- Release Notes
- Announcements
- Price Change to DigiCert SSL Certificates
- TrustAsia Root Certificate Update
- Domain Validation Policy Update
- SSL Certificate Service Console
- Multi-Year SSL Certificate and Automatic Review
- Notice on Stopping the Issuance of 2-Year SSL Certificates by CAs Starting from September 1, 2020
- Announcement on Stop Using the Symantec SSL Certificate Name After 30 April 2020
- Notice on Certificate Revocation Due to Private Key Compromises
- Notice on Application Limits for DV SSL Certificates
- Notice on Adjustment of Free SSL Certificates Policy
- Let's Encrypt Root Certificate Expired on September 30, 2021
- Product Introduction
- Purchase Guide
- Getting Started
- Certificate Application
- Domain Ownership Validation
- Operation Guide
- Certificate Installation
- Installing an SSL Certificate on a Tencent Cloud Service
- Installation of International Standard Certificates
- Installing an SSL Certificate on an Nginx Server
- Installing an SSL Certificate on an Apache Server (Linux)
- Installing an SSL Certificate on an Apache Server (Windows)
- Installing an SSL Certificate (JKS Format) on a Tomcat Server (Linux)
- Installing an SSL Certificate (JKS Format) on a Tomcat Server
- Installing an SSL Certificate (PFX Format) on a Tomcat Server
- Installing an SSL Certificate on a GlassFish Server
- Installing an SSL Certificate on a JBoss Server
- Installing an SSL Certificate on a Jetty Server
- Installing an SSL Certificate on an IIS Server
- Installing a Certificate on WebLogic Servers
- Selecting an Installation Type for an SSL Certificate
- Certificate Management
- Instructions on SSL Certificate Auto-Renewal
- Certificate Hosting
- Uploading (Hosting) an SSL Certificate
- Reminding Reviewers to Review an SSL Certificate Application
- Revoking an SSL Certificate
- Deleting an SSL Certificate
- Reissuing an SSL Certificate
- Ignoring SSL Certificate Notifications
- Customizing SSL Certificate Expiration Notifications
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Certificate APIs
- CancelAuditCertificate
- ApplyCertificate
- CreateCertificate
- DescribeHostUpdateRecord
- DescribeHostUpdateRecordDetail
- ModifyCertificateResubmit
- UpdateCertificateInstance
- UpdateCertificateRecordRetry
- UpdateCertificateRecordRollback
- CreateCertificateBindResourceSyncTask
- DescribeCertificateBindResourceTaskDetail
- DescribeCertificateBindResourceTaskResult
- UploadConfirmLetter
- DescribeHostTeoInstanceList
- UploadCertificate
- SubmitCertificateInformation
- ReplaceCertificate
- ModifyCertificateProject
- ModifyCertificateAlias
- DownloadCertificate
- DescribeCertificates
- DescribeCertificateOperateLogs
- DescribeCertificateDetail
- DescribeCertificate
- DeleteCertificate
- CommitCertificateInformation
- CancelCertificateOrder
- CSR APIs
- Data Types
- Error Codes
- Practical Tutorial
- Automatic Solution for Implementing and Issuing Multi-Year Certificates and Binding Resources
- Apple ATS Server Configuration
- Quickly Applying for a Free SSL Certificate via DNSPod
- Enabling Tencent Cloud DDNS and Installing Free Certificates for Synology NAS
- Batch Applying for and Downloading Free Certificates Using Python-based API Calls
- Profile Management
- Troubleshooting
- Domain Validation Failed
- Domain Security Review Failed
- Website Inaccessible After an SSL Certificate is Deployed
- 404 Error After the SSL Certificate is Deployed on IIS
- “Your Connection is Not Secure” is Displayed After the SSL Certificate is Installed
- Message Indicating Parsing Failure Is Displayed When a Certificate Is Uploaded
- Automatic DNS Validation Failed for a Domain Hosted with www.west.cn
- Host Name Field Cannot Be Edited in IIS Manager When Type Is Set to https
- Message Indicating Intermediate Certificates Missing in Chain Is Displayed When a Free SSL Certificate Is Deployed on IIS
- FAQs
- SSL Certificate Selection
- SSL Certificate Application
- Quota of Free SSL Certificates
- How to Fill In the Domains Bound to an SSL Certificate During the Application?
- Wildcard SSL Certificates
- Why Does the Order Status Not Changed After a Notification Email Is Received from a CA?
- Can the TXT Records for Domain Name Resolution Configured in the Certificate Be Deleted?
- What Is CSR?
- How Do I Make a CSR File?
- What Is Private Key Password?
- Forgot Your Private Key Password?
- Can an SSL Certificate Be Revoked?
- What are the differences between RSA and ECC?
- What Should I Do If the Console Prompts That "The Certificate Is Bound to Tencent Cloud Resources and Cannot Be Revoked" When I Submit an SSL Certificate Revocation Application?
- What’s the Difference Between Certificate Reissue and Reapplication?
- Which SSL Certificate Types Are Supported for Mini Programs?
- SSL Certificate Management
- SSL Certificate Installation
- What Should I Do If the Host Name Field Is Uneditable in the IIS Manager?
- How Do I Enable Port 443 for a Server?
- Why Does the Website Prompt “Connection Is Untrusted"?
- How Do I Install OpenSSL?
- How Can I Set TLS Versions for SSL Certificates?
- How Can I Combine an SSL Certificate Chain?
- Can Tencent Cloud SSL Certificates Be Used for WebSocket?
- How Do I Enable the IIS Service?
- What Should I Do If I Am Prompted That HTTPS Is Not Secure After Reapplying for Deployment upon Expiration of the SSL Certificate?
- SSL Certificate Region
- SSL Certificate Review
- SSL Certificate Taking Effect
- Is the Original SSL Certificate Still Valid After the Server IP Address Is Changed?
- How Do I Check in a Browser Whether an SSL Certificate Has Taken Effect?
- What Should I Do If GlobalSign Certificates Are Not Supported in Windows 7?
- What Should I Do If the Issue of a Free SSL Certificate Takes Too Long or Failed?
- SSL Certificate Billing and Purchase
- SSL Certificate Validity Period
- Related Agreement
- Contact Us
- Glossary
- Release Notes
- Announcements
- Price Change to DigiCert SSL Certificates
- TrustAsia Root Certificate Update
- Domain Validation Policy Update
- SSL Certificate Service Console
- Multi-Year SSL Certificate and Automatic Review
- Notice on Stopping the Issuance of 2-Year SSL Certificates by CAs Starting from September 1, 2020
- Announcement on Stop Using the Symantec SSL Certificate Name After 30 April 2020
- Notice on Certificate Revocation Due to Private Key Compromises
- Notice on Application Limits for DV SSL Certificates
- Notice on Adjustment of Free SSL Certificates Policy
- Let's Encrypt Root Certificate Expired on September 30, 2021
- Product Introduction
- Purchase Guide
- Getting Started
- Certificate Application
- Domain Ownership Validation
- Operation Guide
- Certificate Installation
- Installing an SSL Certificate on a Tencent Cloud Service
- Installation of International Standard Certificates
- Installing an SSL Certificate on an Nginx Server
- Installing an SSL Certificate on an Apache Server (Linux)
- Installing an SSL Certificate on an Apache Server (Windows)
- Installing an SSL Certificate (JKS Format) on a Tomcat Server (Linux)
- Installing an SSL Certificate (JKS Format) on a Tomcat Server
- Installing an SSL Certificate (PFX Format) on a Tomcat Server
- Installing an SSL Certificate on a GlassFish Server
- Installing an SSL Certificate on a JBoss Server
- Installing an SSL Certificate on a Jetty Server
- Installing an SSL Certificate on an IIS Server
- Installing a Certificate on WebLogic Servers
- Selecting an Installation Type for an SSL Certificate
- Certificate Management
- Instructions on SSL Certificate Auto-Renewal
- Certificate Hosting
- Uploading (Hosting) an SSL Certificate
- Reminding Reviewers to Review an SSL Certificate Application
- Revoking an SSL Certificate
- Deleting an SSL Certificate
- Reissuing an SSL Certificate
- Ignoring SSL Certificate Notifications
- Customizing SSL Certificate Expiration Notifications
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Certificate APIs
- CancelAuditCertificate
- ApplyCertificate
- CreateCertificate
- DescribeHostUpdateRecord
- DescribeHostUpdateRecordDetail
- ModifyCertificateResubmit
- UpdateCertificateInstance
- UpdateCertificateRecordRetry
- UpdateCertificateRecordRollback
- CreateCertificateBindResourceSyncTask
- DescribeCertificateBindResourceTaskDetail
- DescribeCertificateBindResourceTaskResult
- UploadConfirmLetter
- DescribeHostTeoInstanceList
- UploadCertificate
- SubmitCertificateInformation
- ReplaceCertificate
- ModifyCertificateProject
- ModifyCertificateAlias
- DownloadCertificate
- DescribeCertificates
- DescribeCertificateOperateLogs
- DescribeCertificateDetail
- DescribeCertificate
- DeleteCertificate
- CommitCertificateInformation
- CancelCertificateOrder
- CSR APIs
- Data Types
- Error Codes
- Practical Tutorial
- Automatic Solution for Implementing and Issuing Multi-Year Certificates and Binding Resources
- Apple ATS Server Configuration
- Quickly Applying for a Free SSL Certificate via DNSPod
- Enabling Tencent Cloud DDNS and Installing Free Certificates for Synology NAS
- Batch Applying for and Downloading Free Certificates Using Python-based API Calls
- Profile Management
- Troubleshooting
- Domain Validation Failed
- Domain Security Review Failed
- Website Inaccessible After an SSL Certificate is Deployed
- 404 Error After the SSL Certificate is Deployed on IIS
- “Your Connection is Not Secure” is Displayed After the SSL Certificate is Installed
- Message Indicating Parsing Failure Is Displayed When a Certificate Is Uploaded
- Automatic DNS Validation Failed for a Domain Hosted with www.west.cn
- Host Name Field Cannot Be Edited in IIS Manager When Type Is Set to https
- Message Indicating Intermediate Certificates Missing in Chain Is Displayed When a Free SSL Certificate Is Deployed on IIS
- FAQs
- SSL Certificate Selection
- SSL Certificate Application
- Quota of Free SSL Certificates
- How to Fill In the Domains Bound to an SSL Certificate During the Application?
- Wildcard SSL Certificates
- Why Does the Order Status Not Changed After a Notification Email Is Received from a CA?
- Can the TXT Records for Domain Name Resolution Configured in the Certificate Be Deleted?
- What Is CSR?
- How Do I Make a CSR File?
- What Is Private Key Password?
- Forgot Your Private Key Password?
- Can an SSL Certificate Be Revoked?
- What are the differences between RSA and ECC?
- What Should I Do If the Console Prompts That "The Certificate Is Bound to Tencent Cloud Resources and Cannot Be Revoked" When I Submit an SSL Certificate Revocation Application?
- What’s the Difference Between Certificate Reissue and Reapplication?
- Which SSL Certificate Types Are Supported for Mini Programs?
- SSL Certificate Management
- SSL Certificate Installation
- What Should I Do If the Host Name Field Is Uneditable in the IIS Manager?
- How Do I Enable Port 443 for a Server?
- Why Does the Website Prompt “Connection Is Untrusted"?
- How Do I Install OpenSSL?
- How Can I Set TLS Versions for SSL Certificates?
- How Can I Combine an SSL Certificate Chain?
- Can Tencent Cloud SSL Certificates Be Used for WebSocket?
- How Do I Enable the IIS Service?
- What Should I Do If I Am Prompted That HTTPS Is Not Secure After Reapplying for Deployment upon Expiration of the SSL Certificate?
- SSL Certificate Region
- SSL Certificate Review
- SSL Certificate Taking Effect
- Is the Original SSL Certificate Still Valid After the Server IP Address Is Changed?
- How Do I Check in a Browser Whether an SSL Certificate Has Taken Effect?
- What Should I Do If GlobalSign Certificates Are Not Supported in Windows 7?
- What Should I Do If the Issue of a Free SSL Certificate Takes Too Long or Failed?
- SSL Certificate Billing and Purchase
- SSL Certificate Validity Period
- Related Agreement
- Contact Us
- Glossary
Note:
You need to configure cipher suites compliant with PFS specifications. The recommended configuration is:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4You need to enable the TLS1.2 protocol on the server. The recommended configuration is:
TLSv1 TLSv1.1 TLSv1.2Nginx certificate configuration
Update the
conf/nginx.conf file in the Nginx root directory as follows:server {ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;}
Apache certificate configuration
Update the
conf/httpd.conf file in the Apache root directory as follows:<IfModule mod_ssl.c><VirtualHost *:443>SSLProtocol TLSv1 TLSv1.1 TLSv1.2SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4</VirtualHost></IfModule>
Tomcat certificate configuration
Update the
%TOMCAT_HOME%\\conf\\server.xml file as follows:<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"scheme="https" secure="true"SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4" />
IIS certificate configuration
Method 1
Windows Server 2008 and earlier versions do not support the TLS1.2 protocol. Therefore, SSL tools are disabled on those versions. To address this issue, enable the TLS1.2 protocol to meet the ATS requirements.
Taking Windows Server 2008 R2 as an example, there is no adjustment to protocols and cipher suites after the certificate is imported.
The cipher suites will support ATS requirements after the certificate is imported but the TLS1.2 protocol required for ATS is not enabled. You can use ssltools (click to download) to enable the TLS1.2 protocol, as shown below:
Select the 3 TLS protocols, and restart the system.
If PFS is not supported, select ECDHE and DHE in Cipher Suites.
Method 2
1. Choose Start -> Run. Enter
regedit.2. Find
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols, right-click it, and then choose New -> Item -> Create TLS 1.1, TLS 1.2.3. Right-click TLS 1.1 and TLS 1.2, and choose New -> Item -> Create Server, Client.
4. Create the following items (4 in total, DWORD 32-bit value) in the new servers and clients.
DisabledByDefault [Value = 0]
Enabled [Value = 1]
5. Restart the system.
6. Adjust the cipher suites: choose Start -> Run, and enter
gpedit.msc for the cipher suite adjustments after enabling the TLS1.2 protocol.Note:
Adjustments can be made through the Group Policy Editor if PFS is not supported by the cipher suites.
7. Double-click SSL Cipher Suite Order and enter information, as shown in the following figure:
Select
Enabled.Add the supported ECDHE cipher suites to the SSL cipher suites, separated by commas (,).
Enter the cipher suite information as follows:
a. Open a blank WordPad document.
b. Copy the list of available suites on the right in the figure below and paste it into the document.
c. Sort the suites in the correct order and delete any suites you do not want to use.
d. Type a comma at the end of each suite name (except for the last one). Make sure no space is entered.
e. Remove all the line breaks so that the cipher suite names are in a single, long line.
f. Copy the cipher suite line to the clipboard and paste it into the edit box. You can enter up to 1,023 characters.
8. After the cipher suite information is entered, the content in the window is updated, as shown in the following figure:
Yes
No
Was this page helpful?