This topic describes how to select a certificate type, certificate brand, and domain name type.

How do I select a certificate type?

  • For general enterprises, we recommend that you purchase organization validated (OV) certificates or certificates that provide a higher level of trust. For financial or payment enterprises, we recommend that you purchase extended validation (EV) certificates.
  • For mobile websites or API call-related applications, we recommend that you purchase OV certificates or certificates that provide a higher level of trust.
Note: The server IP addresses that are supported by DigiCert-issued EV certificates are limited. If your domain name is associated with multiple server IP addresses, we recommend that you purchase multiple certificates.

How do I select a certificate brand?

  • The following certificate brands are sorted in descending order of compatibility: DigiCert > GeoTrust > CFCA.
  • For mobile websites or API call-related applications, we recommend that you purchase DigiCert certificates.

How do I select a domain name type?

Domain name types and their descriptions:

  • Single domain name: If you select this type for a certificate, the certificate can protect only one parent domain name, one subdomain, or one public IP address. Example: www.aliyundoc.com.
  • Multiple domain names: If you select this type for a certificate, the certificate can protect multiple single domain names. The domain names can be top-level domains (TLDs) or non-TLDs such as demo.example.com and guide.developer.aliyundoc.com. You can bind up to 250 single domain names to a multi-domain certificate.
  • Wildcard domain name: A wildcard domain name can match its parent domain name and all first-level subdomains of the parent domain name. For example, if you bind the wildcard domain name *.aliyundoc.com to a certificate, the certificate is automatically assigned to its parent domain name aliyundoc.com free of charge. The domain name *.aliyundoc.com can match first-level subdomains such as www.aliyundoc.com and example.aliyundoc.com. The domain name *.aliyundoc.com cannot match second-level subdomains such as www.example.aliyundoc.com.

    A wildcard domain name can match only subdomains at the same level. For example, *.aliyundoc.com can match demo.aliyundoc.com. However, *.aliyundoc.com cannot match learn.demo.aliyundoc.com. If you want to bind learn.demo.aliyundoc.com to the wildcard certificate, you must purchase a new wildcard certificate and bind *.demo.aliyundoc.com to the certificate.

    A multi-domain wildcard certificate allows you to bind multiple wildcard domain names. Certificate Management Service allows you to apply for only a single-domain wildcard certificate to which a single wildcard domain name is bound. You cannot apply for a multi-domain wildcard certificate. To obtain a multi-domain wildcard certificate, you can combine multiple certificates of the same brand and type. For more information, see Combine certificate instances.

  • Hybrid domain name: A hybrid certificate allows you to bind both single and wildcard domain names. For example, if you bind the *.aliyundoc.com and demo.example.com domain names to a certificate, the certificate is a hybrid certificate.

    Certificate Management Service does not allow you to apply for a hybrid certificate. To obtain a hybrid certificate, you can combine multiple certificates of the same brand and type. For more information, see Combine certificate instances.

Note:
  • If the domain name that you bind to a certificate is a wildcard domain name, the certificate is also assigned to the parent domain name of the domain name. Examples:
    • The certificate to which the wildcard domain name *.aliyundoc.com is bound is also assigned to aliyundoc.com.
    • The certificate to which the wildcard domain name *.demo.aliyundoc.com is bound is not assigned to demo.aliyundoc.com.
  • If the domain name that you bind to a certificate starts with www, the certificate is also assigned to the parent domain name of the domain name. Examples:
    • The certificate to which www.aliyundoc.com is bound is also assigned to aliyundoc.com.
    • The certificate to which www.demo.aliyundoc.com is bound is not assigned to demo.aliyundoc.com.
  • You cannot change the domain names that are bound to a certificate after the certificate is issued.
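
The wildcard matching rule and the parent-domain rules in the Note above, written out as a coverage check for a host inventory (an added example, not code from Certificate Management Service). The function names are hypothetical, and the caller supplies the root domains because the example assumes, from the aliyundoc.com and demo.aliyundoc.com cases on this page, that a parent name is added only when it is a root domain.

```python
# Added example: certificate coverage under the rules described on this page.
# Function names are hypothetical; root_domains is supplied by the caller.

def _norm(name):
    """Lower-case a name and drop surrounding whitespace and a trailing dot."""
    return name.strip().lower().rstrip(".")

def covered_patterns(bound_names, root_domains):
    """Expand the names bound to one certificate into every name it covers."""
    roots = {_norm(r) for r in root_domains}
    patterns = set()
    for name in map(_norm, bound_names):
        patterns.add(name)
        first, _, parent = name.partition(".")
        # Note on this page: a wildcard or www name also covers its parent.
        # Assumption: only when that parent is a root domain
        # (aliyundoc.com is added, demo.aliyundoc.com is not).
        if first in ("*", "www") and parent in roots:
            patterns.add(parent)
    return patterns

def pattern_matches(pattern, host):
    """A wildcard stands for exactly one label, so label counts must be equal."""
    p, h = pattern.split("."), _norm(host).split(".")
    if len(p) != len(h) or not h[0]:
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])

def is_covered(host, bound_names, root_domains):
    """True if any covered name or wildcard matches the host."""
    return any(pattern_matches(p, host)
               for p in covered_patterns(bound_names, root_domains))

def uncovered_hosts(hosts, bound_names, root_domains):
    """Hosts in an inventory that need another certificate."""
    return sorted(h for h in hosts
                  if not is_covered(h, bound_names, root_domains))

if __name__ == "__main__":
    # Constructed inventory built from the domain names used on this page.
    inventory = ["aliyundoc.com", "www.aliyundoc.com", "example.aliyundoc.com",
                 "www.example.aliyundoc.com", "learn.demo.aliyundoc.com",
                 "demo.example.com"]
    for host in uncovered_hosts(inventory, ["*.aliyundoc.com"], ["aliyundoc.com"]):
        print("not covered:", host)
```

Because bound domain names cannot be changed after issuance, running a check like this against the full host inventory before applying shows which names need a separate certificate.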