Purchase a commercial certificate

更新时间:
复制 MD 格式

Purchase an SSL certificate on the Certificate Service console, then submit an application for a certificate authority (CA) to review and issue.

Choose a certificate

Use the guidance below to select the right certificate type, specification, brand, and service duration before purchasing.

Certificate type

TypeProtectsNotes
Single DomainOne domain name, subdomain, or public IPv4 address. Examples: aliyun.com, abc.example.com, 1.1.X.XCannot protect subdomains unless purchased separately. A certificate for www.yourdomain.com automatically includes yourdomain.com, and vice versa.
Wildcard DomainAn apex domain and all its first-level subdomains. Example: *.aliyun.com covers demo.aliyun.comMatches only one subdomain level — *.aliyun.com does not cover guide.demo.aliyun.com. By default, supports only one wildcard domain per certificate. To include multiple wildcard domains, see Merge certificate requests.
Multi-DomainUp to 5 individual domain names with one certificateWildcard domain names are not supported. The complimentary domain offer applies only to the first domain listed.
When you purchase certain certificates, the system automatically includes a complimentary domain. For details, see Complimentary domains.

Certificate specification

Choose based on your security requirements:

  • DV (Domain Validated): Verifies domain ownership only — the fastest and lowest-cost option, typically issued within 1 to 15 minutes. Best for personal websites, brochure sites, or test environments.

  • OV (Organization Validated): Verifies both domain ownership and organizational identity. Displays the organization name in the certificate details. Typically issued within 5 calendar days. Best for government entities, small- to medium-sized enterprises, or educational institutions. OV_PRO SSL offers higher encryption than OV SSL.

  • EV (Extended Validation): Requires the most rigorous identity verification and displays the organization's full legal name. Best for large enterprises, financial institutions, and e-commerce sites that handle transactions and sensitive user data. Typically issued within 5 calendar days. EV_PRO SSL offers higher encryption than EV SSL.

Brand

BrandBest for
DigiCert, GeoTrust, RapidSSL, CFCA, vTrus, and WoSignMaximum global trust and brand recognition
GlobalSignReliable international coverage
Alibaba CloudCost-effective option

For a full comparison, see Selection guide.

Important

DigiCert does not issue certificates for domains with special suffixes such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, or .ru.

Service duration

For multi-year plans, the system automatically requests a renewal certificate before the current one expires:

DurationCertificates includedHosting serviceRenewal trigger
1 year1 certificate (1-year validity)Not includedN/A
2 years2 certificates (each 1-year validity)1 includedWhen the active certificate has fewer than 30 days remaining
3 years3 certificates (each 1-year validity)2 includedWhen the active certificate has fewer than 30 days remaining

Purchase a certificate

image

Step 1: Configure certificate

Go to the SSL Certificate Management page, click Commercial Certificates > Purchase Certificate, and fill in the parameters:

ParameterDescription
Domain TypeSelect Single Domain, Wildcard Domain, or Multiple Domains. See Certificate type.
BrandSelect DigiCert, GlobalSign, or Alibaba Cloud. See Brand.
Certificate SpecificationsSelect the validation level: DV SSL, OV SSL, OV_PRO SSL, EV SSL, or EV_PRO SSL. Available options vary by domain type.
Domain NamesThe number of domain names to protect. Set this only when Domain Type is Multiple Domains.
QuantityFixed at 1.
Service DurationSelect 1 Year, 2 Years, or 3 Years. See Service duration.
Important

For purchase questions, contact an expert by filling out the form on the product page.

Step 2: Confirm and pay

Click Buy Now, read and agree to the Terms of Service, then click Pay. After purchase, find the order on the Order Refund Management page.

Step 3: View the purchased certificate

After purchase, the certificate appears in Certificates with the status Pending Application.

image

What's next

Submit an application to the CA for review and issuance. The CA reviews the application and issues the certificate after approval.

Complimentary domains for SSL certificates

When you purchase certain certificates, a complimentary domain is automatically included to cover both the www and non-www versions of your site. The rules vary by brand and certificate type.

Conditions

GlobalSign

  • DV: Domain validation must use DNS validation.

  • OV: No special restrictions.

  • EV: The domain must be an apex domain.

DigiCert

  • DV: Domain validation must use DNS validation.

  • OV, EV: The domain must be an apex domain.

Alibaba Cloud

The domain must be a www subdomain (for example, www.aliyun.com).

This offer is not reciprocal. Securing an apex domain (such as aliyun.com) or a wildcard domain (such as *.aliyun.com) does not include the www subdomain.

Purchase a certificate

Go to the SSL Certificate Management V2.0 page, click Commercial Certificates > Purchase Certificate, and select one of the following methods to purchase a certificate:

  • Purchase by Domain Name (Domain Name): This option is for when you have already determined the domain name.

  • Purchase by Quantity (Certificate Instance Purchase): This method is suitable if you need to purchase certificates in bulk, pre-purchase certificate resources, or have not yet determined the domain names. Because you do not need to provide a domain name during the purchase, you must manually associate a domain name with each certificate and submit an application after the purchase is complete.

Purchase by domain name

Purchase process

image

Step 1: Purchase options

On the purchase page, configure the certificate by using the following information.

  • Purchase Method

    Select Domain Name.

  • Domain Name

    Enter the domain name for the certificate. The system automatically suggests supported certificate types and brands. To enter multiple domains, type each one and press Enter. A domain name can be up to 253 characters long, and each label cannot exceed 63 characters. You can add up to 250 domain names. The following domain types are supported:

    • Single Domain: An SSL certificate is attached to a primary domain name, a subdomain, or a public IP address (IPv4). Examples: aliyun.com, abc.example.com, and 1.1.X.X.

    • Wildcard Domain: A wildcard certificate is used to protect a primary domain name and all its first-level subdomains.

      • Matching rules: Matches only subdomains at the same level. It cannot match subdomains across multiple levels. For example, a certificate for *.aliyun.com can match demo.aliyun.com, but cannot match guide.demo.aliyun.com.

      • Limits: By default, a certificate supports only one wildcard domain name. To include multiple wildcard domain names in a single certificate, see Merge certificate requests.

    • Hybrid Domain: A single certificate is issued to protect multiple domains, which can be a combination of Single Domain and Wildcard Domain. We recommend that the number of domains does not exceed 200.

  • Certificate Type

    The available certificate types vary depending on the domain type. For more information, see SSL certificate selection guide.

    • DV Certificate

      • Use cases: Personal websites and enterprise test environments.

      • Average issuance time: 1 to 15 minutes.

      • Supported domain types: Wildcard Domain, Single Domain, and Hybrid Domain.

    • OV Certificate

      • Use cases: Government organizations, small and medium-sized enterprises, and educational institutions.

      • Average issuance time: 5 calendar days.

      • Supported domain types: Wildcard Domain, Single Domain, and Hybrid Domain.

    • EV Certificate

      • Use cases: Large enterprises, financial institutions, and e-commerce sites that handle transactions and sensitive data.

      • Average issuance time: 5 calendar days.

      • Supported domain types: Single Domain, Hybrid Domain.

  • Certificate Brand

    • International brands: DigiCert, GeoTrust, GlobalSign, and Rapid. These support international standards (RSA/ECC).

    • Chinese domestic brands: vTrus, CFCA, and WoSign. These support international standards (RSA) and Chinese domestic standards (SM2).

    For more information, see SSL certificate selection guide.

    Note

    Only certificates from the GlobalSign brand support binding to domains with the .ru suffix.

  • Expert Services

    • Not Required: Do not purchase any technical support services.

    • Assistance Application: Provides assistance to expedite the issuance of SSL certificates during service hours (9:00–16:00) on business days.

    • Deployment: Helps you deploy RSA or ECC algorithm certificates during service hours (9:00 to 18:00) on business days.

    • Assistance Application + Deployment: Provides end-to-end assistance to help you quickly complete the certificate application, issuance, and deployment process. Support is available on non-working days from 9:00 to 20:00.

    • Deployment (SM Certificate): This service helps you deploy Shang Mi (SM2) algorithm certificates during business hours (9:00–18:00 on workdays) to resolve complex deployment and configuration issues. This option is available only when the certificate type is a Chinese brand certificate, such as CFCA, vTrus, or Wosign.

  • Automated Management

    When you enable this service, the system automatically renews your certificate before it expires. It will consume a credit from your existing hosting plan if one is available; otherwise, a new credit will be automatically purchased. This service automates new certificate applications, DNS record additions, and certificate updates on your cloud products.

  • Resource Group and Tag Key

    Associate an Alibaba Cloud Resource Group and a Tag Key with the certificate for easier future management and search.

Step 2: Select Duration

On the right side of the purchase page, confirm the order information and select the Duration.

Important

A Duration may include multiple certificates with different validity periods. For more information, see Description of validity period changes.

Step 3: Payment

Read and agree to the Certificate Management Service Terms of Service and the Technical Support Agreement for Certificate Management Service, click Buy Now, and complete the payment. After the purchase is complete, you can view the purchased SSL certificate orders on the Order and Refund Management page.

Step 4: View certificate

After the purchase is complete, the certificate is displayed in SSL Certificate Management V2.0 with a status of Pending Application.

Next steps

  • Submit a certificate request:

    If a certificate has the Pending Application status, you must submit a request to a certification authority (CA). A certificate is issued after the CA approves the request.

  • Complete domain ownership validation:

    For certificates in the Validating Application status, you must complete domain ownership validation based on the certificate type.

  • Modify certificate application information:

    If you need to modify the certificate information after purchase, you can perform the Cancel Application operation, and then make the modifications.purchase or

Purchase by quantity

Purchase process

image

Step 1: Purchase options

On the purchase page, configure the certificate by using the following information.

  • Purchase Method:

    Select Certificate Instance Purchase.

  • Certificate Quantity:

    The maximum number of certificates you can purchase at one time is 100.

  • Domain Type:

    • Single Domain: An SSL certificate is attached to a primary domain name, a subdomain, or a public IP address (IPv4). Examples: aliyun.com, abc.example.com, and 1.1.X.X.

    • Wildcard Domain: A wildcard certificate is used to protect a primary domain name and all its first-level subdomains.

      • Matching rules: Matches only subdomains at the same level. It cannot match subdomains across multiple levels. For example, a certificate for *.aliyun.com can match demo.aliyun.com, but cannot match guide.demo.aliyun.com.

      • Limits: By default, a certificate supports only one wildcard domain name. To include multiple wildcard domain names in a single certificate, see Merge certificate requests.

    • Multiple Domains: Used to attach multiple single domain names at the same time. You can attach up to five single domain names. Only single domain names are supported. Wildcard domain names are not supported.

  • When Domain Type is set to Multiple Domains, you must enter Single Domains and Wildcard Domains.

    Important

    If you purchase multiple certificates, each certificate will support the number of domains that you enter in this field. The SSL Certificate Management V2.0 version currently does not support adding more domains to a certificate. Please confirm the number of domains when you make the purchase.

  • Certificate Type:

    The available certificate types vary depending on the domain type. For more information, see SSL certificate selection guide.

    • DV Certificate

      • Use cases: Personal websites and enterprise test environments.

      • Average issuance time: 1 to 15 minutes.

      • Supported domain types: Wildcard Domain, Single Domain.

    • OV Certificate

      • Use cases: Government organizations, small and medium-sized enterprises, and educational institutions.

      • Average issuance time: 5 calendar days.

      • Supported domain types: Wildcard Domain, Single Domain, and Multiple Domains.

    • EV Certificate

      • Use cases: Large enterprises, financial institutions, and e-commerce sites that handle transactions and sensitive data.

      • Average issuance time: 5 calendar days.

      • Supported domain types: Single Domain, Multiple Domains.

  • Certificate Brand:

    • International brands: DigiCert, GeoTrust, GlobalSign, and Rapid. These support international standards (RSA/ECC).

    • Chinese domestic brands: vTrus, CFCA, and WoSign. These support international standards (RSA) and Chinese domestic standards (SM2).

    For more information, see SSL certificate selection guide.

  • Automated Management:

    When you enable this service, the system automatically renews your certificate before it expires. It will consume a credit from your existing hosting plan if one is available; otherwise, a new credit will be automatically purchased. This service automates new certificate applications, DNS record additions, and certificate updates on your cloud products.

  • Expert Services

    • Not Required: Do not purchase any technical support services.

    • Assistance Application: Provides assistance to expedite the issuance of SSL certificates during service hours (9:00–16:00) on business days.

    • Deployment: Helps you deploy RSA or ECC algorithm certificates during service hours (9:00 to 18:00) on business days.

    • Assistance Application + Deployment: Provides end-to-end assistance to help you quickly complete the certificate application, issuance, and deployment process. Support is available on non-working days from 9:00 to 20:00.

    • Deployment (SM Certificate): This service helps you deploy Shang Mi (SM2) algorithm certificates during business hours (9:00–18:00 on workdays) to resolve complex deployment and configuration issues. This option is available only when the certificate type is a Chinese brand certificate, such as CFCA, vTrus, or Wosign.

  • Resource Group and Tag Key:

    Associate a certificate with an Alibaba Cloud Resource Group and a Tag Key for easier management and searching.

Step 2: Select Duration

On the right side of the purchase page, confirm the order information and select the Duration.

Important

A Duration may include multiple certificates with different validity periods. For more information, see Description of validity period changes.

Step 3: Payment

Read and agree to the Certificate Management Service Terms of Service and the Technical Support Agreement for Certificate Management Service, click Buy Now, and complete the payment. After the purchase is complete, you can view the purchased SSL certificate orders on the Order and Refund Management page.

Step 4: View certificate

On the SSL Certificate Management V2.0 page, you can view your purchased certificates.

Next steps

  • Submit a certificate request:

    If a certificate has the Pending Application status, you must submit a request to a certification authority (CA). A certificate is issued after the CA approves the request.

  • Complete domain ownership validation:

    For certificates in the Validating Application status, you must complete domain ownership validation based on the certificate type.

  • Modify certificate application information:

    If you need to modify the certificate information after purchase, you can perform the Cancel Application operation and then make the changes.

Complimentary rules

  • Single Domain certificate: The matching apex domain or www subdomain is automatically included.

    • Certificate for yourdomain.comwww.yourdomain.com added for free

    • Certificate for www.yourdomain.comyourdomain.com added for free

  • Wildcard certificate: The corresponding apex domain is automatically included.

    • Certificate for *.yourdomain.comyourdomain.com added for free

  • Multi-Domain certificate: The free domain offer applies only to the first domain listed in your certificate request. Example: If the first domain is www.domain-a.com, the system adds domain-a.com for free. No complimentary domain is added for the second domain, domain-b.com.

Billing

The final price for all billable items is shown on the purchase page. For details, see SSL certificates billing.

FAQ

What do I do if I chose the wrong certificate type or brand?

It depends on when you purchased and whether the certificate has been issued:

  • Within 7 days of purchase, and the certificate has not been issued: Go to the Refund Management page to request a full refund, then purchase the correct certificate.

  • More than 7 days after purchase, or the certificate has already been issued: A refund is not available. For security reasons, revoke and delete the SSL certificate.

What if I entered the wrong domain when submitting the application to a CA? I purchase or

If the certificate has not yet been issued, cancel the application. The certificate returns to the Unused section, and you can click Create Certificate to start a new application with the correct domain.

If the certificate has already been issued, the domain cannot be changed.