After you submit a certificate application, the certificate authority (CA) verifies the ownership of your domain name and the information in your certificate application. To ensure that your certificate can be issued at the earliest opportunity, we recommend that you read the descriptions for different types of certificates in this topic before you submit your application. The time that is required to issue a certificate varies based on the CA.

Review durations for OV and EV certificates

After you submit a certificate application for an OV certificate or an EV certificate, the CA completes review and issuance within 3 to 7 business days.

Notice If the OV or EV certificate is not issued more than 1 business day after you submit the certificate application, check whether you missed a phone call from the CA or an email that contains the instructions for verifying the ownership of your domain name. If you do not receive the phone call or email, you can search for and join the DingTalk group numbered 32435999. If you receive the email, we recommend that you perform the required operations that are indicated in the email to verify the ownership of your domain name at the earliest opportunity. This way, the period of time that is required to review your certificate is reduced.

View the results of domain name verification for free certificates and DV certificates

After you submit a certificate application, you can perform the following operations to check whether the ownership verification of the domain name that is bound to your certificate is successful. The CA issues the certificate only after the verification is successful. If the verification fails, you must modify the DNS record of your domain name in a timely manner and submit a certificate application to initiate the domain name verification again.

  • Log on to the Certificate Management Service console. In the certificate list, filter the certificates for those in the Validating Application state and check whether your certificate application is approved.
  • You can also run commands on your server to check whether your certificate application is approved.
    Note Host records that are provided by Alibaba Cloud Certificate Management Service contain full domain names. If full domain names are not supported by your DNS provider, remove the suffix of the root domain name.
    • DNS verification (automatic DNS verification or manual DNS verification)

      Log on to your DNS server and run the dig command to query the DNS record of your domain name.

      Run the dig Host record command or run the dig Host record @1.1.XX.XX command to use Google Public DNS to query the DNS record. Example:
      dig txt demo.aliyundoc.com @1.1.XX.XX
      • If the value of the TXT record is returned in the command output and the value is the same as the value of the Record Value parameter that is configured in the Verify Information step of the Apply for Certificate panel in the Certificate Management Service console, the configuration of your DNS record is correct and in effect. If the values are different, you must change the value of the TXT record in the system of your DNS provider to the value of the Record Value parameter.
      • If the value of the TXT record is not returned in the command output, the configuration of your DNS record may be incorrect or the configuration may fail to take effect. If the configuration of your DNS record is incorrect, set the value of the TXT record in the system of your DNS provider to the value of the Record Value parameter. If the configuration fails to take effect after a long period of time, contact your DNS provider.
    • File verification
      1. Log on to the Certificate Management Service console. On the SSL Certificates page, find your certificate, click Verify in the Actions column, and then configure the verification file based on the on-screen instructions provided in the Apply for Certificate panel.
      2. Verify that the verification URL address can be accessed from your browser and the value of the TXT record displayed on the page is the same as the value of the TXT record in the verification file that is downloaded on the order progress page. You must perform the verification based on the following aspects:
        • Check whether an HTTPS-based verification URL address is displayed. If an HTTPS-based verification URL address is displayed, access the HTTPS-based URL address from your browser again. If the browser displays a message which indicates that the certificate is untrusted or the displayed information is incorrect, we recommend that you temporarily disable the HTTPS service for your domain name.
        • Make sure that the verification URL address can be accessed from all regions. The detection servers of DigiCert and GeoTrust are located outside the Chinese mainland. Check whether your site has mirror sites outside the Chinese mainland or uses the DNS service.
        • Check whether a 301 redirect or a 302 redirect is enabled for the verification URL address. If a redirect is enabled, you must cancel the related settings to disable the redirect.
          Note You can run the wget -S URL address command to check whether a redirect is enabled for the verification URL address.
        • If your domain name is a second-level domain such as aliyundoc.com, make sure that the third-level domains of the second-level domain are accessible. The third-level domains must start with www.. For example, if your second-level domain is aliyundoc.com, make sure that both http://<aliyundoc.com>/.well-known/pki-validation/fileauth.txt and http://<www.aliyundoc.com>/.well-known/pki-validation/fileauth.txt can be accessed. Otherwise, the domain name verification fails.
        • If your domain name is a third-level domain that starts with www., such as www.example.com, make sure that the second-level domain of the third-level domain can be accessed. For example, if your third-level domain is www.example.com, make sure that both http://<www.example.com>/.well-known/pki-validation/fileauth.txt and http://<example.com>/.well-known/pki-validation/fileauth.txt can be accessed. Otherwise, the domain name verification fails.
If the DNS configuration for domain name verification is correct, the CA verifies the ownership of your domain name and the information in your certificate application. Your certificate is issued within one to two business days. Wait until the certificate is issued.
Note If your domain name contains sensitive keywords, such as bank, pay, or live, manual verification may be triggered. The manual verification process may require a long period of time. Wait until the certificate is issued.