Changes have been made to the certificate policies based on the latest proposals made by the CA/Browser Forum (CA/B). Due to these changes, the success rate of applying for a free SSL certificate in the Alibaba Cloud CDN console is greatly reduced. If you want to use free SSL certificates, we recommend that you apply for and deploy certificates in the SSL Certificates Service console.

Intended users

This notice is intended for users who use or are about to apply for free SSL certificates.

Details

Valued Alibaba Cloud users,

SSL Certificates Service product update: Notice on policy changes for domain name ownership verification.

Based on the latest proposals made by CA/B, SSL Certificates Service will adjust the file-based verification method for verifying domain name ownership.

Effective date: September 21, 2021.

Changes:
  • You can no longer upload a verification file to verify the ownership of a wildcard domain name, such as *.aliyundoc.com or *.developer.aliyundoc.com.

    If you use SSL Certificates Service to apply for a certificate that protects a wildcard domain name, you can verify the ownership of the wildcard domain name only by adding a DNS record. For more information, see Add a DNS record to verify the ownership of a domain name.

  • You can still upload a verification file to verify the ownership of a specific domain name. A specific domain name can be a top-level domain name such as aliyundoc.com or a lower-level domain name such as developer.aliyundoc.com. You must upload a verification file for each specific domain name.

    If you want to upload a verification file to verify the ownership of a top-level domain name such as aliyundoc.com and its lower-level domain names such as developer.aliyundoc.com, you must upload separate verification files for them. For more information, see Upload a verification file to verify the ownership of a domain name.

References: Domain validation policy changes in 2021

We apologize for any inconvenience caused. If you have any questions, submit a ticket to contact us.

Changes

| Domain name type | Impact |
| --- | --- |
| Top-level domain name, such as example.com | No impact. |
| Specific domain names that start with www, such as www.example.com | No impact. |
| Domain names that do not start with www, such as *.aliyundoc.com. | Applications for free SSL certificates may fail. |

Note: Alibaba Cloud CDN allows you to apply for free SSL certificates only for specific domain names. After you upload a verification file to verify the ownership of a domain name and pass the verification, the verification file is stored on CDN edge nodes. Then, the certificate authority (CA) accesses the verification file on the nodes and reviews your application. Based on the latest policy, domain names that do not start with www, including top-level domain names such as aliyundoc.com and their lower-level domain names such as example.aliyundoc.com and demo.aliyundoc.com, must all pass ownership verification before they can acquire free SSL certificates. For this type of domain name, the Alibaba Cloud CDN console does not allow you to use verification files to verify the ownership of top-level domain names. In this case, domain names that do not start with www cannot pass ownership verification. Therefore, you cannot apply for free SSL certificates for domain names that do not start with www.

Note: The feature that allows you to apply for free SSL certificates in the Alibaba Cloud CDN console will be phased out and migrated to SSL Certificates Service. Alibaba Cloud will notify you of the phaseout time. We recommend that you apply for free SSL certificates in the SSL Certificates Service console and then deploy the certificates to Alibaba Cloud CDN.

Solutions

You have an existing free SSL certificate that has been deployed to Alibaba Cloud CDN

Alibaba Cloud CDN automatically applies for a new certificate before the current one expires, and deploys the certificate to the domain name. Due to the latest certificate policy changes made by CA/B, the success rate of applying for free SSL certificates is greatly reduced. If you have acquired a free SSL certificate through Alibaba Cloud CDN, we recommend that you apply for a new certificate in the SSL Certificates Service console and deploy the new certificate to your website before the current certificate expires.

If you use SSL Certificates Service to apply for free SSL certificates, you can add a DNS record or upload a verification file to verify the ownership of domain names. The success rate is higher than that of using Alibaba Cloud CDN to apply for free SSL certificates.

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, choose Tools > .
  3. Certificate Source shows that the certificate is a free SSL certificate.
  4. We recommend that you use SSL Certificates Service to apply for a new free certificate for your domain name before September 21, 2021.
    Important

    You must verify the ownership of a domain name when you apply for a free SSL certificate for your domain name. Take note of the following rules:

    • You can no longer upload a verification file to verify the ownership of a wildcard domain name, such as *.aliyundoc.com or *.developer.aliyundoc.com. If you use SSL Certificates Service to apply for a certificate that protects a wildcard domain name, you can verify the ownership of the wildcard domain name only by adding a DNS record.
    • You can still upload a verification file to verify the ownership of a specific domain name. A specific domain name can be a top-level domain name such as aliyundoc.com or a subdomain name such as example.aliyundoc.com. This verification method requires that each specific domain name uses a separate verification file. If you want to upload a verification file to verify the ownership of a top-level domain name such as aliyundoc.com and its lower-level domain names such as example.aliyundoc.com, you must upload separate verification files for them.
    • For more information, see Verify the ownership of a domain name.
  5. Deploy the free SSL certificate for the domain name. For more information, see Configure an SSL certificate.

Apply for a free SSL certificate

We recommend that you use SSL Certificates Service to apply for free SSL certificates. For more information, see Submit a certificate application.

If you must use Alibaba Cloud CDN to apply for free SSL certificates, take note of the changes made to the certificate policies. We recommend that you do not use Alibaba Cloud CDN to apply for free certificates.

| Before | After |
| --- | --- |
| The accelerated domain name must be mapped to the CNAME that is assigned by Alibaba Cloud CDN. | No change. |
| Either no Certification Authority Authorization (CAA) record is configured for the domain name, or the CAA record allows Digicert.com and digicert.com to issue certificates. Wildcard domain names are not supported. | No change. |
| A free SSL certificate can protect only one specific domain name. | No change. |
| You must authorize Alibaba Cloud to apply for free certificates on your behalf. | No change. |
| The security level of SSL Labs for the accelerated domain name must be A. | No change. |
| A free SSL certificate is valid for one year. If the certificate is not automatically renewed seven days before it expires, you must manually renew it before it expires. | No change. |
| If you want to apply for a free certificate for a domain name that starts with www, you must resolve the top-level domain name to Alibaba Cloud CDN. Note: For example, both www.aliyundoc.com and aliyundoc.com must be resolved to Alibaba Cloud CDN and mapped to the CNAMEs assigned by Alibaba Cloud CDN. This requirement is optional for other domain names. | Domain names that start with www: not changed. Other domain names: You cannot apply for a free certificate in the Alibaba Cloud CDN console for domain names that do not start with www. |
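
A pre-flight check for the ownership-verification rules under "Changes" and the CAA requirement in the table above, as an added example that is not Alibaba Cloud code. The function names and `SAMPLE_CAA` are assumptions made for illustration; the CAA lookup follows RFC 8659 and runs over constructed records instead of live DNS.

```python
# Added example. SAMPLE_CAA is constructed data standing in for DNS lookups.
SAMPLE_CAA = {
    "aliyundoc.com": [("issue", "digicert.com"), ("issuewild", ";")],
    "demo.aliyundoc.com": [("issue", "ca.example.net")],
}

def relevant_caa(name, zone):
    """RFC 8659 lookup: climb from the name toward the root and
    return the first non-empty CAA record set."""
    base = name[2:] if name.startswith("*.") else name
    labels = base.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def caa_allows(name, zone, ca="digicert.com"):
    """True if no CAA record restricts issuance or one names `ca`."""
    rrset = relevant_caa(name, zone)
    issue = [v for t, v in rrset if t == "issue"]
    wild = [v for t, v in rrset if t == "issuewild"]
    # For wildcard names issuewild overrides issue; otherwise it is ignored.
    values = (wild or issue) if name.startswith("*.") else issue
    if not values:
        return True
    # Value is "<issuer domain>[; params]"; a bare ";" authorizes no CA.
    return any(v.split(";")[0].strip().lower() == ca for v in values)

def preflight(names, zone=SAMPLE_CAA):
    """Per requested name: permitted ownership checks and CAA result."""
    report = {}
    for name in names:
        wildcard = name.startswith("*.")
        report[name] = {
            # Wildcards: DNS record only. Specific names: DNS record,
            # or one verification file uploaded for that exact name.
            "methods": ["dns"] if wildcard else ["dns", "file"],
            "caa_ok": caa_allows(name, zone),
        }
    return report
```

A name with `caa_ok` set to `False` needs its CAA record corrected before the application is submitted; passing ownership verification does not override a CAA restriction.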