---
Title: Deploy certificate
URL Source: https://company-skill.com/p/cas/cas-deploy-certificate
Language: en
Description: You have an SSL/TLS certificate issued or uploaded in Alibaba Cloud Certificate Management Service (CAS) and need to deploy it to a target environment—whether that’s a cloud resource like ECS/SLB, a…
---

# Deploy certificate

Part of **Certificate Management Service (CAS)**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You have an SSL/TLS certificate issued or uploaded in Alibaba Cloud Certificate Management Service (CAS) and need to deploy it to a target environment—whether that’s a cloud resource like ECS/SLB, a traditional web server (Apache/Nginx/IIS), or a CDN/gateway service.

- How to install SSL cert on Nginx?

## Decision Tree

Pick the best path for your situation:

- **If** you are deploying to **Alibaba Cloud resources (ECS, SLB)** and want **programmatic automation** using code → Use **API** (go to *cas/cas-certificate*)
- **If** you are configuring **Apache, Nginx, or IIS** with direct file system access and will handle **manual deployment** → Use **WebApache/IIS** (go to *cas/cas-certificate*)
- **If** your website uses **Alibaba Cloud CDN or gateway services** and you want **Enable One-Click HTTPS** without server changes → Use **HTTPSHTTPS** (go to *cas/cas-network*)
- **If** you are on **Windows 10 or Windows Server 2012** and need to first install **Internet Information Services (IIS) Manager** before certificate binding → Use **IIS** (go to *cas/cas-webserver*)
- **Otherwise (default)** → Start with **WebApache/IIS**, as it applies to most self-managed server environments and requires no additional cloud dependencies.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| API | ECS and SLB | medium | Yes | Yes | Requires RAM user with AliyunYundunCertFullAccess policy and handles QPS limit of 10 per user | `cas/api/cas-certificate` |
| WebApache/IIS | SSL | medium | No | No | Supports PEM format, PFX format, and JKS format; requires mod_ssl module for Apache | `cas/guide/cas-certificate` |
| HTTPSHTTPS | HTTPS | low | No | No | Uses GRCQ quota pricing (e.g., Starter edition: $0.01/request); requires CNAME record for domain verification | `cas/guide/cas-network` |
| IIS | Windows IIS | low | No | No | Installed via Turn Windows features on or off or Add Roles and Features on Windows 10 / Windows Server 2012 | `cas/guide/cas-webserver` |

## Path Details

### Path 1: API

**Best For**: ECS and SLB

**Brief Description**: Uses the Alibaba Cloud Certificate Management Service RESTful API to deploy SSL/TLS certificates to ECS and SLB. You interact via RESTful endpoints using a Bearer Token for authentication and manage the certificate application order programmatically. Requires generating a CSR (Certificate Signing Request) and handling rate limits.

**Key technical facts**:
- Billing: per-request billing model for API calls, with additional charges for certificate purchases; free tier includes 100-1000 requests per month
- Auth method: Bearer Token authentication via Authorization header with DASHSCOPE_API_KEY
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing, ap-southeast-1, eu-central-1
- Prerequisites: RAM user or RAM role with required permissions (e.g., AliyunYundunCertFullAccess policy), API key stored in DASHSCOPE_API_KEY environment variable, Valid Alibaba Cloud account

**When to Use**:
- Need to automate certificate deployment across multiple cloud resources (ECS, SLB) programmatically
- Building CI/CD pipelines that require certificate management as part of infrastructure provisioning
- Managing large numbers of certificates (>50) where manual console operations would be inefficient
- Integrating certificate lifecycle management into custom applications or monitoring systems

**When NOT to Use**:
- User lacks programming skills or cannot implement API integration
- Only deploying a single certificate to a traditional web server (Apache/IIS)
- Need immediate one-click HTTPS setup without coding
- Working in environments where API keys and programmatic access are restricted

**Known Limitations**:
- Most APIs have strict rate limits of 10 QPS per user (some up to 100 QPS), requiring exponential backoff implementation
- Requires programming knowledge and SDK integration (Python dashscope>=1.14.0 or Java com.aliyun:cas20200407:1.0.13)
- Authentication requires proper RAM policy configuration with specific yundun-cert:* permissions
- Free certificates limited to specific types (digicert-free-1-free, symantec-free-1-free) with 3-12 month validity periods

### Path 2: WebApache/IIS

**Best For**: SSL

**Brief Description**: Through the Certificate Management Service console, you use Download Certificate to retrieve files in PEM format, PFX format, or JKS format, then manually configure them into your web server’s SSL module (e.g., mod_ssl module for Apache). After configuration, you run Verify Installation to confirm the certificate chain is correctly presented.

**Key technical facts**:
- Billing: Free for basic certificate management operations; commercial certificates charged per issuance
- Auth method: Console SSO with Alibaba Cloud account credentials
- Prerequisites: Valid SSL certificate issued in Certificate Management Service, Access to target web server configuration files, Server with mod_ssl module enabled (for Apache), Administrative access to web server

**When to Use**:
- Deploying to traditional on-premises or self-managed web servers without cloud integration
- Working with legacy server environments that don't support automated deployment
- Need fine-grained control over SSL configuration parameters (cipher suites, protocols)
- Deploying to servers not integrated with Alibaba Cloud services

**When NOT to Use**:
- Managing certificates across multiple cloud resources (ECS, SLB, CDN)
- Need automated certificate renewal and deployment
- Lack direct access to web server configuration files
- Working in containerized or serverless environments

**Known Limitations**:
- Requires manual file handling and server configuration for each deployment
- No automation support - each certificate must be individually downloaded and configured
- Server-specific configuration knowledge required (different steps for Apache vs IIS vs Nginx)
- Certificate renewal requires repeating the entire manual process
- Limited to servers where you have direct file system access
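
Because every step on this path is manual, a mismatched key, a near-expiry certificate, or a world-readable key file is easy to ship; the checks below catch those before the server is reloaded. This is an added example, not CAS tooling or code from the original page: the function names and file paths are hypothetical, it assumes an unencrypted PEM key, and the sample certificates are throwaway self-signed pairs generated locally.

```shell
#!/usr/bin/env bash
# Added example: pre-deployment checks for a PEM certificate and private key
# before a web server config points at them. All names here are hypothetical.

# Succeeds only when the certificate's public key equals the key file's public key.
cert_matches_key() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Number of certificates in the PEM bundle (1 = leaf only, no intermediates).
chain_length() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeeds when the key file is not readable by group or others.
key_is_private() {
  [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Run all checks; prints one line per finding and returns the number of failures.
predeploy_check() {
  local cert="$1" key="$2" min_days="${3:-14}" fails=0
  cert_matches_key "$cert" "$key" || { echo "FAIL: key does not match certificate"; fails=$((fails+1)); }
  openssl x509 -in "$cert" -noout -checkend $((min_days*86400)) >/dev/null 2>&1 \
    || { echo "FAIL: certificate expires within $min_days days"; fails=$((fails+1)); }
  key_is_private "$key" || { echo "FAIL: key readable by group/others"; fails=$((fails+1)); }
  [ "$(chain_length "$cert")" -ge 2 ] || echo "WARN: no intermediate certificates in bundle"
  return "$fails"
}

# Constructed sample input: two throwaway self-signed pairs in a temp directory.
make_sample() {
  local d n; d=$(mktemp -d)
  for n in a b; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
      -keyout "$d/$n.key" -out "$d/$n.pem" >/dev/null 2>&1
    chmod 600 "$d/$n.key"
  done
  echo "$d"
}

# Script usage: ./predeploy.sh <cert.pem> <key.pem> [min_days]
if [ "$#" -ge 2 ]; then predeploy_check "$@"; fi
```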

### Path 3: HTTPSHTTPS

**Best For**: HTTPS

**Brief Description**: Using the Enable One-Click HTTPS feature or HTTPS Acceleration Gateway in the CAS console, you automatically serve HTTPS traffic through a proxy layer. This sets up HTTP to HTTPS redirection and handles Auto-renewal, but requires a valid CNAME record pointing to the gateway and consumes GRCQ quota. The origin server must respond on standard ports 80/443.

**Key technical facts**:
- Billing: Starter edition: 0.01 per request; Basic edition: 0.02 per request; Wildcard domain: 0.03 per request; GRCQ quota: 0.001 per request
- Auth method: Console SSO with Alibaba Cloud account credentials
- Prerequisites: SSL certificate already uploaded to Certificate Management Service, Web application deployed and accessible via HTTP, Domain name properly configured with DNS records

**When to Use**:
- Need quick HTTPS setup without any server-side configuration changes
- Website hosted on shared hosting or platforms where server configuration access is limited
- Want automatic HTTP to HTTPS redirection without modifying application code
- Managing websites where mixed content issues need to be resolved through proxy configuration

**When NOT to Use**:
- Require custom SSL/TLS configuration (specific cipher suites, protocol versions)
- Need client certificate authentication (mutual TLS)
- Working with non-standard ports or complex origin server setups
- Budget constraints that cannot accommodate GRCQ quota costs

**Known Limitations**:
- One-click HTTPS only works with certificates already uploaded to Certificate Management Service
- HTTPS acceleration gateway requires additional GRCQ (Gateway Resource Computing Quota) purchases
- Domain names must meet specific format requirements (1-67 characters, lowercase letters, digits, hyphens)
- Origin server cannot be the same as the acceleration domain name to avoid resolution loops
- Only standard ports 80 and 443 supported for origin servers

### Path 4: IIS

**Best For**: Windows IIS

**Brief Description**: On Windows 10 Pro/Enterprise/Education or Windows Server 2012, you use Turn Windows features on or off or Server Manager’s Add Roles and Features wizard to install the Web Server (IIS) role and IIS Management Console. This provides the Internet Information Services (IIS) Manager GUI needed to bind certificates later—though it does not itself deploy SSL.

**Key technical facts**:
- Billing: Included with Windows operating systems at no additional cost
- Auth method: Windows administrator credentials
- Prerequisites: Operating system: Windows 10 Pro/Enterprise/Education or Windows Server 2012, Administrator privileges, Internet connection for downloading components

**When to Use**:
- Working with Windows Server environments for the first time
- Need graphical interface for IIS configuration instead of command-line tools
- Deploying ASP.NET applications that require IIS-specific features
- Windows 10 development environments needing local IIS testing capabilities

**When NOT to Use**:
- Managing Linux-based web servers (Apache, Nginx)
- Production environments requiring minimal attack surface (IIS adds unnecessary components)
- Containerized or cloud-native deployments where IIS is not the web server
- Environments with strict software installation policies

**Known Limitations**:
- Only available on Windows operating systems (not applicable to Linux servers)
- Windows Home editions do not support IIS installation
- Installing IIS Manager itself does not configure SSL - additional certificate binding steps required
- Requires .NET Framework features for full functionality with ASP.NET applications
- Security risks if unused role services are enabled without proper hardening

## FAQ

Q: Which path should I start with?
A: If you’re unsure, start with **WebApache/IIS**—it works for most on-premises or self-hosted scenarios and doesn’t require cloud-specific setup like RAM policies or GRCQ quotas.

Q: What if I’m deploying to 100+ ECS instances but chose manual deployment?
A: You’ll hit severe operational overhead: each certificate must be individually downloaded via Download Certificate and manually copied to every server, with no automation for renewal—making it error-prone and time-consuming.

Q: What if I need custom cipher suites but used Enable One-Click HTTPS?
A: You’ll lose control over TLS configuration entirely—the HTTPS Acceleration Gateway enforces its own security policy, and you cannot customize cipher suites, protocol versions, or enable mutual TLS.

Q: Can I use the API path without a RAM user?
A: No—you must configure a RAM user or RAM role with permissions like AliyunYundunCertFullAccess. Without it, Bearer Token authentication will fail even with a valid DASHSCOPE_API_KEY.

Q: Why does my IIS deployment fail even after installing Internet Information Services (IIS) Manager?
A: Installing the Web Server (IIS) role via Add Roles and Features only provides the management UI—it doesn’t bind the certificate. You still need to import the PFX format file and complete manual deployment steps in IIS Management Console.

Q: What happens if my origin server uses port 8080 but I enable HTTPS Acceleration Gateway?
A: The gateway will fail to connect—only standard ports 80 and 443 are supported for the origin server, as specified in the limitations.

Q: Do I need to generate a CSR when using manual deployment?
A: Only if you’re requesting a new certificate. For existing certificates in CAS, you just use Download Certificate to get PEM/PFX/JKS files—CSR is primarily relevant during the certificate application order phase in API or console issuance.

## Related queries

deploy ssl certificate, install ssl cert, deploy certificate, ssl deployment, how to deploy ssl, where to install certificate, can I auto deploy certs, verify ssl installation, iis certificate install failed, one click https setup, deploy private certificate, manage certificate deployment, configure

