Create an SSL certificate


After you purchase a certificate, you must create a certificate from the purchased resource and bind it to a domain name. If you select Quick Issue when you create the certificate, the system automatically submits your application to the certificate authority (CA), which simplifies issuance.

Important

SSL Certificate Management V2.0 automatically creates a certificate in the Pending Application state after purchase, so you do not need to create one manually. This topic applies only to the SSL Certificates Service (V1.0); new purchases of V1.0 are discontinued.

Prerequisites

You have purchased a paid certificate or a personal test certificate.

Note

If you specified a domain name when you purchased the paid certificate, the system automatically creates the certificate. The process is as follows:

Workflow

[Workflow diagram]

Procedure

Create an individual test certificate

Note

Individual Test Certificates are Domain Validated (DV) certificates.

Log on to the Certificate Management Service console. In the left-side navigation pane, choose Certificate Management. On the Individual Test Certificate (Formerly Free Certificate) tab, click Create Certificate.

Step 1: Configure basic information

Follow the instructions to configure the basic parameters. If you do not select Quick Issue, the certificate enters the Pending Application state after you provide the required information and click OK. You will need to submit an application to the Certificate Authority (CA) later.

  • Certificate Type

    • Individual Test Certificate (Free): A free certificate that is valid for three months.

    • Individual Test Certificate (Pro): A paid certificate.

  • Remaining Certificate Quota/Total

    Displays the number of certificates you can create and the total quota available for the selected certificate type. If your certificate quota is insufficient, see What do I do if my certificate quota is insufficient when I create a certificate?.

  • Domain Name

    • Domain name limits: An individual test certificate covers only a single domain name. It cannot be issued for a public IP address, a wildcard domain name, a hybrid domain name, or a domain name with one of the following special suffixes: .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, and .ru. To secure any of these, purchase a commercial certificate.

    • Length limits: The total length of a single domain name cannot exceed 253 characters. The length of each label in the domain name, which is the part separated by a period (.), cannot exceed 63 characters.

    • Chinese domain names: If you want to secure a Chinese domain name, you must convert it to Punycode as prompted in the console before you can apply for a certificate. You can also use a transcoding tool to convert the domain name. For more information, see Chinese domain name conversion.

      Note

      vTrus-branded certificates do not support Chinese domain names.

    • Complimentary domain name: If your domain name is eligible, the certificate also covers a complimentary domain name (the www or non-www counterpart of the name you entered). For the rules by brand and certificate type, see Complimentary domains for SSL certificates below.

  • Validity Period (Years)

    • If the certificate type is Individual Test Certificate (Free), the value is fixed at 1 and cannot be changed.

    • If the certificate type is Individual Test Certificate (Pro), you must configure the validity period. Due to ongoing reductions in certificate validity periods, multiple certificates may be issued during the service period. For more information, see Changes in certificate validity periods.

  • Quick Issue

    If you select Quick Issue, you must provide application details. After the certificate is created, the system automatically submits the certificate application to the CA. You must then complete domain name ownership verification.

Step 2 (Optional): Provide application details (Quick Issue workflow)

If you select Quick Issue, provide the details required for review by the CA. After you provide the required information and click Submit for Review, the certificate status changes to Validating Application. You must then complete domain name ownership verification. The parameters are described as follows:

  • Domain Verification Method

    Select a verification method based on your account setup:

    Note
    • Certificate purchase account: The Alibaba Cloud account used to purchase the target SSL certificate in the Certificate Management Service console.

    • DNS resolution account: The Alibaba Cloud account used to configure DNS resolution for the target domain name in Alibaba Cloud DNS.

    If the purchase account and the DNS resolution account are different, choose one of the following methods:

    • Manual DNS Verification (recommended): Log on to your DNS service platform and add the CNAME or TXT record that the console displays.

    • File Verification: Log on to your web server and upload the validation file that the console provides to the specified directory.

      Important

      Wildcard domain names do not support file verification.

    If the purchase account and the DNS resolution account are the same, the system uses Automatic DNS Verification: Alibaba Cloud adds the required DNS record for the domain name in Alibaba Cloud DNS to verify ownership, and no manual operation is required.

  • Contact

    Select a contact for this certificate application. The contact information includes an email address and a mobile number. To create or modify a contact, click Create Contact or Edit, or go to Contact Management.

  • Location

    Select the city or region where the applicant is located.

  • Encryption Algorithm

    Option   | Security  | Compatibility                  | Performance | Recommendation
    RSA_2048 | Medium    | Widest                         | Medium      | Recommended for general use; suitable for most web applications.
    RSA_3072 | High      | Good                           | Lower       | Suitable for scenarios with high security requirements, such as finance and payments.
    RSA_4096 | Very high | Fair                           | Low         | Recommended only for top-secret or extremely high-security scenarios.
    ECC_256  | High      | Good                           | Very high   | Suitable for mobile applications, high-concurrency systems, and IoT devices.
    SM2      | High      | Limited to SM2-capable clients | High        | Only for scenarios that require compliance with Chinese cryptographic standards, such as government, state-owned enterprises, and finance.

    • RSA: An asymmetric (public-key) algorithm whose security rests on the difficulty of factoring large integers. It is the most widely used and has the broadest compatibility. Longer keys give a larger security margin but cost more CPU per handshake.

    • ECC: An asymmetric algorithm whose security rests on the elliptic curve discrete logarithm problem; certificates use it for ECDSA signatures. It reaches a security level comparable to much longer RSA keys (a 256-bit curve is roughly equivalent to RSA-3072) with faster operations, which suits resource-constrained environments such as mobile devices and IoT.

    • SM2: An elliptic curve algorithm published by the State Cryptography Administration of China as part of the Chinese national cryptographic standard. Its security is comparable to ECC, and it is intended for government, finance, and other scenarios with domestic compliance requirements.

    Note

    Currently, only some brands and types of certificates support the ECC and SM2 algorithms. For more information, see SSL certificate selection.

  • CSR Generation

    A Certificate Signing Request (CSR) is the file you submit to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key, and it is signed with the matching private key to prove that you hold it. Store that private key securely.

    Automatic (recommended)

    Alibaba Cloud generates the CSR and the private key for you and stores the private key. After the certificate is issued, you can download a complete package that includes the private key.

    Manual Entry

    Generate the CSR and private key yourself with a tool such as OpenSSL or Keytool, store the private key securely, and paste the CSR content into the CSR File configuration item. For more information, see How to create a CSR file.

    Important
    • Store your private key securely. A lost private key cannot be recovered, and the certificate is unusable without it. You would have to generate a new key pair and request a reissued certificate.

    • If you apply for a Chinese cryptographic algorithm (SM2) certificate and select Manual Entry, the private key is not stored in Alibaba Cloud. Decrypting the issued certificate requires that private key, so you must ask the party that generated it to assist. This does not apply to Wosign-branded certificates.

    • The key algorithm in the CSR must match the Encryption Algorithm selected above. If you are not sure which algorithm your CSR uses, check it with the View CSR tool. For more information, see View CSR Details.

    • Because Alibaba Cloud does not hold the private key, certificates issued from a manually entered CSR do not support one-click deployment to other Alibaba Cloud products.

    Select an Existing CSR

    From the CSRs created or uploaded in the Certificate Management Service console, select the CSR whose domain matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.

  • CSR File

    Required only when CSR Generation is set to Manual Entry or Select an Existing CSR. Enter the content of your CSR file.

Create a commercial certificate

Log on to the Certificate Management Service console. In the left-side navigation pane, choose Certificate Management. On the Commercial Certificates tab, click Create Certificate.

Step 1: Configure basic information

Follow the instructions to configure the basic parameters. If you do not select Quick Issue, the certificate enters the Pending Application state after you provide the required information and click OK. You will need to submit an application to the Certificate Authority (CA) later.

  • Certificate Type

    The system displays the types of certificates that you have purchased and can create. This can include single domain, multi-domain, and wildcard types. You can select a type only if you have purchased the corresponding certificate resources.

  • Certificate Specifications

    Displays the certificate specifications you have purchased and their available quantities. If the required specification is not available, first purchase a commercial certificate.

  • Domain Name

    • Domain name requirements

      • Type matching: The domain type that you enter (single, multi-domain, or wildcard) must match your purchased certificate.

      • Length limits: The total length must not exceed 253 characters. Each label (a segment separated by the . character) must not exceed 63 characters.

    • Special format requirements

      • Wildcard: Must start with *, such as *.example.com.

      • Chinese domain name: If you use a Chinese domain name, you must convert it to Punycode as prompted in the console. You can also use a conversion tool. For more information, see Chinese Domain Name Conversion.

        Note

        vTrus-branded certificates do not support Chinese domain names.

      • IP addresses: Supported only by some OV single-domain certificates (brands: GlobalSign, GeoTrust, vTrus, and CFCA).

    • Suffix restrictions: Only GlobalSign-branded certificates support attaching to domain names with the .ru suffix.

    • Complimentary domain name: If your domain name is eligible, the certificate also covers a complimentary domain name (the www or non-www counterpart of the name you entered). For the rules by brand and certificate type, see Complimentary domains for SSL certificates below.

  • Validity Period (Years)

    Select the service duration for your certificate. Because certificate validity periods are decreasing, multiple certificates may be issued during the service period. For more information, see Changes in certificate validity periods.

  • Quick Issue

    If you select Quick Issue, you must provide application details. After the certificate is created, the system automatically submits the certificate application to the CA. You must then complete domain name ownership verification. You do not need to submit the application again.

Step 2 (Optional): Provide application details (Quick Issue workflow)

If you select Quick Issue, provide the details that the CA requires for review. The required information varies by certificate type (DV, OV, or EV). After you provide this information and click Submit for Review, the certificate status changes to Validating Application, and you must then complete domain name ownership verification.

Certificate application information

DV certificates

  • Domain Verification Method

    Note
    • Certificate purchase account: The Alibaba Cloud account used to purchase the target SSL certificate in the Certificate Management Service console.

    • DNS resolution account: The Alibaba Cloud account used to configure DNS resolution for the target domain name in Alibaba Cloud DNS.

    If the purchase account and the DNS resolution account are different, choose one of the following methods:

    • Manual DNS Verification (recommended): Log on to your DNS service platform and add the CNAME or TXT record that the console displays.

    • File Verification: Log on to your web server and upload the validation file that the console provides to the specified directory.

      Important

      Wildcard domain names do not support file verification.

    If the purchase account and the DNS resolution account are the same, the system uses Automatic DNS Verification: Alibaba Cloud adds the required DNS record for the domain name in Alibaba Cloud DNS to verify ownership, and no manual operation is required.

  • Contact

    Select a contact for this certificate application. The contact information includes an email address and a mobile number. To create or modify a contact, click Create Contact or Edit, or go to Contact Management.

  • Location

    Select the city or region where the applicant is located.

  • Encryption Algorithm

    Option   | Security  | Compatibility                  | Performance | Recommendation
    RSA_2048 | Medium    | Widest                         | Medium      | Recommended for general use; suitable for most web applications.
    RSA_3072 | High      | Good                           | Lower       | Suitable for scenarios with high security requirements, such as finance and payments.
    RSA_4096 | Very high | Fair                           | Low         | Recommended only for top-secret or extremely high-security scenarios.
    ECC_256  | High      | Good                           | Very high   | Suitable for mobile applications, high-concurrency systems, and IoT devices.
    SM2      | High      | Limited to SM2-capable clients | High        | Only for scenarios that require compliance with Chinese cryptographic standards, such as government, state-owned enterprises, and finance.

    • RSA: An asymmetric (public-key) algorithm whose security rests on the difficulty of factoring large integers. It is the most widely used and has the broadest compatibility. Longer keys give a larger security margin but cost more CPU per handshake.

    • ECC: An asymmetric algorithm whose security rests on the elliptic curve discrete logarithm problem; certificates use it for ECDSA signatures. It reaches a security level comparable to much longer RSA keys (a 256-bit curve is roughly equivalent to RSA-3072) with faster operations, which suits resource-constrained environments such as mobile devices and IoT.

    • SM2: An elliptic curve algorithm published by the State Cryptography Administration of China as part of the Chinese national cryptographic standard. Its security is comparable to ECC, and it is intended for government, finance, and other scenarios with domestic compliance requirements.

    Note

    Currently, only some brands and types of certificates support the ECC and SM2 algorithms. For more information, see SSL certificate selection.

  • CSR Generation

    A Certificate Signing Request (CSR) is the file you submit to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key, and it is signed with the matching private key to prove that you hold it. Store that private key securely.

    Automatic (recommended)

    Alibaba Cloud generates the CSR and the private key for you and stores the private key. After the certificate is issued, you can download a complete package that includes the private key.

    Manual Entry

    Generate the CSR and private key yourself with a tool such as OpenSSL or Keytool, store the private key securely, and paste the CSR content into the CSR File configuration item. For more information, see How to create a CSR file.

    Important
    • Store your private key securely. A lost private key cannot be recovered, and the certificate is unusable without it. You would have to generate a new key pair and request a reissued certificate.

    • If you apply for a Chinese cryptographic algorithm (SM2) certificate and select Manual Entry, the private key is not stored in Alibaba Cloud. Decrypting the issued certificate requires that private key, so you must ask the party that generated it to assist. This does not apply to Wosign-branded certificates.

    • The key algorithm in the CSR must match the Encryption Algorithm selected above. If you are not sure which algorithm your CSR uses, check it with the View CSR tool. For more information, see View CSR Details.

    • Because Alibaba Cloud does not hold the private key, certificates issued from a manually entered CSR do not support one-click deployment to other Alibaba Cloud products.

    Select an Existing CSR

    From the CSRs created or uploaded in the Certificate Management Service console, select the CSR whose domain matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.

  • CSR File

    Required only when CSR Generation is set to Manual Entry or Select an Existing CSR. Enter the content of your CSR file.
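The Domain Verification Method parameter above (and the identical parameter in the individual test certificate procedure) asks you to add a CNAME or TXT record, or to upload a validation file, and then to trigger verification. The most common reason a first verification attempt fails is that the record is not yet answered everywhere. The following script is an added example and not part of the Alibaba Cloud console or this documentation: it checks that the record is answered both by an authoritative name server for the zone and by a public recursive resolver, normalizes the quoting and trailing-dot differences in dig output that otherwise make an exact comparison fail, and encodes the rule that wildcard names cannot use file verification. It assumes dig (dnsutils or bind-utils) is installed; the record type, name, value, zone and the 1.1.1.1 resolver are placeholders for what the console shows you.

```shell
#!/bin/sh
# Added example: pre-flight check for the DNS validation record requested by the
# console. Not Alibaba Cloud tooling. Assumes dig is installed; the record name,
# value, zone and resolver address are placeholders supplied by the operator.

# dig +short prints TXT data in double quotes and CNAME targets with a trailing
# dot. Strip both so a TXT value or CNAME target compares exactly with what the
# console displayed (validation tokens do not end in a period).
normalize_rr() { sed -e 's/^"//' -e 's/"$//' -e 's/\.$//'; }

# answers_contain EXPECTED   Reads dig +short output on stdin; exit 0 if one of
# the answers equals EXPECTED after normalization (whole-line, fixed-string).
answers_contain() { normalize_rr | grep -qxF -- "$1"; }

# allowed_methods DOMAIN   The Important note above: wildcard names cannot use
# file verification, so a *.example.com request must use DNS verification.
allowed_methods() {
  case "$1" in
    \*.*) echo "dns" ;;
    *)    echo "dns file" ;;
  esac
}

# record_present TYPE NAME EXPECTED RESOLVER   Query one server and compare.
record_present() {
  dig +short "$1" "$2" "@$4" | answers_contain "$3"
}

# check_validation_record TYPE NAME EXPECTED ZONE [PUBLIC_RESOLVER]
# Queries the first authoritative NS of ZONE and a public resolver, prints one
# line per server, and exits non-zero if either is still missing the record.
check_validation_record() {
  type=$1; name=$2; expected=$3; zone=$4; public=${5:-1.1.1.1}
  auth=$(dig +short NS "$zone" | normalize_rr | head -n 1)
  rc=0
  [ -n "$auth" ] || { echo "no authoritative NS found for $zone"; rc=1; }
  for server in $auth "$public"; do
    if record_present "$type" "$name" "$expected" "$server"; then
      echo "ok       $type $name @$server"
    else
      echo "MISSING  $type $name @$server"; rc=1
    fi
  done
  return $rc
}
```

Typical use, with the values copied from the console: check_validation_record TXT _dnsauth.example.com 2024xxxx-token example.com. Re-run until both lines read ok before you click the verify button; if only the public resolver is missing the record, you are waiting on propagation, and if the authoritative server is missing it, the record was added to the wrong zone or with the wrong name.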

OV certificates

  • Contact

    Select the contact for this certificate application. The contact information includes an email address and a mobile phone number. To create or modify a contact, click Create Contact or Edit, or go to Contact Management.

    Important

    After the CA receives the certificate application, it sends a validation email to the contact's email address or calls the contact's mobile phone number (Chinese mainland numbers only) as part of the review. Make sure that the contact information is accurate and valid.

  • Company

    Select the company information for this certificate application, including the name, phone number, and address. To create or modify company information, click Create Company Profile or Edit, or go to Company Information Management.

    Important

    When you apply for an OV certificate for a .gov domain name, the organization name in the domain's WHOIS information must exactly match the company name.

  • Business License

    After you select a Company, the system automatically loads the business license image that was uploaded for that company. If no business license was uploaded when the company was created, this field is empty. To speed up the CA review, we recommend that you upload the company's business license image.

  • Encryption Algorithm

    Option   | Security  | Compatibility                  | Performance | Recommendation
    RSA_2048 | Medium    | Widest                         | Medium      | Recommended for general use; suitable for most web applications.
    RSA_3072 | High      | Good                           | Lower       | Suitable for scenarios with high security requirements, such as finance and payments.
    RSA_4096 | Very high | Fair                           | Low         | Recommended only for top-secret or extremely high-security scenarios.
    ECC_256  | High      | Good                           | Very high   | Suitable for mobile applications, high-concurrency systems, and IoT devices.
    SM2      | High      | Limited to SM2-capable clients | High        | Only for scenarios that require compliance with Chinese cryptographic standards, such as government, state-owned enterprises, and finance.

    • RSA: An asymmetric (public-key) algorithm whose security rests on the difficulty of factoring large integers. It is the most widely used and has the broadest compatibility. Longer keys give a larger security margin but cost more CPU per handshake.

    • ECC: An asymmetric algorithm whose security rests on the elliptic curve discrete logarithm problem; certificates use it for ECDSA signatures. It reaches a security level comparable to much longer RSA keys (a 256-bit curve is roughly equivalent to RSA-3072) with faster operations, which suits resource-constrained environments such as mobile devices and IoT.

    • SM2: An elliptic curve algorithm published by the State Cryptography Administration of China as part of the Chinese national cryptographic standard. Its security is comparable to ECC, and it is intended for government, finance, and other scenarios with domestic compliance requirements.

    Note

    Currently, only some brands and types of certificates support the ECC and SM2 algorithms. For more information, see SSL certificate selection.

  • CSR Generation

    A Certificate Signing Request (CSR) is the file you submit to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key, and it is signed with the matching private key to prove that you hold it. Store that private key securely.

    Automatic (recommended)

    Alibaba Cloud generates the CSR and the private key for you and stores the private key. After the certificate is issued, you can download a complete package that includes the private key.

    Manual Entry

    Generate the CSR and private key yourself with a tool such as OpenSSL or Keytool, store the private key securely, and paste the CSR content into the CSR File configuration item. For more information, see How to create a CSR file.

    Important
    • Store your private key securely. A lost private key cannot be recovered, and the certificate is unusable without it. You would have to generate a new key pair and request a reissued certificate.

    • If you apply for a Chinese cryptographic algorithm (SM2) certificate and select Manual Entry, the private key is not stored in Alibaba Cloud. Decrypting the issued certificate requires that private key, so you must ask the party that generated it to assist. This does not apply to Wosign-branded certificates.

    • The key algorithm in the CSR must match the Encryption Algorithm selected above. If you are not sure which algorithm your CSR uses, check it with the View CSR tool. For more information, see View CSR Details.

    • Because Alibaba Cloud does not hold the private key, certificates issued from a manually entered CSR do not support one-click deployment to other Alibaba Cloud products.

    Select an Existing CSR

    From the CSRs created or uploaded in the Certificate Management Service console, select the CSR whose domain matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.

  • CSR File

    Required only when CSR Generation is set to Manual Entry or Select an Existing CSR. Enter the content of your CSR file.

EV certificates

  • Contact

    Select the contact for this certificate application. The contact information includes an email address and a mobile phone number. To create or modify a contact, click Create Contact or Edit, or go to Contact Management.

    Important

    After the CA receives the certificate application, it sends a validation email to the contact's email address or calls the contact's mobile phone number (Chinese mainland numbers only) as part of the review. Make sure that the contact information is accurate and valid.

  • Company

    Select the company information for this certificate application, including the name, phone number, and address. To create or modify company information, click Create Company Profile or Edit, or go to Company Information Management.

    Important

    When you apply for an EV certificate for a .gov domain name, the organization name in the domain's WHOIS information must exactly match the company name.

  • Business License

    After you select a Company, the system automatically loads the business license image that was uploaded for that company. If no business license was uploaded when the company was created, this field is empty. To speed up the CA review, we recommend that you upload the company's business license image.

  • Encryption Algorithm

    Option   | Security  | Compatibility                  | Performance | Recommendation
    RSA_2048 | Medium    | Widest                         | Medium      | Recommended for general use; suitable for most web applications.
    RSA_3072 | High      | Good                           | Lower       | Suitable for scenarios with high security requirements, such as finance and payments.
    RSA_4096 | Very high | Fair                           | Low         | Recommended only for top-secret or extremely high-security scenarios.
    ECC_256  | High      | Good                           | Very high   | Suitable for mobile applications, high-concurrency systems, and IoT devices.
    SM2      | High      | Limited to SM2-capable clients | High        | Only for scenarios that require compliance with Chinese cryptographic standards, such as government, state-owned enterprises, and finance.

    • RSA: An asymmetric (public-key) algorithm whose security rests on the difficulty of factoring large integers. It is the most widely used and has the broadest compatibility. Longer keys give a larger security margin but cost more CPU per handshake.

    • ECC: An asymmetric algorithm whose security rests on the elliptic curve discrete logarithm problem; certificates use it for ECDSA signatures. It reaches a security level comparable to much longer RSA keys (a 256-bit curve is roughly equivalent to RSA-3072) with faster operations, which suits resource-constrained environments such as mobile devices and IoT.

    • SM2: An elliptic curve algorithm published by the State Cryptography Administration of China as part of the Chinese national cryptographic standard. Its security is comparable to ECC, and it is intended for government, finance, and other scenarios with domestic compliance requirements.

    Note

    Currently, only some brands and types of certificates support the ECC and SM2 algorithms. For more information, see SSL certificate selection.

  • CSR Generation

    A Certificate Signing Request (CSR) is the file you submit to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key, and it is signed with the matching private key to prove that you hold it. Store that private key securely.

    Automatic (recommended)

    Alibaba Cloud generates the CSR and the private key for you and stores the private key. After the certificate is issued, you can download a complete package that includes the private key.

    Manual Entry

    Generate the CSR and private key yourself with a tool such as OpenSSL or Keytool, store the private key securely, and paste the CSR content into the CSR File configuration item. For more information, see How to create a CSR file.

    Important
    • Store your private key securely. A lost private key cannot be recovered, and the certificate is unusable without it. You would have to generate a new key pair and request a reissued certificate.

    • If you apply for a Chinese cryptographic algorithm (SM2) certificate and select Manual Entry, the private key is not stored in Alibaba Cloud. Decrypting the issued certificate requires that private key, so you must ask the party that generated it to assist. This does not apply to Wosign-branded certificates.

    • The key algorithm in the CSR must match the Encryption Algorithm selected above. If you are not sure which algorithm your CSR uses, check it with the View CSR tool. For more information, see View CSR Details.

    • Because Alibaba Cloud does not hold the private key, certificates issued from a manually entered CSR do not support one-click deployment to other Alibaba Cloud products.

    Select an Existing CSR

    From the CSRs created or uploaded in the Certificate Management Service console, select the CSR whose domain matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.

  • CSR File

    Required only when CSR Generation is set to Manual Entry or Select an Existing CSR. Enter the content of your CSR file.

  • Permit for Opening a Bank Account

    This information is required only when applying for a GeoTrust or DigiCert-branded certificate. Upload a clear scanned copy of the company's bank account opening permit.

    Note

    The scanned copy must be in PNG or JPEG format and its size cannot exceed 500 KB.

  • Configuration items specific to CFCA brand certificates

    • Application Form

      Follow these steps:

      1. Click Download Template to download the form template to your local computer.

      2. Open the form template and edit the content as required.

      3. Print the edited form and stamp it with your official company seal as instructed in the template.

      4. Scan the stamped form and save it to your local computer.

      5. Click Upload File to upload the scanned form from your local computer.

    • Lawyer Certificate

      Save a scan of the lawyer's certificate to your local computer. Then, click Upload File to upload the file.

    • Lawyer's Letter

      Follow these steps:

      1. Click Download Template to download the lawyer's letter template to your local computer.

      2. Open the lawyer's letter template and edit the content as required.

      3. Print the edited lawyer's letter and attach a copy of the lawyer's certificate or other documents that prove the lawyer's qualifications, as instructed in the template.

      4. Scan the lawyer's letter and its attachments, and save them to your local computer.

      5. Click Upload File to upload the scanned files from your local computer.

    • Agent Identity Card or Passport

      Save a scan of the agent's ID card or passport to your computer. Then, click Upload File to upload it.

    Note

    The scans of the application form, lawyer's certificate, lawyer's letter, agent's ID card, and agent's passport must be in PNG or JPEG format. The size of each scanned copy cannot exceed 500 KB.
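The CSR Generation parameter in each of the four procedures above (individual test, DV, OV and EV) offers Manual Entry with OpenSSL, and warns that the CSR's key algorithm must match the Encryption Algorithm you selected and that the private key must be kept safe. The following script is an added example, not Alibaba Cloud's tooling and not from this documentation: it generates the key and CSR for a console algorithm name, reads the algorithm back out of the CSR in the console's own naming so the match can be checked before you paste, and computes a public-key digest that you can compare across the stored key, the CSR, and later the issued certificate. It assumes OpenSSL 1.1.1 or later on PATH, that the console's ECC_256 option means NIST P-256 (prime256v1), and uses example.com host names as placeholders.

```shell
#!/bin/sh
# Added example for "CSR Generation: Manual Entry". Not Alibaba Cloud tooling.
# Assumptions: OpenSSL 1.1.1+ CLI on PATH; the console's ECC_256 means NIST P-256;
# domain names passed in are placeholders (example.com).
set -eu

# gen_key ALG OUTFILE   ALG is the console's Encryption Algorithm name: RSA_2048,
# RSA_3072, RSA_4096 or ECC_256. The key is written owner-only (0600); it never
# leaves this host and is not what you paste into "CSR File".
gen_key() {
  alg=$1; out=$2
  case "$alg" in
    RSA_2048|RSA_3072|RSA_4096)
      openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:${alg#RSA_}" \
        -out "$out" 2>/dev/null ;;
    ECC_256)
      openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -pkeyopt ec_param_enc:named_curve -out "$out" 2>/dev/null ;;
    *)
      echo "gen_key: unsupported algorithm $alg" >&2; return 2 ;;
  esac
  chmod 600 "$out"
}

# gen_csr KEYFILE DOMAIN OUTFILE   CSR with DOMAIN as CN and as a DNS SAN, signed
# with KEYFILE so the CA can verify that you hold the matching private key.
gen_csr() {
  openssl req -new -key "$1" -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -out "$3" 2>/dev/null
}

# csr_algorithm CSRFILE   Prints the CSR's key algorithm in the console's naming
# (RSA_2048, ECC_256, SM2, ...) so it can be compared with the option you chose.
csr_algorithm() {
  openssl req -in "$1" -noout -text 2>/dev/null | awk '
    /Public Key Algorithm:/      { alg = $NF }
    /Public-Key: \([0-9]+ bit\)/ { b = $0; sub(/.*\(/, "", b); sub(/ bit\).*/, "", b); bits = b }
    /ASN1 OID:/                  { curve = $NF }
    END {
      if (alg == "rsaEncryption")              print "RSA_" bits
      else if (alg == "SM2" || curve == "SM2") print "SM2"
      else if (alg == "id-ecPublicKey")        print "ECC_" bits
      else { print "UNKNOWN(" alg ")"; exit 1 }
    }'
}

# csr_matches_choice CSRFILE ALG   exit 0 only if the CSR carries the chosen algorithm
csr_matches_choice() { [ "$(csr_algorithm "$1")" = "$2" ]; }

# pubkey_sha256 key|req|x509 FILE   SHA-256 of the DER-encoded public key. Equal
# digests for the private key, the CSR and (after issuance) the certificate prove
# that the key you stored is the one the certificate was issued for.
pubkey_sha256() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    req)  openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    x509) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
  esac 2>/dev/null | openssl dgst -sha256 | awk '{ print $NF }'
}

# prepare_csr ALG DOMAIN DIR   Generate DIR/DOMAIN.key and DIR/DOMAIN.csr, refuse
# to continue if the CSR's algorithm does not match ALG, then print the CSR PEM,
# which is the text that goes into the console's "CSR File" field.
prepare_csr() {
  gen_key "$1" "$3/$2.key"
  gen_csr "$3/$2.key" "$2" "$3/$2.csr"
  csr_matches_choice "$3/$2.csr" "$1" || { echo "CSR algorithm mismatch" >&2; return 1; }
  cat "$3/$2.csr"
}
```

Typical use: prepare_csr ECC_256 www.example.com ./out prints the CSR to paste into CSR File and leaves ./out/www.example.com.key behind with mode 0600; back that file up before you submit. After issuance, pubkey_sha256 x509 issued.crt must equal pubkey_sha256 key ./out/www.example.com.key; a different digest means the certificate was not issued for the key you hold and cannot be installed with it.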

Advanced settings

Use the Advanced Settings to configure the Notification service for the certificate lifecycle.

  • Notification Status: Enabled by default.

  • Notification Method: You can configure Email Address, Text Message, Internal Message, and DingTalk/WeCom/Feishu.

  • Notification Content: You can configure three types of reminder messages: Business Notification, Alert Notification, and Product Change Notification.

  • Expiration Notification Frequency: Configure a reminder frequency policy. Options include: Only Once, Every Day, Every 3 Days, Every 5 Days, and Every 7 Days.

  • Expiration Deadline Notification: Configure how many days in advance to send reminders. Options include: 15 Days Before Expiration, 30 Days Before Expiration, 60 Days Before Expiration, and 90 Days Before Expiration.

Important

The service period for the message reminder feature matches the validity period of the certificate. The service ends automatically when the certificate expires.

Next steps

Scenario 1: You selected Quick Issue.

After the certificate is created, the system automatically submits a certificate application to a CA. To track the application, hover over the Status icon in the Status column and click View Progress in the tooltip. The Certificate Progress panel shows the review progress. You must then complete the domain name ownership verification.

[Figure: Certificate Progress panel]

Scenario 2: You did not select Quick Issue.

After a certificate is created, it appears in the certificate list with the status Pending Application. You must submit the certificate application to a CA for review. The CA issues the certificate only after your application is approved. For more information, see Submit an Application to a CA.

image

Complimentary domains for SSL certificates

When you purchase certain certificates, a complimentary domain is automatically included to cover both the www and non-www versions of your site. The rules vary by brand and certificate type.

Conditions

GlobalSign

  • DV: Domain validation must use DNS validation.

  • OV: No special restrictions.

  • EV: The domain must be an apex domain.

DigiCert

  • DV: Domain validation must use DNS validation.

  • OV, EV: The domain must be an apex domain.

Alibaba Cloud

The domain must be a www subdomain (for example, www.aliyun.com).

This offer is not reciprocal. Securing an apex domain (such as aliyun.com) or a wildcard domain (such as *.aliyun.com) does not include the www subdomain.

Purchase a certificate

Go to the SSL Certificate Management V2.0 page, click Commercial Certificates > Purchase Certificate, and select one of the following methods to purchase a certificate:

  • Purchase by Domain Name (Domain Name): This option is for when you have already determined the domain name.

  • Purchase by Quantity (Certificate Instance Purchase): This method is suitable if you need to purchase certificates in bulk, pre-purchase certificate resources, or have not yet determined the domain names. Because you do not need to provide a domain name during the purchase, you must manually associate a domain name with each certificate and submit an application after the purchase is complete.

Purchase by domain name

Purchase process

image

Step 1: Purchase options

On the purchase page, configure the certificate by using the following information.

  • Purchase Method

    Select Domain Name.

  • Domain Name

    Enter the domain name for the certificate. The system automatically suggests supported certificate types and brands. To enter multiple domains, type each one and press Enter. A domain name can be up to 253 characters long, and each label cannot exceed 63 characters. You can add up to 250 domain names. The following domain types are supported:

    • Single Domain: An SSL certificate is attached to a primary domain name, a subdomain, or a public IP address (IPv4). Examples: aliyun.com, abc.example.com, and 1.1.X.X.

    • Wildcard Domain: A wildcard certificate is used to protect a primary domain name and all its first-level subdomains.

      • Matching rules: Matches only subdomains at the same level. It cannot match subdomains across multiple levels. For example, a certificate for *.aliyun.com can match demo.aliyun.com, but cannot match guide.demo.aliyun.com.

      • Limits: By default, a certificate supports only one wildcard domain name. To include multiple wildcard domain names in a single certificate, see Merge certificate requests.

    • Hybrid Domain: A single certificate is issued to protect multiple domains, which can be a combination of Single Domain and Wildcard Domain. We recommend that the number of domains does not exceed 200.

  • Certificate Type

    The available certificate types vary depending on the domain type. For more information, see SSL certificate selection guide.

    • DV Certificate

      • Use cases: Personal websites and enterprise test environments.

      • Average issuance time: 1 to 15 minutes.

      • Supported domain types: Wildcard Domain, Single Domain, and Hybrid Domain.

    • OV Certificate

      • Use cases: Government organizations, small and medium-sized enterprises, and educational institutions.

      • Average issuance time: 5 calendar days.

      • Supported domain types: Wildcard Domain, Single Domain, and Hybrid Domain.

    • EV Certificate

      • Use cases: Large enterprises, financial institutions, and e-commerce sites that handle transactions and sensitive data.

      • Average issuance time: 5 calendar days.

      • Supported domain types: Single Domain, Hybrid Domain.

  • Certificate Brand

    • International brands: DigiCert, GeoTrust, GlobalSign, and Rapid. These support international standards (RSA/ECC).

    • Chinese domestic brands: vTrus, CFCA, and WoSign. These support international standards (RSA) and Chinese domestic standards (SM2).

    For more information, see SSL certificate selection guide.

    Note

    Only certificates from the GlobalSign brand support binding to domains with the .ru suffix.

  • Expert Services

    • Not Required: Do not purchase any technical support services.

    • Assistance Application: Provides assistance to expedite the issuance of SSL certificates during service hours (9:00–16:00) on business days.

    • Deployment: Helps you deploy RSA or ECC algorithm certificates during service hours (9:00 to 18:00) on business days.

    • Assistance Application + Deployment: Provides end-to-end assistance to help you quickly complete the certificate application, issuance, and deployment process. Support is available on non-working days from 9:00 to 20:00.

    • Deployment (SM Certificate): This service helps you deploy Shang Mi (SM2) algorithm certificates during business hours (9:00–18:00 on workdays) to resolve complex deployment and configuration issues. This option is available only when the certificate type is a Chinese brand certificate, such as CFCA, vTrus, or WoSign.

  • Automated Management

    When you enable this service, the system automatically renews your certificate before it expires. It will consume a credit from your existing hosting plan if one is available; otherwise, a new credit will be automatically purchased. This service automates new certificate applications, DNS record additions, and certificate updates on your cloud products.

  • Resource Group and Tag Key

    Associate an Alibaba Cloud Resource Group and a Tag Key with the certificate for easier future management and search.
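As an added example that is not part of this documentation, the following Python applies the Domain Name limits listed above (Punycode for Chinese names, at most 253 characters per name and 63 per label, at most 250 names per order) and the wildcard matching rule (*.aliyun.com covers demo.aliyun.com but not guide.demo.aliyun.com). The constant and function names are my own, and treating a wildcard as exactly one leading "*" label is my reading of the text.

```python
import re

# Limits stated on the purchase page (constant and function names are this example's own).
MAX_NAME_LEN, MAX_LABEL_LEN, MAX_NAMES = 253, 63, 250
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def to_ascii(name: str) -> str:
    """Convert a Chinese (IDN) name to Punycode; an ASCII name is only lower-cased."""
    try:
        return name.strip().rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError as exc:  # the codec rejects empty or over-long labels
        raise ValueError(f"{name!r}: {exc}") from None


def classify(name: str) -> str:
    """Return 'single' or 'wildcard', or raise ValueError if a stated limit is broken."""
    name = to_ascii(name)
    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"{name!r}: longer than {MAX_NAME_LEN} characters")
    labels = name.split(".")
    kind = "single"  # a public IPv4 address such as 1.1.X.X also lands here
    if labels[0] == "*":  # exactly one leading wildcard label
        kind, labels = "wildcard", labels[1:]
    if len(labels) < 2:
        raise ValueError(f"{name!r}: needs at least two labels")
    for label in labels:
        if len(label) > MAX_LABEL_LEN or not _LABEL_RE.match(label):
            raise ValueError(f"{name!r}: invalid label {label!r}")
    return kind


def order_kind(names: list[str]) -> str:
    """'single', 'wildcard', or 'hybrid' when several names of any mix are requested."""
    if not 0 < len(names) <= MAX_NAMES:
        raise ValueError(f"an order takes 1 to {MAX_NAMES} names")
    kinds = [classify(n) for n in names]
    return "hybrid" if len(kinds) > 1 else ("wildcard" if kinds[0] == "wildcard" else "single")


def wildcard_covers(cert_name: str, host: str) -> bool:
    """*.aliyun.com covers demo.aliyun.com, not guide.demo.aliyun.com or aliyun.com."""
    cert_name, host = to_ascii(cert_name), to_ascii(host)
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]  # ".aliyun.com"
    head = host[: -len(suffix)] if host.endswith(suffix) else ""
    return bool(head) and "." not in head  # exactly one extra label, same level only
```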

Step 2: Select Duration

On the right side of the purchase page, confirm the order information and select the Duration.

Important

A Duration may include multiple certificates with different validity periods. For more information, see Description of validity period changes.

Step 3: Payment

Read and agree to the Certificate Management Service Terms of Service and the Technical Support Agreement for Certificate Management Service, click Buy Now, and complete the payment. After the purchase is complete, you can view the purchased SSL certificate orders on the Order and Refund Management page.

Step 4: View certificate

After the purchase is complete, the certificate is displayed in SSL Certificate Management V2.0 with a status of Pending Application.

Next steps

  • Submit a certificate request:

    If a certificate has the Pending Application status, you must submit a request to a certification authority (CA). A certificate is issued after the CA approves the request.

  • Complete domain ownership validation:

    For certificates in the Validating Application status, you must complete domain ownership validation based on the certificate type.

  • Modify certificate application information:

    If you need to modify the certificate information after purchase, you can perform the Cancel Application operation and then make the modifications.

Purchase by quantity

Purchase process

image

Step 1: Purchase options

On the purchase page, configure the certificate by using the following information.

  • Purchase Method:

    Select Certificate Instance Purchase.

  • Certificate Quantity:

    The maximum number of certificates you can purchase at one time is 100.

  • Domain Type:

    • Single Domain: An SSL certificate is attached to a primary domain name, a subdomain, or a public IP address (IPv4). Examples: aliyun.com, abc.example.com, and 1.1.X.X.

    • Wildcard Domain: A wildcard certificate is used to protect a primary domain name and all its first-level subdomains.

      • Matching rules: Matches only subdomains at the same level. It cannot match subdomains across multiple levels. For example, a certificate for *.aliyun.com can match demo.aliyun.com, but cannot match guide.demo.aliyun.com.

      • Limits: By default, a certificate supports only one wildcard domain name. To include multiple wildcard domain names in a single certificate, see Merge certificate requests.

    • Multiple Domains: Used to attach multiple single domain names at the same time. You can attach up to five single domain names. Only single domain names are supported. Wildcard domain names are not supported.

  • When Domain Type is set to Multiple Domains, you must enter Single Domains and Wildcard Domains.

    Important

    If you purchase multiple certificates, each certificate will support the number of domains that you enter in this field. The SSL Certificate Management V2.0 version currently does not support adding more domains to a certificate. Please confirm the number of domains when you make the purchase.

  • Certificate Type:

    The available certificate types vary depending on the domain type. For more information, see SSL certificate selection guide.

    • DV Certificate

      • Use cases: Personal websites and enterprise test environments.

      • Average issuance time: 1 to 15 minutes.

      • Supported domain types: Wildcard Domain, Single Domain.

    • OV Certificate

      • Use cases: Government organizations, small and medium-sized enterprises, and educational institutions.

      • Average issuance time: 5 calendar days.

      • Supported domain types: Wildcard Domain, Single Domain, and Multiple Domains.

    • EV Certificate

      • Use cases: Large enterprises, financial institutions, and e-commerce sites that handle transactions and sensitive data.

      • Average issuance time: 5 calendar days.

      • Supported domain types: Single Domain, Multiple Domains.

  • Certificate Brand:

    • International brands: DigiCert, GeoTrust, GlobalSign, and Rapid. These support international standards (RSA/ECC).

    • Chinese domestic brands: vTrus, CFCA, and WoSign. These support international standards (RSA) and Chinese domestic standards (SM2).

    For more information, see SSL certificate selection guide.

  • Automated Management:

    When you enable this service, the system automatically renews your certificate before it expires. It will consume a credit from your existing hosting plan if one is available; otherwise, a new credit will be automatically purchased. This service automates new certificate applications, DNS record additions, and certificate updates on your cloud products.

  • Expert Services

    • Not Required: Do not purchase any technical support services.

    • Assistance Application: Provides assistance to expedite the issuance of SSL certificates during service hours (9:00–16:00) on business days.

    • Deployment: Helps you deploy RSA or ECC algorithm certificates during service hours (9:00 to 18:00) on business days.

    • Assistance Application + Deployment: Provides end-to-end assistance to help you quickly complete the certificate application, issuance, and deployment process. Support is available on non-working days from 9:00 to 20:00.

    • Deployment (SM Certificate): This service helps you deploy Shang Mi (SM2) algorithm certificates during business hours (9:00–18:00 on workdays) to resolve complex deployment and configuration issues. This option is available only when the certificate type is a Chinese brand certificate, such as CFCA, vTrus, or WoSign.

  • Resource Group and Tag Key:

    Associate a certificate with an Alibaba Cloud Resource Group and a Tag Key for easier management and searching.

Step 2: Select Duration

On the right side of the purchase page, confirm the order information and select the Duration.

Important

A Duration may include multiple certificates with different validity periods. For more information, see Description of validity period changes.

Step 3: Payment

Read and agree to the Certificate Management Service Terms of Service and the Technical Support Agreement for Certificate Management Service, click Buy Now, and complete the payment. After the purchase is complete, you can view the purchased SSL certificate orders on the Order and Refund Management page.

Step 4: View certificate

On the SSL Certificate Management V2.0 page, you can view your purchased certificates.

Next steps

  • Submit a certificate request:

    If a certificate has the Pending Application status, you must submit a request to a certification authority (CA). A certificate is issued after the CA approves the request.

  • Complete domain ownership validation:

    For certificates in the Validating Application status, you must complete domain ownership validation based on the certificate type.

  • Modify certificate application information:

    If you need to modify the certificate information after purchase, you can perform the Cancel Application operation and then make the changes.

Complimentary rules

  • Single Domain certificate: The matching apex domain or www subdomain is automatically included.

    • Certificate for yourdomain.com: www.yourdomain.com is added for free

    • Certificate for www.yourdomain.com: yourdomain.com is added for free

  • Wildcard certificate: The corresponding apex domain is automatically included.

    • Certificate for *.yourdomain.com: yourdomain.com is added for free

  • Multi-Domain certificate: The free domain offer applies only to the first domain listed in your certificate request. Example: If the first domain is www.domain-a.com, the system adds domain-a.com for free. No complimentary domain is added for the second domain, domain-b.com.
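As an added example that is not part of this documentation, this Python encodes the complimentary rules above together with the non-reciprocal Alibaba Cloud brand rule from the Conditions section (only a www subdomain earns its apex domain). The function names are my own; the remaining brand conditions (DNS validation, apex-only for EV) are not modelled, and treating a two-label name as the apex domain is an assumption.

```python
from typing import Optional


def complimentary_domain(domains: list[str], brand: str) -> Optional[str]:
    """Return the name the offer adds for free, or None when nothing is added.

    General rules: single apex <-> www, wildcard -> apex, and for a multi-domain
    request only the first listed name is considered. For the Alibaba Cloud brand
    only www -> apex applies; apex and wildcard names do not earn the www name.
    """
    if not domains:
        return None
    first = domains[0].strip().lower()  # only the first listed domain counts
    if brand == "Alibaba Cloud":
        return first[4:] if first.startswith("www.") else None
    if first.startswith("*."):
        return first[2:]  # *.yourdomain.com -> yourdomain.com
    if first.startswith("www."):
        return first[4:]  # www.yourdomain.com -> yourdomain.com
    if first.count(".") == 1:  # assumption: a two-label name is the apex domain
        return "www." + first  # yourdomain.com -> www.yourdomain.com
    return None  # any other subdomain: no free name


def covered_names(domains: list[str], brand: str) -> list[str]:
    """Requested names plus the complimentary one (if not already listed), in order."""
    names = [d.strip().lower() for d in domains]
    extra = complimentary_domain(domains, brand)
    if extra and extra not in names:
        names.append(extra)
    return names
```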

FAQ

Insufficient certificate quota

If you receive a notification that your quota is insufficient when creating a certificate, first check your certificate type. Then, consult the following tables for causes and solutions.

  • Type 1: Individual Test Certificate (Formerly Free Certificate)

    Cause: First-time use, or the quota has not been claimed in the current calendar year
    Solution: You must manually claim the free quota for each calendar year. Go to the Claim Free Certificate Quota page.

    Cause: Annual quota is exhausted
    Solution: Each user who has completed identity verification can claim a maximum of 20 free certificates per calendar year.

    Important

    Quota is cleared at the start of a new year: Alibaba Cloud clears the unused free quota for all users at the end of each calendar year (December 31). You must reclaim the quota at the start of the new year.

  • Type 2: Individual Test Certificate (Pro)

    Cause: Quota is occupied by certificates in the "Pending Application" state
    Solution: Check your certificate list for unneeded certificates in the "Pending Application" state and click "Cancel Application". The quota is returned immediately after cancellation.

    Important

    The quota is not returned if a certificate is revoked or deleted.

    Cause: All purchased quota is used or occupied
    Solution: To purchase additional certificate quota, go to the Purchase a paid certificate page.

Chinese (IDN) domain names

When you apply for a certificate for a Chinese (IDN) domain name, you must convert it to Punycode. You can follow the prompts in the console or use a conversion tool. For more information, see Chinese Domain Name Conversion.