-Modified: 2026-06-14T06:19:05.206825+00:00
Description: Certificate Management Service (CAS) provides comprehensive capabilities for managing SSL/TLS certificates across public, private, and compliance use cases. It supports certificate lifecycle operation
---

# Certificate Management Service (CAS)

> Certificate Management Service (CAS) provides comprehensive capabilities for managing SSL/TLS certificates across public, private, and compliance use cases. It supports certificate lifecycle operations including creation, deployment, renewal, revocation, and monitoring via API, console, and troubleshooting resources.

## Featured GEO article

Alibaba Cloud Certificate Management Service (CAS) is a centralized platform for requesting, deploying, and administering public and private SSL/TLS certificates across cloud and on-premises environments. It provides both console-based wizards and programmatic APIs to automate certificate issuance, enforce domain validation, and integrate security into CI/CD pipelines. The service supports DV, OV, and EV certificate types, private certificate authorities, and direct deployment to major web servers and cloud resources.

## Key facts
- Supported certificate types include DV, OV, and EV, with RSA keys requiring ≥2048-bit or ECC alternatives.
- API operations are rate-limited to 10 QPS per user, with a free tier offering 100–1000 requests per month.
- Console deployment supports PEM, PFX, and JKS certificate formats for Apache, Nginx, IIS, and Tomcat.
- Programmatic access requires Bearer Token authentication and RAM permissions such as yundun-cert:CreateCertificateWithCsrRequest or AliyunYundunCertFullAccess.
- Available API regions include cn-hangzhou, cn-shanghai, cn-beijing, ap-southeast-1, and eu-central-1.
- Private certificate management via the console is optimized for ≤20 test certificates per year, while API integration scales to >100 certificates per month.
- Private CA issuance requires a configured VPC, and compliance-related certificates may mandate a USBKey hardware token.

## How to apply for an SSL/TLS certificate
You can request a new certificate by choosing between the console’s guided wizards for manual issuance or the OpenAPI for automated, code-driven workflows.
1. Determine your workflow: select the console path for one-off requests or the API path for CI/CD integration.
2. Prepare your credentials: ensure you have a valid Alibaba Cloud account, SSO access for the console, or a Bearer Token and RAM permissions for API calls.
3. Generate or provide a CSR: if using the API, supply a CSR file with RSA ≥2048-bit or ECC keys; the console handles CSR generation automatically.
4. Select certificate type and validation: choose DV for automated domain verification, or OV/EV for business validation via the Standard Apply wizard.
5. Complete domain verification: follow the DNS TXT record instructions or use the Quick Apply wizard for instant DV issuance.
6. Finalize the order: submit the application and monitor issuance status through the console dashboard or API response.
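The API path rejects a CSR whose key does not satisfy the "RSA ≥2048-bit or ECC" rule, so it pays to check the key before submitting the order. The following is an added example, not CAS or Alibaba Cloud SDK code: a standard-library DER walker that pulls the SubjectPublicKeyInfo out of a PEM CertificationRequest and reports the algorithm and key size. The `_sample_csr` encoder and the `sample_rsa_csr` / `sample_ec_csr` helpers exist only to construct demonstration CSRs (empty subject, dummy signature); `key_info_from_csr` works on a real CSR exported from OpenSSL or any other tool.

```python
"""Pre-submission check that a CSR's key meets the RSA >=2048-bit / ECC rule.

Added example (not CAS project code): a minimal DER walker over a PEM
CertificationRequest, plus an encoder used only to build constructed sample
CSRs for demonstration. Standard library only.
"""
import base64
import re

OID_RSA = "1.2.840.113549.1.1.1"    # rsaEncryption
OID_EC = "1.2.840.10045.2.1"         # id-ecPublicKey
OID_P256 = "1.2.840.10045.3.1.7"     # prime256v1 (sample curve only)


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a constructed node."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def key_info_from_csr(pem):
    """Return (algorithm, bits) for the public key inside a PEM CertificationRequest."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    # CertificationRequest ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }
    _, s, e = _read_tlv(der, 0)
    _, cri_s, cri_e = next(_children(der, s, e))
    # CertificationRequestInfo ::= SEQUENCE { version, subject, subjectPKInfo, attributes }
    spki = list(_children(der, cri_s, cri_e))[2]
    alg_id, bitstr = list(_children(der, spki[1], spki[2]))
    oid = next(_children(der, alg_id[1], alg_id[2]))
    alg = der[oid[1]:oid[2]]
    key = der[bitstr[1] + 1:bitstr[2]]           # skip the BIT STRING unused-bits byte
    if alg == _encode_oid(OID_RSA):
        # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
        _, ks, ke = _read_tlv(key, 0)
        mod = next(_children(key, ks, ke))
        return "RSA", int.from_bytes(key[mod[1]:mod[2]], "big").bit_length()
    if alg == _encode_oid(OID_EC):
        return "ECC", (len(key) - 1) * 4         # uncompressed point 0x04||X||Y
    return "unknown", 0


def csr_meets_policy(pem):
    """True when the key is ECC or RSA with at least 2048 bits."""
    alg, bits = key_info_from_csr(pem)
    return alg == "ECC" or (alg == "RSA" and bits >= 2048)


# --- encoder used only to construct sample CSRs (dummy signature, empty subject) ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(n):
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _sample_csr(alg_oid, key_bytes, params):
    alg_id = _der(0x30, _der(0x06, _encode_oid(alg_oid)) + params)
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + key_bytes))
    cri = _der(0x30, _der_int(0) + _der(0x30, b"") + spki + _der(0xA0, b""))
    sig_alg = _der(0x30, _der(0x06, _encode_oid("1.2.840.113549.1.1.11")) + _der(0x05, b""))
    csr = _der(0x30, cri + sig_alg + _der(0x03, b"\x00" * 33))
    b64 = base64.encodebytes(csr).decode()
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + b64 + "-----END CERTIFICATE REQUEST-----\n"


def sample_rsa_csr(bits):
    """Constructed CSR whose RSA modulus has exactly `bits` bits (not a real key)."""
    modulus = (1 << (bits - 1)) | 0x10001
    return _sample_csr(OID_RSA, _der(0x30, _der_int(modulus) + _der_int(65537)), _der(0x05, b""))


def sample_ec_csr():
    """Constructed CSR carrying a P-256-shaped uncompressed point (not a real key)."""
    point = b"\x04" + bytes(range(64))
    return _sample_csr(OID_EC, point, _der(0x06, _encode_oid(OID_P256)))
```

Run `csr_meets_policy(open("request.csr").read())` in the pipeline step that precedes the `CreateCertificateWithCsrRequest` call; a 1024-bit RSA request is rejected locally instead of costing an API round trip.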

## How to deploy SSL to servers or cloud resources
You can install issued certificates on target environments by selecting the deployment method that matches your infrastructure, whether it is a cloud service, a self-managed web server, or a CDN gateway.
1. Identify your target environment: choose API for ECS or SLB automation, manual configuration for Apache/Nginx/IIS, or one-click HTTPS for CDN/gateway services.
2. Prepare the certificate files: download the certificate in PEM, PFX, or JKS format depending on your server requirements.
3. Configure the web server: for Apache, ensure the mod_ssl module is enabled; for IIS, use the Internet Information Services Manager to bind the certificate.
4. Apply cloud-specific deployment: use the console’s one-click deployment to attach certificates directly to Alibaba Cloud resources without manual file transfers.
5. Verify the installation: restart the web service or gateway, then test the HTTPS connection to confirm successful certificate binding and secure handshake.

## How to manage private CA and private certificates
You can establish and administer an internal PKI hierarchy by using the console for low-volume management or the OpenAPI for high-scale, automated certificate issuance.
1. Provision your private CA: purchase a private CA instance and configure it within your designated VPC.
2. Choose your management interface: use the console for ≤20 test certificates annually, or switch to the API for workflows requiring >100 certificates per month.
3. Issue private certificates: generate CSRs, sign them with your private CA, and distribute them for internal services like mTLS or service mesh architectures.
4. Handle compliance requirements: attach a USBKey hardware token if your organization mandates hardware-backed cryptographic operations.
5. Maintain the lifecycle: use the console or API to renew, deploy, or revoke private certificates as internal infrastructure changes or security policies update.

## How to troubleshoot SSL/TLS issues
You can resolve certificate errors, validation failures, and handshake problems by systematically diagnosing the configuration, trust chain, and network settings.
1. Identify the error type: distinguish between browser warnings, OCSP/CRL validation failures, and server restart errors.
2. Verify certificate deployment: ensure the correct PEM, PFX, or JKS file is bound to the server and that the full trust chain is included.
3. Check domain and DNS configuration: confirm that CNAME or DNS TXT records match the certificate’s subject alternative names and that no domain conflicts exist in proxy HTTPS setups.
4. Validate TLS settings: review cipher suites, TLS versions, and mutual TLS configurations to ensure compatibility with client browsers and Apple ATS requirements.
5. Test and monitor: use diagnostic tools to simulate handshakes, check for duplicate domain bindings, and verify that the server correctly serves the updated certificate.
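Steps 3 to 5 above (SAN match, TLS floor, testing the served certificate) can be scripted so the same check runs after every deployment or renewal. The following is an added example, not CAS project code: `check_cert` works on the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, so it can run offline against `SAMPLE_CERT` (a constructed value, not a real certificate), and `fetch_peer_cert` is the live wrapper that performs a TLS 1.2+ handshake against the deployed host. The hostnames and dates are constructed.

```python
"""Post-deployment checks on the certificate a server presents.

Added example, not CAS project code. `check_cert` works on the dictionary shape
returned by ssl.SSLSocket.getpeercert() so it can run offline; `fetch_peer_cert`
is the live wrapper. SAMPLE_CERT and the hostnames are constructed values.
"""
import socket
import ssl
import time


def _name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard may only replace the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def check_cert(cert, hostname, now=None, min_days=14):
    """Return a list of findings for the deployed certificate; empty means it passes."""
    now = time.time() if now is None else now
    findings = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        findings.append("no DNS subjectAltName entries (clients ignore the CN)")
    elif not any(_name_matches(san, hostname) for san in sans):
        findings.append(f"hostname {hostname} not covered by SANs {sans}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate not yet valid (check the server clock)")
    if now >= not_after:
        findings.append("certificate expired")
    elif not_after - now < min_days * 86400:
        findings.append(f"certificate expires in under {min_days} days; renew")
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    if subject == issuer:
        findings.append("self-signed certificate presented (no CA chain bound)")
    return findings


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live check: a TLS 1.2+ handshake (the Apple ATS floor) against the deployed server.

    A successful handshake already proves the served chain validates against the
    local trust store; the returned dict can then be passed to check_cert().
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Test CA"),), (("commonName", "Example Test CA R1"),)),
    "notBefore": "Jan 10 00:00:00 2026 GMT",
    "notAfter": "Apr 10 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def run_sample_checks():
    """Exercise check_cert against SAMPLE_CERT at fixed points in time."""
    feb = ssl.cert_time_to_seconds("Feb 10 00:00:00 2026 GMT")
    return {
        "healthy": check_cert(SAMPLE_CERT, "www.example.com", now=feb),
        "near_expiry": check_cert(SAMPLE_CERT, "api.example.com", now=feb + 50 * 86400),
        "wrong_host": check_cert(SAMPLE_CERT, "deep.sub.example.com", now=feb),
        "expired": check_cert(SAMPLE_CERT, "example.com", now=feb + 90 * 86400),
    }


if __name__ == "__main__":
    for name, findings in run_sample_checks().items():
        print(name, findings or "OK")
```

In production the call is `check_cert(fetch_peer_cert("www.example.com"), "www.example.com")`; an `ssl.SSLCertVerificationError` from `fetch_peer_cert` itself is the signal that the server is missing the intermediate chain (step 2 above), because the client could not build a path to a trusted root.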

## Frequently Asked Questions

**Q: How do I apply for an SSL/TLS certificate?**
A: Submit a certificate signing request through the Alibaba Cloud console using Quick Apply or Standard Apply wizards, or automate the process via the OpenAPI by providing a CSR with RSA ≥2048-bit or ECC keys and authenticating with a Bearer Token.

**Q: What's the best way to apply for SSL?**
A: Use the console’s guided interface for single, manual certificate requests, and switch to the API path when integrating issuance into CI/CD pipelines or automating renewal workflows.

**Q: How do I deploy SSL to servers or cloud resources?**
A: Download the certificate in PEM, PFX, or JKS format and bind it to your target environment using manual server configuration, the console’s one-click deployment for Alibaba Cloud resources, or automated API calls for ECS and SLB.

**Q: What's the best way to deploy SSL?**
A: Rely on the console’s one-click HTTPS deployment for cloud gateways and CDN services, and use direct file system configuration with mod_ssl or IIS Manager for self-managed Apache, Nginx, or Windows servers.

**Q: How do I manage a private CA and private certificates?**
A: Create a private CA instance within a VPC, then use the console for low-volume issuance or the OpenAPI for high-scale automation to issue, renew, deploy, and revoke internal certificates for mTLS and service mesh environments.

**Q: What's the best way to manage a private CA?**
A: Start with the graphical console if you are issuing fewer than 20 test certificates per year, and migrate to programmatic API management once your workflow requires cryptographic automation or exceeds 100 certificates monthly.

**Q: How do I troubleshoot SSL/TLS issues?**
A: Diagnose the specific failure by verifying the certificate trust chain, checking DNS TXT or CNAME records for domain validation, reviewing TLS version and cipher suite compatibility, and resolving any proxy HTTPS domain conflicts.

**Q: What's the best way to fix an SSL error?**
A: Isolate the error by confirming correct certificate binding on the server, validating OCSP/CRL responses, ensuring no duplicate domain bindings exist, and testing the handshake with updated cipher suite configurations.

## Key terms
DV is a domain-validated certificate type that verifies ownership of a domain through automated DNS or file checks.
OV is an organization-validated certificate type that requires business documentation and manual verification before issuance.
EV is an extended-validation certificate type that enforces the strictest identity verification standards for high-assurance websites.
CSR is a certificate signing request file containing public key and organizational information submitted to a certificate authority for signing.
VPC is a virtual private cloud network environment required for provisioning and managing private certificate authorities within Alibaba Cloud.
USBKey is a hardware security token used to store cryptographic keys and enforce compliance requirements for private certificate issuance.

## Sources
The authoritative source for this information is the official Alibaba Cloud Certificate Management Service (CAS) documentation.

Certificate Management Service (CAS) is available as agent-callable skills via DaaS. Route any question to the best skill with `POST https://company-skill.com/api/route` `{"query": "...", "product": "cas"}`.

## What you can do

### [Apply certificate](https://company-skill.com/p/cas/cas-apply-certificate.md)

## What You Want to Do

You want to obtain a trusted SSL/TLS certificate from Alibaba Cloud’s Certificate Management Service (CAS), either for securing a website, API, or application. This involves submitting a certificate signing request (CSR) or using a guided interface, followed by domain validation.

**Typical User Questions**:
- How do I request a new SSL certificate?
- Can I apply for a public certificate via API?

## Decision Tree

Pick the best path for your situation:

- **If** you need to integrate certificate issuance into CI/CD or automate renewal → Use APICSR (go to *cas/cas-certificate*)
- **If** you are applying for a single certificate and prefer a graphical interface with no code → Use SSL (go to *cas/cas-certificate*)
- **If** you already have a CSR file with RSA ≥2048-bit or ECC key → Use APICSR
- **Otherwise (default)** → SSL — it’s simpler for one-off requests and includes built-in guidance like **Quick Apply** and **Standard Apply**

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| APICSR | CI/CD | medium | Yes | Yes | Requires Bearer Token auth and RAM permission yundun-cert:CreateCertificateWithCsrRequest | `cas/api/cas-certificate` |
| SSL | | low | No | No | Offers **Quick Apply** and **Standard Apply** wizards in web UI | `cas/guide/cas-certificate` |

## Path Details

### Path 1: APICSR

**Best For**: CI/CD

**Brief Description**: Use Certificate Management Service OpenAPI to programmatically submit SSL/TLS certificate applications with a custom CSR. This method supports automation and integrates with scripts or deployment pipelines. Key operations require **CSR** files and authentication via **Bearer Token**.

**Key technical facts**:
- Billing: API100-1000/digicert-free-1-free3-12
- Auth method: Bearer Token (header: `Authorization: Bearer $DASHSCOPE_API_KEY`)
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing, ap-southeast-1, eu-central-1
- Prerequisites: RAM permission `yundun-cert:CreateCertificateWithCsrRequest`; `DASHSCOPE_API_KEY`; DV domain validation via DNS

**Known Limitations**:
- API calls are limited to 10 QPS
- CreateCertificateWithCsrRequest requires a CSR with an RSA key of at least 2048 bits or an ECC key
- digicert-free-1-free3
- DNS TXT record required for domain validation

### Path 2: SSL

**Brief Description**: Apply for SSL/TLS certificates through the Alibaba Cloud Console using interactive wizards such as **Quick Apply** (for fast DV certificate issuance) and **Standard Apply** (for OV/EV with business validation). The process includes form-based input, domain verification, and one-click deployment to Alibaba Cloud services.

**Key technical facts**:
- Billing: DV/OV/EV7
- Auth method: SSO
- Prerequisites: OV.gov

## FAQ

Q: Which path should I start with?
A: Start with SSL if you're applying for one certificate and aren’t automating. It offers **Quick Apply** for fast DV certs and **Standard Apply** for business validation, with no coding needed.

Q: What if I need to issue 50 certificates monthly but used the console?
A: You’ll face significant manual effort—each certificate requires individual form filling and domain verification. The console doesn’t support bulk or scheduled issuance, making it impractical for high-volume use.

Q: What if I don’t have a CSR but chose the API path?
A: The API (CreateCertificateWithCsrRequest) strictly requires a valid **CSR** with RSA ≥2048-bit or ECC key. Without one, the request fails—you must generate it beforehand.

Q: Can I use the API without setting up RAM permissions?
A: No. The API requires the RAM permission `yundun-cert:CreateCertificateWithCsrRequest`. Without it, even with a valid **Bearer Token**, the call will be denied.

Q: Does the console support free certificates?
A: Yes—it offers free personal test certificates (up to 20 per year), but these are limited to single domains and short validity, similar to the `digicert-free-1-free` type in the API.

Q: If I need to deploy certificates directly to SLB or ECS, which path is better?
A: The console provides one-click **Deploy** actions to Alibaba Cloud services like SLB and ECS after issuance. The API requires separate deployment steps via other service APIs.

### [Deploy certificate](https://company-skill.com/p/cas/cas-deploy-certificate.md)

## What You Want to Do

You have an SSL/TLS certificate issued or uploaded in Alibaba Cloud Certificate Management Service (CAS) and need to deploy it to a target environment—whether that’s a cloud resource like ECS/SLB, a traditional web server (Apache/Nginx/IIS), or a CDN/gateway service.

**Typical User Questions**:
- How to install SSL cert on Nginx?

## Decision Tree

Pick the best path for your situation:

- **If** you are deploying to **Alibaba Cloud resources (ECS, SLB)** and want **programmatic automation** using code → Use **API** (go to *cas/cas-certificate*)
- **If** you are configuring **Apache, Nginx, or IIS** with direct file system access and will handle **manual deployment** → Use **WebApache/IIS** (go to *cas/cas-certificate*)
- **If** your website uses **Alibaba Cloud CDN or gateway services** and you want **Enable One-Click HTTPS** without server changes → Use **HTTPSHTTPS** (go to *cas/cas-network*)
- **If** you are on **Windows 10 or Windows Server 2012** and need to first install **Internet Information Services (IIS) Manager** before certificate binding → Use **IIS** (go to *cas/cas-webserver*)
- **Otherwise (default)** → Start with **WebApache/IIS**, as it applies to most self-managed server environments and requires no additional cloud dependencies.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| API | ECSSLB | medium | Yes | Yes | Requires RAM user with AliyunYundunCertFullAccess policy and handles QPS limit of 10 per user | `cas/api/cas-certificate` |
| WebApache/IIS | SSL | medium | No | No | Supports PEM format, PFX format, and JKS format; requires mod_ssl module for Apache | `cas/guide/cas-certificate` |
| HTTPSHTTPS | HTTPS | low | No | No | Uses GRCQ quota pricing (e.g., Starter edition: $0.01/request); requires CNAME record for domain verification | `cas/guide/cas-network` |
| IIS | WindowsIIS | low | No | No | Installed via Turn Windows features on or off or Add Roles and Features on Windows 10 / Windows Server 2012 | `cas/guide/cas-webserver` |

## Path Details

### Path 1: API

**Best For**: ECSSLB

**Brief Description**: Alibaba Cloud Certificate Management ServiceRESTful APISSL/TLSECSSLB You interact via RESTful endpoints using a Bearer Token for authentication and manage certificate application order programmatically. Requires generating a CSR (Certificate Signing Request) and handling rate limits.

**Key technical facts**:
- Billing: per-request billing model for API calls, with additional charges for certificate purchases; free tier includes 100-1000 requests per month
- Auth method: Bearer Token authentication via Authorization header with DASHSCOPE_API_KEY
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing, ap-southeast-1, eu-central-1
- Prerequisites: RAM user or RAM role with required permissions (e.g., AliyunYundunCertFullAccess policy), API key stored in DASHSCOPE_API_KEY environment variable, Valid Alibaba Cloud account

**When to Use**:
- Need to automate certificate deployment across multiple cloud resources (ECS, SLB) programmatically
- Building CI/CD pipelines that require certificate management as part of infrastructure provisioning
- Managing large numbers of certificates (>50) where manual console operations would be inefficient
- Integrating certificate lifecycle management into custom applications or monitoring systems

**When NOT to Use**:
- User lacks programming skills or cannot implement API integration
- Only deploying a single certificate to a traditional web server (Apache/IIS)
- Need immediate one-click HTTPS setup without coding
- Working in environments where API keys and programmatic access are restricted

**Known Limitations**:
- Most APIs have strict rate limits of 10 QPS per user (some up to 100 QPS), requiring exponential backoff implementation
- Requires programming knowledge and SDK integration (Python dashscope>=1.14.0 or Java com.aliyun:cas20200407:1.0.13)
- Authentication requires proper RAM policy configuration with specific yundun-cert:* permissions
- Free certificates limited to specific types (digicert-free-1-free, symantec-free-1-free) with 3-12 month validity periods
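The 10 QPS limit and the "exponential backoff" requirement above are easiest to satisfy by pacing calls on the client side and retrying throttled calls with capped, jittered delays. The following is an added example, not Alibaba Cloud SDK code: `PacedClient` wraps an arbitrary `send` callable (an assumption standing in for the real SDK call), and `Throttled` is an assumed exception type standing in for the SDK's rate-limit error. The clock and sleep functions are injectable, so `simulate` drives the client against a constructed transport in virtual time and the figures it returns are deterministic.

```python
"""Client-side pacing for CAS OpenAPI calls: a 10 QPS ceiling plus exponential backoff.

Added example, not Alibaba Cloud SDK code. `send` stands in for the real SDK
call and `Throttled` for its rate-limit error (both assumptions); the clock and
sleep functions are injectable so the pacing can be simulated offline.
"""
import random
import time


class Throttled(Exception):
    """Raised by the transport when the service rejects a call for exceeding QPS."""


class PacedClient:
    def __init__(self, send, qps=10, max_retries=5, base_delay=0.5, max_delay=8.0,
                 clock=time.monotonic, sleep=time.sleep, rng=random.random):
        self.send = send
        self.interval = 1.0 / qps          # minimum spacing between requests
        self.max_retries = max_retries
        self.base_delay, self.max_delay = base_delay, max_delay
        self.clock, self.sleep, self.rng = clock, sleep, rng
        self._next_slot = 0.0
        self.stats = {"sent": 0, "retries": 0, "waited": 0.0}

    def _pace(self):
        """Block until the next QPS slot is free, so our own burst never trips the limit."""
        now = self.clock()
        if now < self._next_slot:
            self.sleep(self._next_slot - now)
            self.stats["waited"] += self._next_slot - now
            now = self._next_slot
        self._next_slot = now + self.interval

    def call(self, action, **params):
        """Invoke one API action; on Throttled, retry with capped full-jitter backoff."""
        for attempt in range(self.max_retries + 1):
            self._pace()
            self.stats["sent"] += 1
            try:
                return self.send(action, **params)
            except Throttled:
                if attempt == self.max_retries:
                    raise                  # give up after max_retries retries
                delay = min(self.max_delay, self.base_delay * 2 ** attempt) * self.rng()
                self.stats["retries"] += 1
                self.sleep(delay)


class FakeClock:
    """Virtual clock for offline simulation: sleeping advances time instantly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate(n_calls, throttled_first):
    """Drive PacedClient against a constructed transport that throttles the first N sends.

    Returns (stats, elapsed_virtual_seconds, responses). rng is pinned to 1.0
    so the backoff delays are deterministic.
    """
    clock, remaining = FakeClock(), [throttled_first]

    def fake_send(action, **params):
        if remaining[0] > 0:
            remaining[0] -= 1
            raise Throttled(f"{action} throttled")
        return {"RequestId": "constructed-request-id", "Action": action, "Params": params}

    client = PacedClient(fake_send, clock=clock, sleep=clock.sleep, rng=lambda: 1.0)
    responses = [client.call("CreateCertificateWithCsrRequest", Csr=f"<csr {i}>")
                 for i in range(n_calls)]
    stats = dict(client.stats, waited=round(client.stats["waited"], 3))
    return stats, round(clock.now, 3), responses


if __name__ == "__main__":
    print(simulate(11, 2))
```

With the defaults, eleven calls of which the first two attempts are throttled cost 13 sends and 2.5 virtual seconds: 0.5 s and 1.0 s of backoff, then 0.1 s of pacing between each of the remaining calls. Lower `qps` if the account shares its quota across several pipelines, since the limit in the text is per user, not per process.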

### Path 2: WebApache/IIS

**Best For**: SSL

**Brief Description**: Through the Certificate Management Service console, you use Download Certificate to retrieve files in PEM format, PFX format, or JKS format, then manually configure them into your web server’s SSL module (e.g., mod_ssl module for Apache). After configuration, you run Verify Installation to confirm the certificate chain is correctly presented.

**Key technical facts**:
- Billing: Free for basic certificate management operations; commercial certificates charged per issuance
- Auth method: Console SSO with Alibaba Cloud account credentials
- Prerequisites: Valid SSL certificate issued in Certificate Management Service, Access to target web server configuration files, Server with mod_ssl module enabled (for Apache), Administrative access to web server

**When to Use**:
- Deploying to traditional on-premises or self-managed web servers without cloud integration
- Working with legacy server environments that don't support automated deployment
- Need fine-grained control over SSL configuration parameters (cipher suites, protocols)
- Deploying to servers not integrated with Alibaba Cloud services

**When NOT to Use**:
- Managing certificates across multiple cloud resources (ECS, SLB, CDN)
- Need automated certificate renewal and deployment
- Lack direct access to web server configuration files
- Working in containerized or serverless environments

**Known Limitations**:
- Requires manual file handling and server configuration for each deployment
- No automation support - each certificate must be individually downloaded and configured
- Server-specific configuration knowledge required (different steps for Apache vs IIS vs Nginx)
- Certificate renewal requires repeating the entire manual process
- Limited to servers where you have direct file system access

### Path 3: HTTPSHTTPS

**Best For**: HTTPS

**Brief Description**: Using the Enable One-Click HTTPS feature or HTTPS Acceleration Gateway in the CAS console, you automatically serve HTTPS traffic through a proxy layer. This sets up HTTP to HTTPS redirection and handles Auto-renewal, but requires a valid CNAME record pointing to the gateway and consumes GRCQ quota. The origin server must respond on standard ports 80/443.

**Key technical facts**:
- Billing: Starter edition: 0.01 per request; Basic edition: 0.02 per request; Wildcard domain: 0.03 per request; GRCQ quota: 0.001 per request
- Auth method: Console SSO with Alibaba Cloud account credentials
- Prerequisites: SSL certificate already uploaded to Certificate Management Service, Web application deployed and accessible via HTTP, Domain name properly configured with DNS records

**When to Use**:
- Need quick HTTPS setup without any server-side configuration changes
- Website hosted on shared hosting or platforms where server configuration access is limited
- Want automatic HTTP to HTTPS redirection without modifying application code
- Managing websites where mixed content issues need to be resolved through proxy configuration

**When NOT to Use**:
- Require custom SSL/TLS configuration (specific cipher suites, protocol versions)
- Need client certificate authentication (mutual TLS)
- Working with non-standard ports or complex origin server setups
- Budget constraints that cannot accommodate GRCQ quota costs

**Known Limitations**:
- One-click HTTPS only works with certificates already uploaded to Certificate Management Service
- HTTPS acceleration gateway requires additional GRCQ (Gateway Resource Computing Quota) purchases
- Domain names must meet specific format requirements (1-67 characters, lowercase letters, digits, hyphens)
- Origin server cannot be the same as the acceleration domain name to avoid resolution loops
- Only standard ports 80 and 443 supported for origin servers

### Path 4: IIS

**Best For**: WindowsIIS

**Brief Description**: On Windows 10 Pro/Enterprise/Education or Windows Server 2012, you use Turn Windows features on or off or Server Manager’s Add Roles and Features wizard to install the Web Server (IIS) role and IIS Management Console. This provides the Internet Information Services (IIS) Manager GUI needed to bind certificates later—though it does not itself deploy SSL.

**Key technical facts**:
- Billing: Included with Windows operating systems at no additional cost
- Auth method: Windows administrator credentials
- Prerequisites: Operating system: Windows 10 Pro/Enterprise/Education or Windows Server 2012, Administrator privileges, Internet connection for downloading components

**When to Use**:
- Working with Windows Server environments for the first time
- Need graphical interface for IIS configuration instead of command-line tools
- Deploying ASP.NET applications that require IIS-specific features
- Windows 10 development environments needing local IIS testing capabilities

**When NOT to Use**:
- Managing Linux-based web servers (Apache, Nginx)
- Production environments requiring minimal attack surface (IIS adds unnecessary components)
- Containerized or cloud-native deployments where IIS is not the web server
- Environments with strict software installation policies

**Known Limitations**:
- Only available on Windows operating systems (not applicable to Linux servers)
- Windows Home editions do not support IIS installation
- Installing IIS Manager itself does not configure SSL - additional certificate binding steps required
- Requires .NET Framework features for full functionality with ASP.NET applications
- Security risks if unused role services are enabled without proper hardening

## FAQ

Q: Which path should I start with?
A: If you’re unsure, start with **WebApache/IIS**—it works for most on-premises or self-hosted scenarios and doesn’t require cloud-specific setup like RAM policies or GRCQ quotas.

Q: What if I’m deploying to 100+ ECS instances but chose manual deployment?
A: You’ll hit severe operational overhead: each certificate must be individually downloaded via Download Certificate and manually copied to every server, with no automation for renewal—making it error-prone and time-consuming.

Q: What if I need custom cipher suites but used Enable One-Click HTTPS?
A: You’ll lose control over TLS configuration entirely—the HTTPS Acceleration Gateway enforces its own security policy, and you cannot customize cipher suites, protocol versions, or enable mutual TLS.

Q: Can I use the API path without a RAM user?
A: No—you must configure a RAM user or RAM role with permissions like AliyunYundunCertFullAccess. Without it, Bearer Token authentication will fail even with a valid DASHSCOPE_API_KEY.

Q: Why does my IIS deployment fail even after installing Internet Information Services (IIS) Manager?
A: Installing the Web Server (IIS) role via Add Roles and Features only provides the management UI—it doesn’t bind the certificate. You still need to import the PFX format file and complete manual deployment steps in IIS Management Console.

Q: What happens if my origin server uses port 8080 but I enable HTTPS Acceleration Gateway?
A: The gateway will fail to connect—only standard ports 80 and 443 are supported for the origin server, as specified in the limitations.

Q: Do I need to generate a CSR when using manual deployment?
A: Only if you’re requesting a new certificate. For existing certificates in CAS, you just use Download Certificate to get PEM/PFX/JKS files—CSR is primarily relevant during the certificate application order phase in API or console issuance.

### [Manage certificates](https://company-skill.com/p/cas/cas-manage-certificates.md)

## What You Want to Do

You want to create and manage your own private Certificate Authority (CA), issue private certificates for internal services (e.g., mTLS, service mesh), and control their lifecycle—including deployment, revocation, and renewal—within your Alibaba Cloud environment.

**Typical User Questions**:
- Can I issue internal certificates with my own CA?
- How to set up a private PKI hierarchy?

## Decision Tree

Pick the best path for your situation:

- **If** you need to integrate certificate management into CI/CD pipelines or programmatically issue >100 certificates/month → Use APICA (go to *cas/cas-certificate*)
- **If** you are managing ≤20 test certificates per year and prefer a graphical interface → Use CA (go to *cas/cas-certificate*)
- **If** your workflow requires cryptographic operations like signing or encryption via code → Use APICA (go to *cas/cas-certificate*)
- **Otherwise (default)** → Start with **CA** if you're new to private PKI or only managing a few certificates; switch to the API path once automation or scale becomes necessary.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| APICA | PKI | high | Yes | Yes | 100–1000 | `cas/api/cas-certificate` |
| CA | | medium | No | No | 20 | `cas/guide/cas-certificate` |

## Path Details

### Path 1: APICA

**Best For**: PKI

**Brief Description**: Certificate Management Service OpenAPI provides RESTful interfaces to manage private CA certificates, client certificates, and certificate repositories. It supports creating CSRs, issuing certificates, and performing cryptographic operations like encryption and signing. Authentication uses **Bearer Token**, and SDKs are available for Python (`dashscope>=1.14.0`) and Java (`com.aliyun:cas20200407:1.0.13`).

**Key technical facts**:
- Billing: API100-1000/
- Auth method: Bearer Token (header: `Authorization: Bearer $DASHSCOPE_API_KEY`)
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing, ap-southeast-1, eu-central-1

### Path 2: CA

**Brief Description**: The Certificate Management Service console offers a web UI to manage private CA certificates. Key actions include **Apply for Certificate**, **Deploy Certificate**, **Manage Private Certificates**, **Issue Private Certificate**, and **Revoke Private Certificate**. It requires an active Alibaba Cloud account, a purchased private CA, and a configured **VPC**. Compliance-related certificates may require a **USBKey** hardware token.

**Key technical facts**:
- Billing: 
- Auth method: SSO
- Prerequisites: , CA, VPC

## FAQ

Q: Which path should I start with?
A: If you're experimenting or managing fewer than 20 certificates per year, start with the console (**CA**). If you're building production systems (e.g., service mesh with mTLS), start with the API.

Q: What if I need to issue 500 internal certificates monthly but used the console?
A: You’ll hit the free-tier limit (100 certificates/month for free users) and be unable to issue more without upgrading—but even then, the console doesn’t support bulk automation, making manual management impractical.

Q: What if I chose the API path but don’t have RAM permissions configured?
A: Your **Bearer Token**-authenticated requests will fail with access denied errors, as the API requires RAM users/roles with the `AliyunYundunCertFullAccess` policy.

Q: Can I use SM2 certificates with USBKey in the API path?
A: The fact cards don’t specify USBKey support for the API path. Since USBKey is only mentioned in the console limitations, assume hardware-bound SM2 certificates require the console. For pure software-based SM2, the API supports it.

Q: Does the console work outside a VPC?
A: No—**VPC** is listed as a prerequisite for the console path. Private CA certificates are intended for internal services, so they must be managed within a VPC.

Q: What happens if I try to automate certificate renewal using the console?
A: You’ll fail—**** is a stated limitation. Renewals must be done manually one-by-one in the UI.

Q: Are there regional restrictions for either path?
A: The API is available in `cn-hangzhou`, `cn-shanghai`, `cn-beijing`, `ap-southeast-1`, and `eu-central-1`. The console’s regions aren’t specified in the facts—assume it follows general CAS availability, but verify in the detail skill.

### [Troubleshoot issues](https://company-skill.com/p/cas/cas-troubleshoot-issues.md)

## What You Want to Do

You're encountering an SSL/TLS certificate error and need to identify whether the root cause lies in certificate lifecycle management, server/browser configuration, or service-layer conflicts. The solution depends entirely on where and how the error manifests.

**Typical User Questions**:
- Chrome NET::ERR_CERT_AUTHORITY_INVALID
- Why does Firefox say my site is not secure?
- How to fix Java 'unable to find valid certification path'?

- Apache after SSL install

## Decision Tree

Pick the best path for your situation:

- **If** your error message includes **"Activation failed"**, **"ConfigurationPushFailed"**, **"CA_Security_Audit_Failed"**, or involves **domain validation**, **DNS validation**, or **free certificate quota** limits → Use (go to *cas/cas-certificate*)
- **If** you see browser-specific errors like **"NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"**, **"ERR_SSL_VERSION_OR_CIPHER_MISMATCH"**, **"SEC_ERROR_UNKNOWN_ISSUER"**, or server errors such as **"AH00526 syntax error"**, **"ngx_http_ssl_module"** missing, or Java’s **"unable to find valid certification path"** → Use (go to *cas/cas-network*)
- **If** you receive **"This domain name is already in use"** when enabling **Website Proxy HTTPS**, and your domain uses **Web Application Firewall**, **Anti-DDoS Pro**, **Anti-DDoS Premium**, or **CDN** → Use HTTPS (go to *cas/cas-website*)
- **Otherwise (default)** → Start with ****, as most visible SSL issues manifest at the client or web server layer.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| Console / Dashboard | | medium | No | No | Free DV certificates do not support .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear domains | `cas/troubleshooting/cas-certificate` |
| SSLTLS | medium | No | No | Chrome 53 has a known bug triggering NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED falsely | `cas/troubleshooting/cas-network` |
| HTTPS | HTTPS | low | No | No | Domains already protected by WAF, Anti-DDoS, or CDN cannot enable Website Proxy HTTPS | `cas/troubleshooting/cas-website` |

## Path Details

### Path 1: Console / Dashboard
**Brief Description**: This path addresses issues during certificate issuance and management in Alibaba Cloud Certificate Management Service (CAS), including failures during purchase, domain validation, or renewal. It requires a RAM user with the **AliyunYundunCertFullAccess** policy and handles errors like **InvalidValidationMethod** or **CA_Security_Audit_Failed** due to sensitive domain keywords.

**Key technical facts**:
- Auth method: RAM user with AliyunYundunCertFullAccess policy

**When NOT to Use**:
- Chrome ERR_SSL_VERSION_OR_CIPHER_MISMATCH

### Path 2: Console / Dashboard
**Best For**: SSL/TLS

**Brief Description**: This path resolves SSL/TLS integration issues with web servers (Apache, Nginx, IIS) and client compatibility problems in browsers or Java applications. It covers missing modules like **ngx_http_ssl_module** in Nginx or **socache_shmcb_module** in Apache, and trust chain issues causing **"unable to find valid certification path"** in Java.

**Key technical facts**:
- Prerequisites: Windows with IIS; Linux with root or sudo access for Apache/Nginx

**When to Use**:
- Chrome: NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
- Nginx: unknown directive "ssl"

**Known Limitations**:
- Chrome 53 has a known bug that falsely triggers NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
- Apache SSL requires socache_shmcb_module to be loaded

### Path 3: HTTPS

**Best For**: HTTPS

**Brief Description**: This path handles conflicts when attempting to enable the **Website Proxy HTTPS** feature on domains already protected by Alibaba Cloud **Web Application Firewall**, **Anti-DDoS Pro**, **Anti-DDoS Premium**, or **CDN** services. The system blocks this to prevent **conflicting HTTPS termination** points.

**Key technical facts**:
- Prerequisites: domain already protected by WAF, Anti-DDoS, or CDN

**When to Use**:
- Enabling Website Proxy HTTPS fails with "This domain name is already in use"
- Domain is on WAF, Anti-DDoS, or CDN and you want to enable CAS Website Proxy HTTPS

**When NOT to Use**:
- Chrome ERR_SSL_VERSION_OR_CIPHER_MISMATCH

## FAQ

Q: Which path should I start with?
A: If you’re seeing a browser warning or server startup failure, begin with **Path 2 (SSL/TLS)**. If the error occurs during certificate purchase or renewal in the CAS console, use **Path 1 (Console / Dashboard)**. Only use **Path 3 (HTTPS)** if you explicitly tried enabling that feature and got “This domain name is already in use”.

Q: What if I have a domain like `mybank.live` but used the generic certificate path?
A: You’ll likely hit **CA_Security_Audit_Failed** because domains containing sensitive words like **bank** or **live** trigger manual review or rejection, even if other paths might seem applicable.

Q: If I’m using CDN and try to enable Website Proxy HTTPS, what happens?
A: The system blocks it with **"This domain name is already in use"** because **CDN** is a **security protection service** or **acceleration service** that already terminates HTTPS, creating **conflicting HTTPS termination**.

Q: What if I chose the network path but my real issue is free certificate quota exhaustion?
A: You’ll waste time debugging Nginx or browser settings while the actual problem is that you’ve exceeded the **free certificate quota** (20 certificates), which only **Path 1 (Console / Dashboard)** addresses.

Q: Can I use DNS validation for a wildcard certificate if I’m on the network troubleshooting path?
A: No — **DNS validation**, but this constraint is only documented under **Path 1 (Console / Dashboard)**. Using the wrong path may lead you to attempt an unsupported validation method.

Q: Why does Firefox show “not secure” when Chrome works fine?
A: Firefox enforces stricter **TLS 1.2 cipher suite** requirements and may reject weak chains that Chrome accepts. This is a classic case for **Path 2 (SSL/TLS)**.

Q: Does the website proxy path apply if I use Anti-DDoS Premium?
A: Yes — **Anti-DDoS Premium** (like **Anti-DDoS Pro** and **Web Application Firewall**) is considered a **security protection service**, so enabling **Website Proxy HTTPS** will fail with a domain conflict error.


## Frequently asked questions

### Should I use the API or the console?

Use the **console** for one-off tasks, visual workflows, or initial setup. Use the **API** for automation, integration into CI/CD, or managing large volumes of certificates.

### How do I get started with private CA?

Begin with the **"Manage private CA and private certificates"** intent skill. You’ll need to purchase a Private CA instance first via the console or API.

### Why is my certificate not trusted in browsers?

This is typically a chain or deployment issue. Check the **troubleshooting** skill for "certificate not trusted" or "incomplete chain" scenarios.
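The "incomplete chain" failure behind NET::ERR_CERT_AUTHORITY_INVALID and Java's "unable to find valid certification path" (Path 2 above), plus the expiry check an automated renewal monitor runs, reproduced offline with a throwaway test PKI. This is an added example, not code from this page or from Alibaba Cloud CAS; it assumes the `openssl` CLI (1.1.1 or later) and every name in it (Test Root, example.test) is constructed.

```sh
#!/bin/sh
# Added example: reproduce the "incomplete chain" trust failure and an expiry
# check with a throwaway test PKI. Not Alibaba Cloud CAS code; assumes the
# openssl CLI (1.1.1+). All names (Test Root, example.test) are constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root CA -> intermediate CA -> leaf, the shape a public CA issues.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# A client (browser, Java truststore) holds only the root. It can validate the
# leaf only if the server also sends the intermediate. Extra arguments go to
# openssl verify, e.g. "-untrusted bundle.pem" for the intermediates the server
# sends. Exit 0 = trust path built; non-zero = the "incomplete chain" failure.
check_trust_path() {
  leaf=$1; shift
  openssl verify -CAfile "$WORK/root.pem" "$@" "$leaf" >/dev/null 2>&1
}

# Exit 0 if the certificate stays valid for at least $2 more seconds; non-zero
# means renewal is due (the check an expiry monitor runs before renewing).
still_valid_for() {
  openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

make_test_pki
if check_trust_path "$WORK/leaf.pem" -untrusted "$WORK/int.pem"; then
  echo "leaf + intermediate: trust path OK"
fi
if ! check_trust_path "$WORK/leaf.pem"; then
  echo "leaf only: unable to get local issuer certificate (incomplete chain)"
fi
if still_valid_for "$WORK/leaf.pem" 86400; then
  echo "leaf valid for at least one more day"
fi
```

On a live server the same check is `openssl verify -CAfile <trusted-root> -untrusted <intermediates-sent-by-server> <leaf>`; a failing result with a browser-trusted root means the deployment omitted the intermediate, not that the certificate is bad.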

### Can I automate certificate renewal?

Yes—use the **API** to monitor expiration and trigger renewal, or enable auto-renewal in the **console** for eligible certificates.

### Where do I find my certificate after issuance?

In the **console**, go to Certificates > SSL Certificates. Via **API**, use `DescribeCertificates` or `QueryCertificate`.

### How do I apply for an SSL/TLS certificate?

You can request new public or private certificates through the console or the API. The console provides visual workflows for initial setup, while the API supports automation and large-scale management.

### How do I deploy an SSL certificate to servers or cloud resources?

You can install certificates on supported platforms like ECS, Apache, Nginx, IIS, RDS, and Tomcat using the provided deployment workflows. Follow the network security guide to configure HTTPS and TLS versions for your specific web server or cloud service.

### How do I manage a private CA and private certificates?

You can create and administer internal CAs and issue private certificates by using the dedicated management intent skill. You must first purchase a Private CA instance through the console or API before managing your certificates.

### How do I troubleshoot SSL/TLS certificate issues or errors?

You can resolve common problems like browser warnings, handshake failures, and validation errors by following the troubleshooting intent skill. This resource also covers diagnosing browser compatibility, server restart errors, and OCSP or CRL issues.

## Cross-product integrations

- [Auto-Scaling Production Stack with RAG Search](https://company-skill.com/p/_combos/auto-scaling-production-stack-with-rag-search-be1c2d.md) (alinux + ecs + terraform + oss + rds)
- [CI/CD-Automated Enterprise Stack with Search and Compliance](https://company-skill.com/p/_combos/ci-cd-automated-enterprise-stack-with-search-and-82a935.md) (ecs + terraform + oss + rds + alinux)
- [CI/CD-Automated RAG-Enabled Secure Production Stack](https://company-skill.com/p/_combos/ci-cd-automated-rag-enabled-secure-production-st-30e7b2.md) (ecs + terraform + oss + alinux + rds)
- [CI/CD-Automated Secure Web Stack Deployment](https://company-skill.com/p/_combos/ci-cd-automated-secure-web-stack-deployment-4c5f3c.md) (ecs + terraform + oss)
- [CI/CD Terraform Full-Stack with Security Hardening](https://company-skill.com/p/_combos/ci-cd-terraform-full-stack-with-security-hardeni-a12154.md) (ecs + terraform + alinux + oss + rds)
- [Cloud Migration with AI Search and Recommendations](https://company-skill.com/p/_combos/cloud-migration-with-ai-search-and-recommendatio-f00279.md) (bailian + es + rds + oceanbase + oss)
- [Complete Production Resilience Stack](https://company-skill.com/p/_combos/complete-production-resilience-stack-fc83d7.md) (alinux + ecs + oceanbase + rds + terraform)
- [Complete Production Stack: Deploy, Harden, Protect, Monitor](https://company-skill.com/p/_combos/complete-production-stack-deploy-harden-protect--268739.md) (alinux + ecs + terraform + oceanbase + rds)

## Use with an AI agent

```bash
curl -s https://company-skill.com/api/route \
  -H 'Content-Type: application/json' \
  -d '{"query": "...", "product": "cas"}'
```

MCP server: https://company-skill.com/api/mcp/cas.py

---
Machine-readable: https://company-skill.com/llms.txt · https://company-skill.com/sitemap.xml
