How to purchase an SSL certificate - Certificate Management Service

Learn how to select and purchase the right SSL certificate on Alibaba Cloud.

Guide to choosing an SSL certificate

This guide helps you make the right selections during the Step 1: Configure certificate of your purchase.

Certificate type

To protect a single domain name (such as aliyun.com): Select a Single Domain certificate.
To protect an apex domain and all its subdomains (such as aliyun.com and *.aliyun.com): Select a Wildcard Domain certificate.
To protect multiple, different domains with one certificate: (such as aliyun.com and taobao.com): Select a Multi-Domain certificate.

Note

When you purchase certain certificates, the system automatically includes a free associated domain. For details, see Complimentary domains for SSL certificates.

Certificate specifications

For personal websites or development and testing environments: Select a Domain Validated (DV) certificate. This low-cost option requires only domain ownership verification and is typically issued automatically within 1 to 15 minutes.
For corporate websites or internal information systems: Select an OV (Organization Validated) certificate. It provides higher security by verifying your organization's identity, displays its name in the certificate details, and is typically issued in 5 calendar days.
For websites with high-security requirements, such as finance, e-commerce, or government: Select an EV (Extended Validation) certificate. It provides the highest level of trust through the strictest identity verification, displays the full legal organization name, and is typically issued in 5 calendar days.

Brand

For a top-tier brand and global trust: Select DigiCert.
For a stable and reliable international brand: Select GlobalSign.
For a cost-effective option: Select Alibaba Cloud.

Note

For a more comprehensive selection guide, see SSL certificate selection guide.

Procedure

The certificate acquisition process involves the following phases: purchasing a certificate on the Certificate Service console, and then submitting your application for certificate authority (CA) review and issuance.

Step 1: Configure certificate

Log on to the Certificate Service console. In the navigation pane on the left, choose Certificate Management > SSL Certificate Management > Official Certificate > Buy Now.

On the purchase page, configure the following certificate parameters.

Certificate Type

Select the domain type for the SSL certificate.

Single Domain: Secures a single apex domain, subdomain, or public IPv4 address. Examples: aliyun.com, abc.example.com, and 1.1.X.X.
Wildcard Domain: Secures an apex domain and all its immediate subdomains.
- Matching rule: Matches only subdomains at the same level. It cannot match subdomains across multiple levels. For example, a certificate for *.aliyun.com can match demo.aliyun.com, but not guide.demo.aliyun.com.
- Limitation: By default, one certificate supports only one wildcard domain. To include multiple wildcard domains in a single certificate, see Combine certificates.
Multiple-Domain: Secures up to 5 distinct domains. Wildcard domains are not supported.

Brand

Select the certificate brand.

Important

DigiCert does not issue certificates for domains with special suffixes such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, or .ru.

Certificate Specifications

Select the certificate type. The available certificate types vary based on the domain type.

OV SSL: Verifies both domain ownership and the organization's identity. Best for government entities, small- to medium-sized enterprises, or educational institutions. OV_PRO SSL offers a higher level of encryption and security than OV SSL.
DV SSL: Verifies domain ownership only. Best for personal websites, brochure sites, or test environments. Offers the fastest issuance and lowest cost.
EV SSL: Involves the most rigorous corporate identity verification. Best for large enterprises, financial institutions, and e-commerce sites that handle transactions and sensitive user data. EV_PRO SSL offers a higher level of encryption and security than EV SSL.

Domain Names

The number of domains to secure with this certificate. Set this parameter only when you select the Multi-Domain type.

Quantity

The number of SSL certificates. This is fixed at 1.

Service Duration

Select the duration of the SSL certificate. Options:

1 Year: Includes one certificate with a 1-year validity period. Hosting services are not included.
2 Years: Includes two certificates, each with a 1-year validity period, and one hosting service. The CA issues one certificate initially. The system automatically requests a second certificate when the first one has less than 30 days of validity remaining.
3 Years: Includes three certificates, each with a 1-year validity period, and two hosting service. The CA issues one certificate initially. Subsequent certificates are automatically requested when the current one has less than 30 days of validity remaining.

Important

For purchase questions, contact an expert by filling out the form on the product page.

Step 2: Confirm and pay for your order

Click Buy Now. Read and agree to the Terms of Service, and then click Pay to complete the payment. After purchase, you can find the order for the SSL certificate on the Comprehensive Management > Order Refund Management page.

Step 3: View the purchased certificate

After purchase, the certificate appears in the Certificates with the status Pending Application.

Next step

Submit an application to the CA (certification authority) to issue a certificate. The CA reviews the application and issues the certificate after approval.

Complimentary domains for SSL certificates

When you purchase a certificate that meets certain conditions, a complimentary domain is automatically included to secure both the www and non-www versions of your site. The complimentary rules vary by certificate type and brand.

Conditions

GlobalSign

DV: The domain validation must be DNS validation.
OV: No special restrictions.
EV: The domain must be an apex domain.

DigiCert

DV: The domain validation must be DNS validation.
OV, EV: The domain must be an apex domain.

Alibaba Cloud

The domain must be a www subdomain such as www.aliyun.com.

Note

This offer is not reciprocal; securing an apex (such as aliyun.com) or wildcard domain (such as *.aliyun.com) will not include the www subdomain.

Complimentary rules

Single domain certificate:
The matching apex domain or www subdomain is automatically included.
- If your certificate is for yourdomain.com, www.yourdomain.com is added for free.
- If your certificate is for www.yourdomain.com, yourdomain.com is added for free.
Wildcard certificate:
The corresponding apex domain is automatically included.
- If your certificate is for *.yourdomain.com, yourdomain.com is added for free.
Multi-domain certificate:
The free domain offer applies only to the first domain listed in your certificate request.
Example: If the first domain in your request is www.domain-a.com, system will automatically include domain-a.com for free. No complimentary domain will be added for the second domain, domain-b.com.

FAQs

What do I do if I chose the wrong certificate information (such type or brand) during purchase?

Follow the instructions below based on your certificate's status and purchase date:

Within 7 days of purchase AND the certificate has not been issued:
Go to the Order Refund Management page to request a full refund. You can then purchase the correct certificate.
More than 7 days after purchase OR the certificate has already been issued:
A refund is not supported. For security reasons, revoke and delete the SSL Certificate.

What if I entered the wrong domain when submitting the application to CA?

If the certificate has not yet been issued by the CA, simply cancel the application. Canceling the application returns the corresponding Certificate Quota, which then appears in the Unused section of the certificate dashboard. Use the returned Certificate Quota to re-enter the correct information when you Create Certificate.

However, if the certificate has been issued, the domain cannot be changed.