When you apply for domain validated (DV), organization validated (OV), and extended validation (EV) SSL certificates by using Certificate Management Service, you must specify the application information based on the certificate types. The materials that you must submit for review also vary based on the certificate types. This topic describes the information that is required to apply for different types of certificates.

Alibaba Cloud Certificate Management Service sends the application information that you submit to the certificate authority (CA) for review. The application information includes domain names that are bound to your certificate and the contact information. For more information about how to apply for a certificate, see Apply for a certificate.

Required information for DV certificate application

When you apply for a DV certificate, you must configure the following parameters.

Parameter Description
Domains to Bind Enter the domain name that you want to protect by using the certificate.
You can move the pointer over the question mark icon to view the number and type of supported domain names. You can also click View More to view the descriptions about how to configure this parameter. The number and type of supported domain names vary based on the configuration of your certificate instance.
Notice
  • The type of domain name must be the same as the value of the Domain Type parameter that you select when you purchase the certificate.
  • If you enter a wildcard domain name, you must use an asterisk (*). Example: *.aliyundoc.com.
  • If you apply for a DigiCert or an Entrust certificate, you cannot enter domain names that end with special suffixes such as .edu, .gov, .org, .jp, .pay, .bank, .live, or .nuclear. This limit does not apply to GlobalSign certificates.
Domain Verification Method Select a method to verify the ownership of the domain name.
If the domain name that you enter appears on the Domain Name List page in the Domains console, Automatic DNS Verification is automatically selected. No manual configuration is required. In this case, Alibaba Cloud automatically verifies the domain name for you.
Notice Automatic DNS Verification is automatically selected by Certificate Management Service only when the domain name to which the certificate is bound belongs to the Alibaba Cloud account that you use to apply for the certificate.
If the domain name that you enter does not appear on the Domain Name List page in the Domains console, you can select one of the following methods:
  • Manual DNS Verification: You must log on to the system of your Domain Name Service (DNS) service provider. Then, you must manually add a TXT record for the domain name to the DNS list of the system. The TXT record must be the same as the DNS record that is provided in the Certificate Management Service console. You must have operation permissions on the domain name resolution to verify the ownership of the domain name.
  • File Verification: You must create a specific file on your DNS server. Then, Alibaba Cloud verifies the ownership of the domain name. You must have administrative rights on the DNS server to verify the ownership of the domain name.
For more information about the two verification methods, see Prove the ownership of a domain name.
Contact Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number.
Notice After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid.

If you have not created contacts, you can click Create Contact to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Create a contact.

Location Select the city or region where the applicant is located.
Encryption Algorithm Select the key algorithm for the certificate.
This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values:
  • RSA: The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. This is the default value.
  • ECC: The Elliptic Curve Cryptography (ECC) algorithm is an encryption algorithm based on elliptic curves.

    Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers.

  • SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. The SM2 algorithm is used to replace the RSA algorithm in Chinese commercial cryptography systems.
Notice The ECC and SM2 algorithms are supported only for specific brands and types of certificates. The valid values that are displayed in the console shall prevail.
CSR Generation A certificate signing request (CSR) file includes your request for a certificate. A CSR file contains the information about your server and organization. You must submit your CSR file to the CA for review. Valid values:
  • Automatic: Certificate Management Service automatically generates a CSR file based on the key algorithm that you specify for the Key Algorithm parameter. After your certificate is issued, you can download the certificate and private key. This method is recommended.
  • Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file private and secure. For more information about how to generate CSR and private key files, see How do I create a CSR file?
    Notice
    • If you set CSR Generation to Manual, you cannot deploy the certificate to Alibaba Cloud services by using the Certificate Management Service console after the certificate is issued.
    • Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you set CSR Generation to Automatic so that Certificate Management Service can use the automatically generated CSR file for the application. This avoids application failures caused by the inaccurate content of CSR files.
    • Make sure that the encryption algorithm of the CSR file that you manually enter is the same as the key algorithm that you select for the Key Algorithm parameter. Otherwise, you cannot submit your certificate application for review.
    • If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate.
CSR File Specify this parameter only if you set CSR Generation to Manual. Enter the content of your CSR file.

Required information for OV certificate application

When you apply for an OV certificate, you must configure the following parameters.

Parameter Description
Domains to Bind Enter the domain name that you want to protect by using the certificate.

You can move the pointer over the question mark icon to view the number and type of supported domain names. You can also click View More to view the descriptions about how to specify this parameter. The number and type of supported domain names vary based on the configuration of your certificate instance.

Notice
  • The type of domain name must be the same as the value of the Type of Domain parameter that you select when you purchase the certificate.
  • If you enter a wildcard domain name, you must use an asterisk (*). Example: *.aliyundoc.com.
Contact Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number.
Notice After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid.

If you have not created contacts, you can click Create Contact to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Create a contact.

Company Select a company profile to apply for the certificate. The company profile includes the company name, phone number, and address.

If you have not created company profiles, you can click Create Company Profile to create one. Certificate Management Service saves the created company profile for you to use next time. For more information about how to create a company profile, see Create a company profile.

Business License After you select a value for Company, the business license picture in the company profile is automatically uploaded. No modification is required.
Encryption Algorithm Select the key algorithm for the certificate.
This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values:
  • RSA: The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. This is the default value.
  • ECC: The Elliptic Curve Cryptography (ECC) algorithm is an encryption algorithm based on elliptic curves.

    Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers.

  • SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. The SM2 algorithm is used to replace the RSA algorithm in Chinese commercial cryptography systems.
Notice The ECC and SM2 algorithms are supported only for specific brands and types of certificates. The valid values that are displayed in the console shall prevail.
CSR Generation A certificate signing request (CSR) file includes your request for a certificate. A CSR file contains the information about your server and organization. You must submit your CSR file to the CA for review. Valid values:
  • Automatic: Certificate Management Service automatically generates a CSR file based on the key algorithm that you specify for the Key Algorithm parameter. After your certificate is issued, you can download the certificate and private key. This method is recommended.
  • Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file private and secure. For more information about how to generate CSR and private key files, see How do I create a CSR file?
    Notice
    • If you set CSR Generation to Manual, you cannot deploy the certificate to Alibaba Cloud services by using the Certificate Management Service console after the certificate is issued.
    • Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you set CSR Generation to Automatic so that Certificate Management Service can use the automatically generated CSR file for the application. This avoids application failures caused by the inaccurate content of CSR files.
    • Make sure that the encryption algorithm of the CSR file that you manually enter is the same as the key algorithm that you select for the Key Algorithm parameter. Otherwise, you cannot submit your certificate application for review.
    • If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate.
CSR File Specify this parameter only if you set CSR Generation to Manual. Enter the content of your CSR file.

Required information for EV certificate application

When you apply for an EV certificate, you must configure the following parameters.

Parameter Description
Domains to Bind Enter the domain name that you want to protect by using the certificate.

You can move the pointer over the question mark icon to view the number and type of supported domain names. You can also click View More to view the descriptions about how to specify this parameter. The number and type of supported domain names vary based on the configuration of your certificate instance.

Notice
  • The type of domain name must be the same as the value of the Type of Domain parameter that you select when you purchase the certificate.
  • If you enter a wildcard domain name, you must use an asterisk (*). Example: *.aliyundoc.com.
Contact Select a contact to apply for the certificate. The contact information includes the email address and mobile phone number.
Notice After the CA receives your application, the CA sends a verification email to the email address or calls the mobile phone number to confirm the information in your certificate application. Therefore, you must make sure that the contact information is accurate and valid.

If you have not created contacts, you can click Create Contact to create one. Certificate Management Service saves the created contact for you to use next time. For more information about how to create a contact, see Create a contact.

Company Select a company profile to apply for the certificate. The company profile includes the company name, phone number, and address.

If you have not created company profiles, you can click Create Company Profile to create one. Certificate Management Service saves the created company profile for you to use next time. For more information about how to create a company profile, see Create a company profile.

Business License After you select a value for Company, the business license picture in the company profile is automatically uploaded. No modification is required.
Encryption Algorithm Select the key algorithm for the certificate.
This parameter also specifies the key algorithm that is used to automatically generate a CSR file. Valid values:
  • RSA: The RSA algorithm is an asymmetric algorithm that is widely used in the world and provides high compatibility. This is the default value.
  • ECC: The Elliptic Curve Cryptography (ECC) algorithm is an encryption algorithm based on elliptic curves.

    Compared with the RSA algorithm, the ECC algorithm is more advanced and secure. The ECC algorithm provides faster encryption and higher efficiency at lower server resource consumption. The ECC algorithm is promoted among mainstream browsers.

  • SM2: The SM2 algorithm is developed and approved by the State Cryptography Administration of China based on the ECC algorithm. The SM2 algorithm is used to replace the RSA algorithm in Chinese commercial cryptography systems.
Notice The ECC and SM2 algorithms are supported only for specific brands and types of certificates. The valid values that are displayed in the console shall prevail.
CSR Generation A certificate signing request (CSR) file includes your request for a certificate. A CSR file contains the information about your server and organization. You must submit your CSR file to the CA for review. Valid values:
  • Automatic: Certificate Management Service automatically generates a CSR file based on the key algorithm that you specify for the Key Algorithm parameter. After your certificate is issued, you can download the certificate and private key. This method is recommended.
  • Manual: You must use OpenSSL or Keytool to manually generate CSR and private key files. Then, you must copy and paste the content of the CSR file to the CSR File field. You must keep your private key file private and secure. For more information about how to generate CSR and private key files, see How do I create a CSR file?
    Notice
    • If you set CSR Generation to Manual, you cannot deploy the certificate to Alibaba Cloud services by using the Certificate Management Service console after the certificate is issued.
    • Make sure that your CSR file contains accurate content. Otherwise, your certificate application may fail. We recommend that you set CSR Generation to Automatic so that Certificate Management Service can use the automatically generated CSR file for the application. This avoids application failures caused by the inaccurate content of CSR files.
    • Make sure that the encryption algorithm of the CSR file that you manually enter is the same as the key algorithm that you select for the Key Algorithm parameter. Otherwise, you cannot submit your certificate application for review.
    • If you manually generate a CSR file, you must securely store your private key file. A certificate corresponds to a private key. If the private key is lost, the certificate becomes invalid. Alibaba Cloud is not responsible for storing your private key. If your private key is lost, you must purchase a new certificate.
CSR File Specify this parameter only if you set CSR Generation to Manual. Enter the content of your CSR file.
Permit for Opening a Bank Account You must save a scanned copy of the bank account opening license of the company to your computer in advance. Then, you can click Upload File to upload the scanned copy from your computer.
Note Make sure that the scanned copy is in the PNG or JPEG format and is no more than 500 KB in size.
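
The Manual option for CSR Generation, described in the DV, OV, and EV tables above, leaves key and CSR creation to you. The following script is an added example, not part of the original documentation: it generates a key and CSR with OpenSSL for the RSA or ECC choice, then checks before submission that the CSR's key algorithm matches the selection and that the CSR belongs to the private key you hold. The 2048-bit RSA size, the prime256v1 curve, the file names, and the function names are assumptions; SM2 is not covered.

```shell
#!/bin/sh
# Added example (not from the original page): manual key + CSR generation
# with OpenSSL, plus checks to run before pasting the CSR into the
# CSR File field. Key size, curve and file names are assumptions.

umask 077   # files created below (the private key) are owner-only

# gen_csr ALGO DOMAIN OUTDIR -> OUTDIR/server.key and OUTDIR/server.csr
gen_csr() {
    algo=$1; domain=$2; out=$3
    mkdir -p "$out" || return 1
    case "$algo" in
        RSA) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
                 -out "$out/server.key" 2>/dev/null ;;
        ECC) openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
                 -out "$out/server.key" 2>/dev/null ;;
        *)   echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac || return 1
    openssl req -new -key "$out/server.key" -subj "/CN=$domain" \
        -out "$out/server.csr"
}

# csr_algo CSR -> prints RSA, ECC or UNKNOWN for the CSR's public key
csr_algo() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*)  echo RSA ;;
        *"Public Key Algorithm: id-ecPublicKey"*) echo ECC ;;
        *)                                        echo UNKNOWN ;;
    esac
}

# csr_matches_key CSR KEY -> 0 if the CSR carries KEY's public key
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_csr CSR KEY SELECTED -> 0 only if the CSR is safe to submit
check_csr() {
    found=$(csr_algo "$1") || { echo "cannot parse CSR" >&2; return 1; }
    [ "$found" = "$3" ] ||
        { echo "CSR uses $found, console selection is $3" >&2; return 1; }
    csr_matches_key "$1" "$2" ||
        { echo "CSR does not belong to this private key" >&2; return 1; }
}

# Demo: wildcard ECC request in a scratch directory.
demo_dir=$(mktemp -d)
gen_csr ECC '*.aliyundoc.com' "$demo_dir" &&
    check_csr "$demo_dir/server.csr" "$demo_dir/server.key" ECC &&
    echo "CSR ready to paste: $demo_dir/server.csr"
```

Only `server.csr` is pasted into the console; `server.key` stays on your side and should be backed up to protected storage, because the issued certificate is unusable without it.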