Alibaba Cloud OSS
How to automatically deploy SSL certificates to an Alibaba Cloud OSS bucket.
Overview
AutoSSL can automatically upload SSL certificate files to an Alibaba Cloud Object Storage Service (OSS) bucket. Each certificate is archived under a versioned archive path and also updated under a latest/ path for easy discovery by downstream consumers (e.g., Nginx, Caddy, or custom scripts that pull certificates from OSS).
For instructions on how to manage and run this deployment, please refer to the Deployment Management section.
Configuration Parameters
When you add or edit this deployment target in the AutoSSL console, you will need to configure the following parameters:
| Parameter | Description | Example |
|---|---|---|
| Region | The Alibaba Cloud region where the OSS bucket is located. | cn-hangzhou |
| Bucket Name | The name of the OSS bucket to upload certificate files to. | my-ssl-certs |
| Object Key Prefix | (Optional) A prefix for organizing certificate files in the bucket. If set, files will be uploaded under this prefix. Trailing slash is optional. | certs/example.com/ |
How it Works
When AutoSSL deploys a certificate to an OSS bucket (e.g., my-ssl-certs in cn-hangzhou with prefix certs/example.com/), it performs the following steps:
-
Certificate Preparation:
- Splits the full certificate chain into individual PEM files:
cert.pem(leaf certificate),privkey.pem(private key, PKCS#8 encoded),chain.pem(intermediate chain), andfullchain.pem(full chain). - Generates a
README.mdfile with certificate metadata and a link to https://autossl.dev for traceability. - Parses the certificate
notBeforedate and SHA1 fingerprint to generate an archive directory name (format:YYYY-MM-DD_<first 8 chars of SHA1>).
- Splits the full certificate chain into individual PEM files:
-
File Upload:
- Uploads certificate files (four PEM files and README.md) to two paths in the bucket:
- Archive path —
certs/example.com/2026-05-30_e5f6a7b8/cert.pem(andprivkey.pem,chain.pem,fullchain.pem,README.md). This path is unique per certificate issuance and is never overwritten. - Latest path —
certs/example.com/latest/cert.pem(andprivkey.pem,chain.pem,fullchain.pem,README.md). This path always reflects the most recently uploaded certificate.
- Archive path —
- Uploads certificate files (four PEM files and README.md) to two paths in the bucket:
The latest/ path allows downstream services to always fetch the current
certificate from a fixed OSS key. Historical certificates remain accessible
under their versioned archive directories.
Example Bucket Structure
After multiple certificate renewals, your bucket structure will look like this:
certs/example.com/
├── 2026-03-01_a1b2c3d4/
│ ├── cert.pem
│ ├── privkey.pem
│ ├── chain.pem
│ ├── fullchain.pem
│ └── README.md
├── 2026-05-30_e5f6a7b8/
│ ├── cert.pem
│ ├── privkey.pem
│ ├── chain.pem
│ ├── fullchain.pem
│ └── README.md
└── latest/
├── cert.pem
├── privkey.pem
├── chain.pem
├── fullchain.pem
└── README.mdPrivate Key Format
privkey.pem is encoded in PKCS#8 format (-----BEGIN PRIVATE KEY-----). This format is widely supported by modern web servers and tools (Nginx, Caddy, Traefik, OpenSSL 1.1+, etc.).
If your environment requires PKCS#1 format (e.g. -----BEGIN RSA PRIVATE KEY----- for RSA keys), convert it locally before use:
openssl rsa -in privkey.pem -out privkey-pkcs1.pemAccess Key Requirement
To interact with the OSS API, this provider requires an Alibaba Cloud Access Key.
Required Permissions
The Access Key must belong to a RAM user with permissions to upload objects to the target OSS bucket.
You need to attach a RAM policy to your user with at least the following action on the target bucket prefix:
oss:PutObject
Example minimal RAM policy:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:PutObject",
"Resource": ["acs:oss:*:*:my-ssl-certs/certs/example.com/*"]
}
]
}For more information on how to manage RAM permissions, please refer to the Alibaba Cloud RAM documentation.