Changes have been made to the certificate policies based on the latest proposals made by the CA/Browser Forum (CA/B). Due to these changes, the success rate of applying for a free SSL certificate in the Alibaba Cloud CDN console is greatly reduced. If you want to use free SSL certificates, we recommend that you apply for and deploy certificates in the SSL Certificates Service console.

Intended users

This notice is intended for users who use or are about to apply for free SSL certificates.

Details

Valued Alibaba Cloud users,

SSL Certificates Service product update: Notice on policy changes for domain ownership verification.

Based on the latest proposals made by the CA/Browser Forum (CA/B), SSL Certificates Service will adjust the file-based verification method for domain ownership verification.

Effective date: September 21, 2021.

Changes:
  • Wildcard domain name: You can no longer upload a verification file to verify the ownership of a wildcard domain name such as *.example.com or *.1.example.com.

    If you use SSL Certificates Service to apply for a certificate that protects a wildcard domain name, you can verify the ownership of the wildcard domain name only by adding a DNS record. For more information, see Add a DNS record to verify the ownership of a domain name.

  • Single domain name: You can still upload a verification file to verify the ownership of a single domain name. A single domain name can be a top-level domain name such as example.com or a subdomain name such as www.example.com. The file-based verification method requires that each single domain name be separately verified.

    If you upload a verification file to verify the ownership of a top-level domain name such as example.com, you must also verify the ownership of each of its subdomain names such as www.example.com. For more information, see Upload a verification file to verify the ownership of a domain name.

References: Domain validation policy changes in 2021

We apologize for the inconvenience that this may have caused. If you have questions, submit a ticket to contact us.

Impacts

Impact by domain name type:
  • Top-level domain name, such as example.com: No impact.
  • Individual domain names that start with www, such as www.example.com: No impact.
  • Domain names that do not start with www, such as 123.example.com and yyy.example.com: Applications for free SSL certificates may fail.
Note Alibaba Cloud CDN allows you to apply for free SSL certificates only for individual domain names. After you upload a verification file and the ownership of the domain name is verified, the verification file is stored on CDN edge nodes. The certificate authority (CA) then accesses the verification file on the nodes and approves your application. Based on the latest policy, for domain names that do not start with www, both the top-level domain name such as example.com and its subdomain names such as 123.example.com and yyy.example.com must pass ownership verification before a free SSL certificate can be issued. The Alibaba Cloud CDN console does not allow you to use verification files to verify the ownership of top-level domain names. As a result, individual domain names that do not start with www cannot pass ownership verification, and you cannot apply for free SSL certificates for them in the Alibaba Cloud CDN console.
Note The feature that allows you to apply for free SSL certificates in the Alibaba Cloud CDN console will phase out and migrate to SSL Certificates Service. Alibaba Cloud will notify you of the phaseout time. We recommend that you apply for free SSL certificates in the SSL Certificates Service console and then deploy the certificates to Alibaba Cloud CDN.

Solutions

You have an existing free SSL certificate that has been deployed to Alibaba Cloud CDN

Alibaba Cloud CDN automatically applies for a new certificate before the current one expires, and deploys the certificate to the domain name. Due to the latest certificate policy changes made by CA/B, the success rate of applying for free SSL certificates is greatly reduced. If you have acquired a free SSL certificate through Alibaba Cloud CDN, we recommend that you apply for a new certificate in the SSL Certificates Service console and deploy the new certificate to your website before the current certificate expires.

If you use SSL Certificates Service to apply for free SSL certificates, you can add a DNS record or upload a verification file to verify the ownership of domain names. The success rate is higher than that of applying for free SSL certificates through Alibaba Cloud CDN.

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, choose Security & Protection > HTTPS Center.
  3. Check whether Certificate Source shows that the certificate is a free SSL certificate.
  4. We recommend that you use SSL Certificates Service to apply for a new free certificate for your domain name before September 21, 2021.
    Notice

    You must prove the ownership of a domain name when you apply for a free SSL certificate for it. Take note of the following rules:

    • Wildcard domain name: You can no longer upload a verification file to verify the ownership of a wildcard domain name such as *.example.com or *.1.example.com. If you use SSL Certificates Service to apply for a certificate that protects a wildcard domain name, you can verify the ownership of the wildcard domain name only by adding a DNS record.
    • Single domain name: You can still upload a verification file to verify the ownership of a single domain name. A single domain name can be a top-level domain name such as example.com or a subdomain name such as www.example.com. The file-based verification method requires that each single domain name be separately verified. If you upload a verification file to verify the ownership of a top-level domain name such as example.com, you must also verify the ownership of each of its subdomain names such as www.example.com.
    • For more information, see Prove the ownership of a domain name.
  5. Deploy the free SSL certificate for the domain name. For more information, see Configure an SSL certificate.

Apply for a free SSL certificate

We recommend that you use SSL Certificates Service to apply for free SSL certificates. For more information, see Apply for a free certificate.

If you must use Alibaba Cloud CDN to apply for free SSL certificates, take note of the changes made to the certificate policies. We recommend that you do not use Alibaba Cloud CDN to apply for free certificates.

Requirements before and after the policy change:

Before: The accelerated domain name must be mapped to the CNAME that is assigned by Alibaba Cloud CDN.
After: Not changed.

Before: No Certification Authority Authorization (CAA) record is configured for the domain name, or the CAA record allows Digicert.com and digicert.com to issue certificates. Wildcard domain names are not supported.
After: Not changed.

Before: A free SSL certificate can protect only one specific domain name.
After: Not changed.

Before: You must authorize Alibaba Cloud to apply for free certificates on your behalf.
After: Not changed.

Before: The SSL Labs rating of the accelerated domain name must be A.
After: Not changed.

Before: A free SSL certificate is valid for one year. If the certificate is not automatically renewed seven days before it expires, you must manually renew it before it expires.
After: Not changed.

Before: If you want to apply for a certificate for a domain name that starts with www, you must also resolve the top-level domain name to Alibaba Cloud CDN. Note For example, both www.aliyun.com and aliyun.com must be resolved to Alibaba Cloud CDN and mapped to the CNAME assigned by Alibaba Cloud CDN. This requirement is optional for other domain names.
After:
  • Domain names that start with www: not changed.
  • Other domain names: you cannot apply for a free certificate in the Alibaba Cloud CDN console for domain names that do not start with www.
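The following pre-flight check is an added example, not Alibaba Cloud code: it encodes the verification-method rules from the Changes section (wildcard names accept DNS verification only; every other FQDN is verified on its own) together with the CAA prerequisite in the table above, evaluating CAA per RFC 8659 against a constructed in-memory zone instead of live DNS. The issuer domain digicert.com is the one named in the table; all record data below is constructed.

```python
"""Pre-flight check for a certificate request under this notice's rules.

For each requested name: (a) which ownership-verification method the notice
still allows, and (b) whether the domain's CAA policy permits the CA, per
RFC 8659: walk from the name to the apex, use the first CAA RRset found,
prefer "issuewild" for wildcard names, and treat "no CAA anywhere" as
permitted. The zone below is constructed; it stands in for DNS answers.
"""
CONSTRUCTED_CAA = {  # name -> [(flags, tag, value)]
    "example.com": [(0, "issue", "digicert.com"), (0, "iodef", "mailto:sec@example.com")],
    "locked.example.com": [(0, "issue", ";")],          # empty issuer: nobody may issue
    "wild.example.com": [(0, "issue", "digicert.com"), (0, "issuewild", "letsencrypt.org")],
    "strict.example.com": [(128, "mysterytag", "x")],   # critical flag on an unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_caa(name, zone=CONSTRUCTED_CAA):
    """Closest CAA RRset at or above `name`, or None if the path has none."""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None

def caa_permits(fqdn, ca, zone=CONSTRUCTED_CAA):
    """True if the CAA policy covering `fqdn` lets issuer domain `ca` issue."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_caa(fqdn[2:] if wildcard else fqdn, zone)
    if rrset is None:
        return True
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False  # unknown critical property: the CA must refuse
    tags = {tag for _, tag, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    issuers = [v.split(";", 1)[0].strip().lower() for _, t, v in rrset if t == tag]
    if not issuers:
        return True  # the RRset places no issue restriction on this kind of name
    return ca.lower() in issuers

def allowed_methods(fqdn):
    """Verification methods the notice allows for one requested name."""
    return ("dns",) if fqdn.startswith("*.") else ("dns", "file")

def preflight(names, ca="digicert.com", zone=CONSTRUCTED_CAA):
    """Per-name report. Each FQDN is listed on its own because file-based
    verification of example.com never covers www.example.com."""
    return {n: {"methods": allowed_methods(n), "caa_ok": caa_permits(n, ca, zone)}
            for n in names}
```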