Updated on 2025-09-26 GMT+08:00

Certificate Hosting

Scenarios

If you want to access a bucket using a user-defined domain name over HTTPS, you need to configure an HTTPS certificate for the domain name. In HTTPS, digital certificates are essential for securing communication, preserving data integrity, and verifying identity.

  • Identity authentication uses a certificate to verify that a server is who it claims to be. This in turn helps defend against man-in-the-middle (MITM) attacks and protects users from connecting to a forged phishing website. In certain scenarios (for example, internal enterprise systems), HTTPS mutual authentication can be implemented using digital certificates. In this setup, the client is also required to present a certificate for the server to verify its identity, thereby further enhancing security.
  • Data encryption protects the confidentiality of communications by setting up an encrypted channel between the client and the server. This ensures that the transmitted data (such as passwords, credit card information, and chat content) remains secure. Even if the data is intercepted, it cannot be read.
  • Data integrity protects data from being tampered with. During HTTPS transmission, a hash function (for example, SHA-256) is used to create a message digest and this digest is then encrypted using a session key. This ensures that data is not tampered with or replaced during transmission.

Functions

OBS supports international certificates. You can configure an HTTPS certificate when you configure a user-defined domain name. For details, see Configuring a User-Defined Domain Name. You can also configure an HTTPS certificate after you configure a user-defined domain name. For details, see Configuring an HTTPS Certificate for a User-Defined Domain Name.

Constraints

  • HTTPS certificate hosting is only available for user-defined domain names.
  • The availability of certificate hosting in regions is subject to User-Defined Domain Name Binding in Function Overview.
  • Only common certificates are supported. Chinese cryptographic certificates are not supported.
  • When HTTPS certificates are required, a maximum of 100 user-defined domain names can be configured for each bucket.

Certificate Format

A certificate consists of two parts: the certificate file and the private key.

The certificate file must meet the following requirements:

The certificate file must contain information such as the public key and signature. The file name must end with .pem or .crt.

  • The certificate file is prefixed with -----BEGIN CERTIFICATE----- and postfixed with -----END CERTIFICATE-----.
  • The certificate file cannot contain blank lines. Each line must contain exactly 64 characters, except for the last line, which can contain fewer.

Example:

-----BEGIN CERTIFICATE-----
MIIDIjCCAougAwIBAgIJALV96mEtVF4EMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
BAYTAnh4MQswCQYDVQQIEwJ4eDELMAkGA1UEBxMCeHgxCzAJBgNVBAoTAnh4MQsw
CQYDVQQLEwJ4eDELMAkGA1UEAxMCeHgxGjAYBgkqhkiG9w0BCQEWC3h4eEAxNjMu
Y29tMB4XDTE3MTExMzAyMjYxM1oXDTIwMTExMjAyMjYxM1owajELMAkGA1UEBhMC
eHgxCzAJBgNVBAgTAnh4MQswCQYDVQQHEwJ4eDELMAkGA1UEChMCeHgxCzAJBgNV
BAsTAnh4MQswCQYDVQQDEwJ4eDEaMBgGCSqGSIb3DQEJARYLeHh4QDE2My5jb20w
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMU832iM+d3FILgTWmpZBUoYcIWV
cAAYE7FsZ9LNerOyjJpyi256oypdBvGs9JAUBN5WaFk81UQx29wAyNixX+bKa0DB
WpUDqr84V1f9vdQc75v9WoujcnlKszzpV6qePPC7igJJpu4QOI362BrWzJCYQbg4
Uzo1KYBhLFxl0TovAgMBAAGjgc8wgcwwHQYDVR0OBBYEFMbTvDyvE2KsRy9zPq/J
WOjovG+WMIGcBgNVHSMEgZQwgZGAFMbTvDyvE2KsRy9zPq/JWOjovG+WoW6kbDBq
MQswCQYDVQQGEwJ4eDELMAkGA1UECBMCeHgxCzAJBgNVBAcTAnh4MQswCQYDVQQK
EwJ4eDELMAkGA1UECxMCeHgxCzAJBgNVBAMTAnh4MRowGAYJKoZIhvcNAQkBFgt4
eHhAMTYzLmNvbYIJALV96mEtVF4EMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
BQADgYEAASkC/1iwiALa2RU3YCxqZFEEsZZvQxikrDkDbFeoa6Tk49Fnb1f7FCW6
PTtY3HPWl5ygsMsSy0Fi3xp3jmuIwzJhcQ3tcK5gC99HWp6Kw37RL8WoB8GWFU0Q
4tHLOjBIxkZROPRhH+zMIrqUexv6fsb3NWKhnlfh1Mj5wQE4Ldo=
-----END CERTIFICATE-----

The private key must meet the following requirements:

The private key must have the .key extension and must not have a password. The format of the private key is as follows:

  • The private key is a PEM-encoded file.
  • The private key is prefixed with -----BEGIN RSA PRIVATE KEY----- and postfixed with -----END RSA PRIVATE KEY-----.
  • The private key cannot contain blank lines. Each line must contain exactly 64 characters, except for the last line, which can contain fewer.

Example:

-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----
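
The format rules above for the certificate file and the private key can be checked locally before upload. The following is an added example, not part of OBS or its tooling: the names check_pem_layout and wrap_sample and the file names site.crt and site.key are assumptions, and the sample bodies are constructed dummy bytes, so only the layout is checked, not certificate validity.

```python
import base64
import binascii

# Labels and file extensions come from the format rules on this page.
RULES = {
    "certificate": ("CERTIFICATE", (".pem", ".crt")),
    "private key": ("RSA PRIVATE KEY", (".key",)),
}

def check_pem_layout(filename, text, kind):
    """Return layout problems for an upload; an empty list means it passes."""
    label, extensions = RULES[kind]
    problems = []
    if not filename.lower().endswith(extensions):
        problems.append(f"file name must end with {' or '.join(extensions)}")
    lines = text.splitlines()
    if len(lines) < 3:
        return problems + ["file has no header, body and footer"]
    if lines[0] != f"-----BEGIN {label}-----":
        problems.append(f"first line must be -----BEGIN {label}-----")
    if lines[-1] != f"-----END {label}-----":
        problems.append(f"last line must be -----END {label}-----")
    if any(not line.strip() for line in lines):
        problems.append("blank line found")
    # Traditional encrypted PEM keys carry these headers before the body.
    if any(line.startswith(("Proc-Type:", "DEK-Info:")) for line in lines):
        problems.append("private key is password-protected")
    body = lines[1:-1]
    for number, line in enumerate(body, start=2):
        last = number == len(lines) - 1  # final body line may be shorter
        if len(line) > 64 or (len(line) < 64 and not last):
            problems.append(f"line {number} has {len(line)} characters, expected 64")
    try:
        base64.b64decode("".join(body), validate=True)
    except binascii.Error:
        problems.append("body is not valid base64")
    return problems

def wrap_sample(label, payload, width=64):
    """Build a PEM-shaped sample from dummy bytes (constructed, not real key material)."""
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"]) + "\n"

if __name__ == "__main__":
    dummy = bytes(range(200))  # constructed payload, only the layout is checked
    print(check_pem_layout("site.crt", wrap_sample("CERTIFICATE", dummy), "certificate"))
    print(check_pem_layout("site.key", wrap_sample("RSA PRIVATE KEY", dummy, 76), "private key"))
```

A file that some tools wrap at 76 characters per line, or a key exported with a passphrase, is reported here before it reaches the console or API.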

Configuring an HTTPS Certificate for a User-Defined Domain Name

You can only use OBS Console or APIs to configure HTTPS certificates for user-defined domain names.

Follow-up Operations

After you configure an HTTPS certificate for a user-defined domain name, you can access an OBS bucket using https plus the user-defined domain name.