Purchase an SSL certificate on the Certificate Service console, then submit an application for a certificate authority (CA) to review and issue.
Choose a certificate
Use the guidance below to select the right certificate type, specification, brand, and service duration before purchasing.
Certificate type
| Type | Protects | Notes |
|---|---|---|
| Single Domain | One domain name, subdomain, or public IPv4 address. Examples: aliyun.com, abc.example.com, 1.1.X.X | Cannot protect subdomains unless purchased separately. A certificate for www.yourdomain.com automatically includes yourdomain.com, and vice versa. |
| Wildcard Domain | An apex domain and all its first-level subdomains. Example: *.aliyun.com covers demo.aliyun.com | Matches only one subdomain level — *.aliyun.com does not cover guide.demo.aliyun.com. By default, supports only one wildcard domain per certificate. To include multiple wildcard domains, see Merge certificate requests. |
| Multi-Domain | Up to 5 individual domain names with one certificate | Wildcard domain names are not supported. The complimentary domain offer applies only to the first domain listed. |
When you purchase certain certificates, the system automatically includes a complimentary domain. For details, see Complimentary domains.
Certificate specification
Choose based on your security requirements:
DV (Domain Validated): Verifies domain ownership only — the fastest and lowest-cost option, typically issued within 1 to 15 minutes. Best for personal websites, brochure sites, or test environments.
OV (Organization Validated): Verifies both domain ownership and organizational identity. Displays the organization name in the certificate details. Typically issued within 5 calendar days. Best for government entities, small- to medium-sized enterprises, or educational institutions. OV_PRO SSL offers higher encryption than OV SSL.
EV (Extended Validation): Requires the most rigorous identity verification and displays the organization's full legal name. Best for large enterprises, financial institutions, and e-commerce sites that handle transactions and sensitive user data. Typically issued within 5 calendar days. EV_PRO SSL offers higher encryption than EV SSL.
Brand
| Brand | Best for |
|---|---|
| DigiCert, GeoTrust, RapidSSL, CFCA, vTrus, and WoSign | Maximum global trust and brand recognition |
| GlobalSign | Reliable international coverage |
| Alibaba Cloud | Cost-effective option |
For a full comparison, see Selection guide.
DigiCert does not issue certificates for domains with special suffixes such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, or .ru.
Service duration
For multi-year plans, the system automatically requests a renewal certificate before the current one expires:
| Duration | Certificates included | Hosting service | Renewal trigger |
|---|---|---|---|
| 1 year | 1 certificate (1-year validity) | Not included | N/A |
| 2 years | 2 certificates (each 1-year validity) | 1 included | When the active certificate has fewer than 30 days remaining |
| 3 years | 3 certificates (each 1-year validity) | 2 included | When the active certificate has fewer than 30 days remaining |
Purchase a certificate
Step 1: Configure certificate
Go to the SSL Certificate Management page, click Commercial Certificates > Purchase Certificate, and fill in the parameters:
| Parameter | Description |
|---|---|
| Domain Type | Select Single Domain, Wildcard Domain, or Multiple Domains. See Certificate type. |
| Brand | Select DigiCert, GlobalSign, or Alibaba Cloud. See Brand. |
| Certificate Specifications | Select the validation level: DV SSL, OV SSL, OV_PRO SSL, EV SSL, or EV_PRO SSL. Available options vary by domain type. |
| Domain Names | The number of domain names to protect. Set this only when Domain Type is Multiple Domains. |
| Quantity | Fixed at 1. |
| Service Duration | Select 1 Year, 2 Years, or 3 Years. See Service duration. |
For purchase questions, contact an expert by filling out the form on the product page.
Step 2: Confirm and pay
Click Buy Now, read and agree to the Terms of Service, then click Pay. After purchase, find the order on the Order Refund Management page.
Step 3: View the purchased certificate
After purchase, the certificate appears in Certificates with the status Pending Application.

What's next
Submit an application to the CA for review and issuance. The CA reviews the application and issues the certificate after approval.
Complimentary domains for SSL certificates
When you purchase certain certificates, a complimentary domain is automatically included to cover both the www and non-www versions of your site. The rules vary by brand and certificate type.
Conditions
GlobalSign
DV: Domain validation must use DNS validation.
OV: No special restrictions.
EV: The domain must be an apex domain.
DigiCert
DV: Domain validation must use DNS validation.
OV, EV: The domain must be an apex domain.
Alibaba Cloud
The domain must be a www subdomain (for example, www.aliyun.com).
This offer is not reciprocal. Securing an apex domain (such asaliyun.com) or a wildcard domain (such as*.aliyun.com) does not include thewwwsubdomain.
Purchase a certificate
Go to the SSL Certificate Management V2.0 page, click , and select one of the following methods to purchase a certificate:
Purchase by Domain Name (Domain Name): This option is for when you have already determined the domain name.
Purchase by Quantity (Certificate Instance Purchase): This method is suitable if you need to purchase certificates in bulk, pre-purchase certificate resources, or have not yet determined the domain names. Because you do not need to provide a domain name during the purchase, you must manually associate a domain name with each certificate and submit an application after the purchase is complete.
Purchase by domain name
Purchase process
Step 1: Purchase options
On the purchase page, configure the certificate by using the following information.
Purchase Method
Select Domain Name.
Domain Name
Enter the domain name for the certificate. The system automatically suggests supported certificate types and brands. To enter multiple domains, type each one and press Enter. A domain name can be up to 253 characters long, and each label cannot exceed 63 characters. You can add up to 250 domain names. The following domain types are supported:
Single Domain: An SSL certificate is attached to a primary domain name, a subdomain, or a public IP address (IPv4). Examples:
aliyun.com,abc.example.com, and1.1.X.X.Wildcard Domain: A wildcard certificate is used to protect a primary domain name and all its first-level subdomains.
Matching rules: Matches only subdomains at the same level. It cannot match subdomains across multiple levels. For example, a certificate for
*.aliyun.comcan matchdemo.aliyun.com, but cannot matchguide.demo.aliyun.com.Limits: By default, a certificate supports only one wildcard domain name. To include multiple wildcard domain names in a single certificate, see Merge certificate requests.
Hybrid Domain: A single certificate is issued to protect multiple domains, which can be a combination of Single Domain and Wildcard Domain. We recommend that the number of domains does not exceed 200.
Certificate Type
The available certificate types vary depending on the domain type. For more information, see SSL certificate selection guide.
DV Certificate
Use cases: Personal websites and enterprise test environments.
Average issuance time: 1 to 15 minutes.
Supported domain types: Wildcard Domain, Single Domain, and Hybrid Domain.
OV Certificate
Use cases: Government organizations, small and medium-sized enterprises, and educational institutions.
Average issuance time: 5 calendar days.
Supported domain types: Wildcard Domain, Single Domain, and Hybrid Domain.
EV Certificate
Use cases: Large enterprises, financial institutions, and e-commerce sites that handle transactions and sensitive data.
Average issuance time: 5 calendar days.
Supported domain types: Single Domain, Hybrid Domain.
Certificate Brand
International brands: DigiCert, GeoTrust, GlobalSign, and Rapid. These support international standards (RSA/ECC).
Chinese domestic brands: vTrus, CFCA, and WoSign. These support international standards (RSA) and Chinese domestic standards (SM2).
For more information, see SSL certificate selection guide.
NoteOnly certificates from the GlobalSign brand support binding to domains with the
.rusuffix.Expert Services
Not Required: Do not purchase any technical support services.
Assistance Application: Provides assistance to expedite the issuance of SSL certificates during service hours (9:00–16:00) on business days.
Deployment: Helps you deploy RSA or ECC algorithm certificates during service hours (9:00 to 18:00) on business days.
Assistance Application + Deployment: Provides end-to-end assistance to help you quickly complete the certificate application, issuance, and deployment process. Support is available on non-working days from 9:00 to 20:00.
Deployment (SM Certificate): This service helps you deploy Shang Mi (SM2) algorithm certificates during business hours (9:00–18:00 on workdays) to resolve complex deployment and configuration issues. This option is available only when the certificate type is a Chinese brand certificate, such as CFCA, vTrus, or Wosign.
Automated Management
When you enable this service, the system automatically renews your certificate before it expires. It will consume a credit from your existing hosting plan if one is available; otherwise, a new credit will be automatically purchased. This service automates new certificate applications, DNS record additions, and certificate updates on your cloud products.
Resource Group and Tag Key
Associate an Alibaba Cloud Resource Group and a Tag Key with the certificate for easier future management and search.
Step 2: Select Duration
On the right side of the purchase page, confirm the order information and select the Duration.
A Duration may include multiple certificates with different validity periods. For more information, see Description of validity period changes.
Step 3: Payment
Read and agree to the Certificate Management Service Terms of Service and the Technical Support Agreement for Certificate Management Service, click Buy Now, and complete the payment. After the purchase is complete, you can view the purchased SSL certificate orders on the Order and Refund Management page.
Step 4: View certificate
After the purchase is complete, the certificate is displayed in SSL Certificate Management V2.0 with a status of Pending Application.
Next steps
Submit a certificate request:
If a certificate has the Pending Application status, you must submit a request to a certification authority (CA). A certificate is issued after the CA approves the request.
Complete domain ownership validation:
For certificates in the Validating Application status, you must complete domain ownership validation based on the certificate type.
Modify certificate application information:
If you need to modify the certificate information after purchase, you can perform the Cancel Application operation, and then make the modifications.purchase or
Purchase by quantity
Purchase process
Step 1: Purchase options
On the purchase page, configure the certificate by using the following information.
Purchase Method:
Select Certificate Instance Purchase.
Certificate Quantity:
The maximum number of certificates you can purchase at one time is 100.
Domain Type:
Single Domain: An SSL certificate is attached to a primary domain name, a subdomain, or a public IP address (IPv4). Examples:
aliyun.com,abc.example.com, and1.1.X.X.Wildcard Domain: A wildcard certificate is used to protect a primary domain name and all its first-level subdomains.
Matching rules: Matches only subdomains at the same level. It cannot match subdomains across multiple levels. For example, a certificate for
*.aliyun.comcan matchdemo.aliyun.com, but cannot matchguide.demo.aliyun.com.Limits: By default, a certificate supports only one wildcard domain name. To include multiple wildcard domain names in a single certificate, see Merge certificate requests.
Multiple Domains: Used to attach multiple single domain names at the same time. You can attach up to five single domain names. Only single domain names are supported. Wildcard domain names are not supported.
When Domain Type is set to Multiple Domains, you must enter Single Domains and Wildcard Domains.
ImportantIf you purchase multiple certificates, each certificate will support the number of domains that you enter in this field. The SSL Certificate Management V2.0 version currently does not support adding more domains to a certificate. Please confirm the number of domains when you make the purchase.
Certificate Type:
The available certificate types vary depending on the domain type. For more information, see SSL certificate selection guide.
DV Certificate
Use cases: Personal websites and enterprise test environments.
Average issuance time: 1 to 15 minutes.
Supported domain types: Wildcard Domain, Single Domain.
OV Certificate
Use cases: Government organizations, small and medium-sized enterprises, and educational institutions.
Average issuance time: 5 calendar days.
Supported domain types: Wildcard Domain, Single Domain, and Multiple Domains.
EV Certificate
Use cases: Large enterprises, financial institutions, and e-commerce sites that handle transactions and sensitive data.
Average issuance time: 5 calendar days.
Supported domain types: Single Domain, Multiple Domains.
Certificate Brand:
International brands: DigiCert, GeoTrust, GlobalSign, and Rapid. These support international standards (RSA/ECC).
Chinese domestic brands: vTrus, CFCA, and WoSign. These support international standards (RSA) and Chinese domestic standards (SM2).
For more information, see SSL certificate selection guide.
Automated Management:
When you enable this service, the system automatically renews your certificate before it expires. It will consume a credit from your existing hosting plan if one is available; otherwise, a new credit will be automatically purchased. This service automates new certificate applications, DNS record additions, and certificate updates on your cloud products.
Expert Services
Not Required: Do not purchase any technical support services.
Assistance Application: Provides assistance to expedite the issuance of SSL certificates during service hours (9:00–16:00) on business days.
Deployment: Helps you deploy RSA or ECC algorithm certificates during service hours (9:00 to 18:00) on business days.
Assistance Application + Deployment: Provides end-to-end assistance to help you quickly complete the certificate application, issuance, and deployment process. Support is available on non-working days from 9:00 to 20:00.
Deployment (SM Certificate): This service helps you deploy Shang Mi (SM2) algorithm certificates during business hours (9:00–18:00 on workdays) to resolve complex deployment and configuration issues. This option is available only when the certificate type is a Chinese brand certificate, such as CFCA, vTrus, or Wosign.
Resource Group and Tag Key:
Associate a certificate with an Alibaba Cloud Resource Group and a Tag Key for easier management and searching.
Step 2: Select Duration
On the right side of the purchase page, confirm the order information and select the Duration.
A Duration may include multiple certificates with different validity periods. For more information, see Description of validity period changes.
Step 3: Payment
Read and agree to the Certificate Management Service Terms of Service and the Technical Support Agreement for Certificate Management Service, click Buy Now, and complete the payment. After the purchase is complete, you can view the purchased SSL certificate orders on the Order and Refund Management page.
Step 4: View certificate
On the SSL Certificate Management V2.0 page, you can view your purchased certificates.
Next steps
Submit a certificate request:
If a certificate has the Pending Application status, you must submit a request to a certification authority (CA). A certificate is issued after the CA approves the request.
Complete domain ownership validation:
For certificates in the Validating Application status, you must complete domain ownership validation based on the certificate type.
Modify certificate application information:
If you need to modify the certificate information after purchase, you can perform the Cancel Application operation and then make the changes.
Complimentary rules
Single Domain certificate: The matching apex domain or
wwwsubdomain is automatically included.Certificate for
yourdomain.com→www.yourdomain.comadded for freeCertificate for
www.yourdomain.com→yourdomain.comadded for free
Wildcard certificate: The corresponding apex domain is automatically included.
Certificate for
*.yourdomain.com→yourdomain.comadded for free
Multi-Domain certificate: The free domain offer applies only to the first domain listed in your certificate request. Example: If the first domain is
www.domain-a.com, the system addsdomain-a.comfor free. No complimentary domain is added for the second domain,domain-b.com.
Billing
The final price for all billable items is shown on the purchase page. For details, see SSL certificates billing.
FAQ
What do I do if I chose the wrong certificate type or brand?
It depends on when you purchased and whether the certificate has been issued:
Within 7 days of purchase, and the certificate has not been issued: Go to the Refund Management page to request a full refund, then purchase the correct certificate.
More than 7 days after purchase, or the certificate has already been issued: A refund is not available. For security reasons, revoke and delete the SSL certificate.
What if I entered the wrong domain when submitting the application to a CA? I purchase or
If the certificate has not yet been issued, cancel the application. The certificate returns to the Unused section, and you can click Create Certificate to start a new application with the correct domain.
If the certificate has already been issued, the domain cannot be changed.