After purchasing a certificate, its status is Pending Application. Canceling the application returns the certificate quota to your account. This topic explains how to use your certificate quota to create an SSL certificate.
-
After purchase, a certificate defaults to the Pending Application state. You can then skip this topic and submit a request to the Certificate Authority (CA).
-
SSL Certificate Management V2.0 automatically creates a certificate in the Pending Application state after purchase. You do not need to create a certificate manually. This topic applies only to SSL Certificates Service (V1.0, which is no longer available for new purchases).
Prerequisites
You have purchased a paid certificate.
Workflow
Procedure
Log on to the Certificate Management Service console. In the left-side navigation pane, choose . On the Commercial Certificates tab, click Create Certificate.
Step 1: Configure basic information
Follow the instructions to configure the basic parameters. If you do not select Quick Issue, the certificate enters the Pending Application state after you provide the required information and click OK. You will need to submit an application to the Certificate Authority (CA) later.
-
Certificate Type
The system displays the types of certificates that you have purchased and can create. This can include single domain, multi-domain, and wildcard types. You can select a type only if you have purchased the corresponding certificate resources.
-
Certificate Specifications
Displays the certificate specifications you have purchased and their available quantities. If the required specification is not available, first purchase a commercial certificate.
-
Domain Name
Domain name requirements
Type matching: The domain type that you enter (single, multi-domain, or wildcard) must match your purchased certificate.
Length limits: The total length must not exceed 253 characters. Each label (a segment separated by the
.character) must not exceed 63 characters.
Special format requirements
Wildcard: Must start with
*, such as*.example.com.Chinese domain name: If you use a Chinese domain name, you must convert it to Punycode as prompted in the console. You can also use a conversion tool. For more information, see Chinese Domain Name Conversion.
IP addresses: Supported only by some OV single-domain certificates (Brands: GlobalSign and GeoTrust).
Suffix restrictions: DigiCert-branded certificates cannot be issued for domain names with special suffixes, such as
.edu,.gov,.org,.jp,.pay,.bank,.live,.nuclear, or.ru. This restriction does not apply to GlobalSign.-
Complimentary domain name: If your domain name is eligible, Alibaba Cloud provides a complimentary domain name.
-
Validity Period (Years)
Select the service duration for your certificate. Because certificate validity periods are decreasing, multiple certificates may be issued during the service period. For more information, see Changes in certificate validity periods.
-
Quick Issue
If you select Quick Issue, you must provide application details. After the certificate is created, the system automatically submits the certificate application to the CA. You must then complete domain name ownership verification. You do not need to submit the application again.
Step 2 (Optional): Provide application details (Quick Issue workflow)
If you select Quick Issue, provide the details that the CA requires for review. The required information varies by certificate type (DV, OV, or EV). After you provide this information and click Submit for Review, the certificate status changes to Validating Application, and you must then complete domain name ownership verification.
Certificate application information
DV certificates
-
Domain Verification Method
NoteCertificate purchase account: The Alibaba Cloud account used to purchase the target SSL certificate in the Certificate Management Service console.
DNS resolution account: The Alibaba Cloud account used to configure DNS resolution for the target domain name in Alibaba Cloud DNS.
The purchase and DNS accounts are different
Manual DNS Verification (recommended): Log on to your DNS service platform and add a TXT DNS record.
File Verification: Log on to your web server, and create and upload the required validation file to the specified directory.
ImportantWildcard domain names do not support file validation.
The purchase and DNS account are the same
The system uses the Automatic DNS Verification method. Alibaba Cloud automatically adds a DNS record for the domain name in Alibaba Cloud DNS to verify domain ownership. No manual operation is required.
-
Contact
Select a contact for this certificate application. The contact information includes an email address and a mobile number. To create or modify a contact, click Create Contact or Edit, or go to Contact Management.
-
Location
Select the city or region where the applicant is located.
-
Encryption Algorithm
Option
Security
Compatibility
Performance
Recommendation
RSA_2048
Medium
Widest
Middle
Recommended for general use and suitable for most web applications.
RSA_3072
High
Good
Lower
Suitable for scenarios with high security requirements, such as finance and payments.
RSA_4096
Very High
Fair
Low
Recommended only for top-secret or extremely high-security scenarios.
ECC_256
High
Good
Very High
Suitable for mobile applications, high-concurrency systems, and IoT devices.
RSA: An asymmetric key encryption algorithm based on the difficulty of factoring large integers. It is the most widely used and has excellent compatibility. Longer keys provide higher security but increase performance overhead.
ECC: An asymmetric key encryption algorithm based on the difficulty of the elliptic curve discrete logarithm problem. It achieves the same level of security as RSA with shorter keys, offers higher computational efficiency, and is suitable for resource-constrained environments such as mobile devices and IoT.
NoteCurrently, only some brands and types of certificates support the ECC. For more information, see SSL certificate selection.
-
CSR Generation
A Certificate Signing Request (CSR) is an application file submitted to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key. You must securely store the corresponding private key.
Automatic (recommended)
Alibaba Cloud automatically creates a CSR and a private key for you. After the certificate is issued, you can directly download the complete file that contains the private key.
Manual Entry
You can use tools such as OpenSSL or Keytool to manually generate a CSR and a private key file, which you must store securely. Then, copy the CSR content into the CSR File configuration item. For more information about how to create a CSR and a private key file, see How to create a CSR file.
ImportantSecurely store your private key. If you lose the private key, the certificate becomes unusable because the key is unrecoverable. You would need to generate a new key pair and request a certificate reissuance.
The encryption algorithm of the CSR must match the Key Algorithm selected above.
Select an Existing CSR
From the CSRs created or uploaded in the Certificate Management Service console, select the CSR that matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.
-
CSR File
This parameter is required only when CSR Generation is set to Manual or Select Existing CSR. Enter the content of your CSR file.
OV certificates
-
Contact
Select the contact for this certificate application. The contact information includes an email address and a mobile phone number. To create or modify a contact, click Create Contact or Edit, or go to Contact Management.
ImportantAfter the CA receives the certificate application, it sends a validation email to the contact's email address or communicates with the contact using their mobile phone number for the review. Make sure that the contact information is accurate and valid.
-
Company
Select the company information for this certificate application, including the name, phone number, and address. To create or modify company information, click Create Company Profile or Edit, or go to Company Information Management.
ImportantWhen you apply for an OV certificate for a .gov domain name, the organization name in the domain's WHOIS information must exactly match the company name.
-
Business License
After you select a Company, the system automatically identifies the business license picture uploaded for the company. If you did not upload a business license picture when you created the company, the business license picture is empty. To ensure a quick review by the CA, we recommend that you upload the company's business license picture.
-
Encryption Algorithm
Option
Security
Compatibility
Performance
Recommendation
RSA_2048
Medium
Widest
Middle
Recommended for general use and suitable for most web applications.
RSA_3072
High
Good
Lower
Suitable for scenarios with high security requirements, such as finance and payments.
RSA_4096
Very High
Fair
Low
Recommended only for top-secret or extremely high-security scenarios.
ECC_256
High
Good
Very High
Suitable for mobile applications, high-concurrency systems, and IoT devices.
RSA: An asymmetric key encryption algorithm based on the difficulty of factoring large integers. It is the most widely used and has excellent compatibility. Longer keys provide higher security but increase performance overhead.
ECC: An asymmetric key encryption algorithm based on the difficulty of the elliptic curve discrete logarithm problem. It achieves the same level of security as RSA with shorter keys, offers higher computational efficiency, and is suitable for resource-constrained environments such as mobile devices and IoT.
NoteCurrently, only some brands and types of certificates support the ECC. For more information, see SSL certificate selection.
-
CSR Generation
A Certificate Signing Request (CSR) is an application file submitted to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key. You must securely store the corresponding private key.
Automatic (recommended)
Alibaba Cloud automatically creates a CSR and a private key for you. After the certificate is issued, you can directly download the complete file that contains the private key.
Manual Entry
You can use tools such as OpenSSL or Keytool to manually generate a CSR and a private key file, which you must store securely. Then, copy the CSR content into the CSR File configuration item. For more information about how to create a CSR and a private key file, see How to create a CSR file.
ImportantSecurely store your private key. If you lose the private key, the certificate becomes unusable because the key is unrecoverable. You would need to generate a new key pair and request a certificate reissuance.
The encryption algorithm of the CSR must match the Key Algorithm selected above.
Select an Existing CSR
From the CSRs created or uploaded in the Certificate Management Service console, select the CSR that matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.
-
CSR File
This parameter is required only when CSR Generation is set to Manual or Select Existing CSR. Enter the content of your CSR file.
EV certificates
-
Contact
Select the contact for this certificate application. The contact information includes an email address and a mobile phone number. To create or modify a contact, click Create Contact or Edit, or go to Contact Management.
ImportantAfter the CA receives the certificate application, it sends a validation email to the contact's email address or communicates with the contact using their mobile phone number for the review. Make sure that the contact information is accurate and valid.
-
Company
Select the company information for this certificate application, including the name, phone number, and address. To create or modify company information, click Create Company Profile or Edit, or go to Company Information Management.
ImportantWhen you apply for an OV certificate for a .gov domain name, the organization name in the domain's WHOIS information must exactly match the company name.
-
Business License
After you select a Company, the system automatically identifies the business license picture uploaded for the company. If you did not upload a business license picture when you created the company, the business license picture is empty. To ensure a quick review by the CA, we recommend that you upload the company's business license picture.
-
Encryption Algorithm
Option
Security
Compatibility
Performance
Recommendation
RSA_2048
Medium
Widest
Middle
Recommended for general use and suitable for most web applications.
RSA_3072
High
Good
Lower
Suitable for scenarios with high security requirements, such as finance and payments.
RSA_4096
Very High
Fair
Low
Recommended only for top-secret or extremely high-security scenarios.
ECC_256
High
Good
Very High
Suitable for mobile applications, high-concurrency systems, and IoT devices.
RSA: An asymmetric key encryption algorithm based on the difficulty of factoring large integers. It is the most widely used and has excellent compatibility. Longer keys provide higher security but increase performance overhead.
ECC: An asymmetric key encryption algorithm based on the difficulty of the elliptic curve discrete logarithm problem. It achieves the same level of security as RSA with shorter keys, offers higher computational efficiency, and is suitable for resource-constrained environments such as mobile devices and IoT.
NoteCurrently, only some brands and types of certificates support the ECC. For more information, see SSL certificate selection.
-
CSR Generation
A Certificate Signing Request (CSR) is an application file submitted to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key. You must securely store the corresponding private key.
Automatic (recommended)
Alibaba Cloud automatically creates a CSR and a private key for you. After the certificate is issued, you can directly download the complete file that contains the private key.
Manual Entry
You can use tools such as OpenSSL or Keytool to manually generate a CSR and a private key file, which you must store securely. Then, copy the CSR content into the CSR File configuration item. For more information about how to create a CSR and a private key file, see How to create a CSR file.
ImportantSecurely store your private key. If you lose the private key, the certificate becomes unusable because the key is unrecoverable. You would need to generate a new key pair and request a certificate reissuance.
The encryption algorithm of the CSR must match the Key Algorithm selected above.
Select an Existing CSR
From the CSRs created or uploaded in the Certificate Management Service console, select the CSR that matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.
-
CSR File
This parameter is required only when CSR Generation is set to Manual or Select Existing CSR. Enter the content of your CSR file.
Advanced settings
Use the Advanced Settings to configure the Notification service for the certificate lifecycle.
-
Notification Status: Enabled by default.
-
Notification Method: You can configure Email Address, Text Message, Internal Message, and DingTalk/WeCom/Feishu.
-
Notification Content: You can configure three types of reminder messages: Business Notification, Alert Notification, and Product Change Notification.
-
Expiration Notification Frequency: Configure a reminder frequency policy. Options include: Only Once, Every Day, Every 3 Days, Every 5 Days, and Every 7 Days.
-
Expiration Deadline Notification: Configure how many days in advance to send reminders. Options include: 15 Days Before Expiration, 30 Days Before Expiration, 60 Days Before Expiration, and 90 Days Before Expiration.
The service period for the message reminder feature matches the validity period of the certificate. The service ends automatically when the certificate expires.
Next steps
Scenario 1: You selected Quick Issue.
After the certificate is created, the system automatically submits a certificate application to a CA. To track the application, hover over the
icon in the Status column and click View Progress in the tooltip. The Certificate Progress panel shows the review progress. You must then complete the domain name ownership verification.

Scenario 2: You did not select Quick Issue.
After a certificate is created, it appears in the certificate list with the status Pending Application. You must submit the certificate application to a CA for review. The CA issues the certificate only after your application is approved. For more information, see Submit an Application to a CA.

Complimentary domains for SSL certificates
When you purchase certain certificates, a complimentary domain is automatically included to cover both the www and non-www versions of your site. The rules vary by brand and certificate type.
Conditions
GlobalSign
-
DV: Domain validation must use DNS validation.
-
OV: No special restrictions.
-
EV: The domain must be an apex domain.
Alibaba Cloud
The bound domain must be the www subdomain corresponding to an apex domain.
-
A complimentary apex domain
aliyun.comis provided only when you bindwww.aliyun.com. -
If you bind a domain such as
aliyun.comor*.aliyun.com, the correspondingwwwsubdomain is not included.
DigiCert
-
DV: Domain validation must use DNS validation.
-
OV, EV: The domain must be an apex domain.
Alibaba Cloud
The domain must be a www subdomain (for example, www.aliyun.com).
This offer is not reciprocal. Securing an apex domain (such asaliyun.com) or a wildcard domain (such as*.aliyun.com) does not include thewwwsubdomain.
Purchase a certificate
To acquire a certificate, you must first place a purchase order and then apply to a certificate authority (CA) for issuance.
Step 1: Purchase options
Go to the SSL Certificate Management page, click , and fill in the required information as described below.
-
Domain Type:
Single Domain: An SSL certificate is attached to a primary domain name, a subdomain, or a public IP address (IPv4). Examples:
aliyun.com,abc.example.com, and1.1.X.X.Wildcard Domain: A wildcard certificate is used to protect a primary domain name and all its first-level subdomains.
Matching rules: Matches only subdomains at the same level. It cannot match subdomains across multiple levels. For example, a certificate for
*.aliyun.comcan matchdemo.aliyun.com, but cannot matchguide.demo.aliyun.com.Limits: By default, a certificate supports only one wildcard domain name. To include multiple wildcard domain names in a single certificate, see Merge certificate requests.
Multiple Domains: Used to attach multiple single domain names at the same time. You can attach up to five single domain names. Only single domain names are supported. Wildcard domain names are not supported.
-
Certificate Type:
The available certificate types vary depending on the domain type.
-
DV: A domain-validated certificate that requires only domain control validation. It is suitable for personal websites, informational sites, or test environments. This is the fastest and most affordable option.
-
OV: An organization-validated certificate that verifies both the domain and the organization's identity. It is suitable for government organizations, small to medium-sized enterprises, or educational institutions.
-
OV_PRO: Offers a higher level of encryption and security than a standard OV certificate.
-
EV: An extended validation certificate that involves the most rigorous corporate verification. It is suitable for large enterprises, financial institutions, and e-commerce sites that handle transactions and sensitive data.
-
EV_PRO: Offers a higher level of encryption and security than a standard EV certificate.
-
-
Brand:
Supports DigiCert, GlobalSign, and Alibaba Cloud. For more information, see SSL certificate selection guide.
ImportantDigiCert does not issue certificates for domains with special suffixes such as
.edu,.gov,.org,.jp,.pay,.bank,.live,.nuclear, or.ru. -
Domains: You can set this parameter only if you select the Multiple Domains type.
-
Certificate Instance Quantity: This value is fixed at 1 and cannot be changed.
-
Service Duration: The duration of the subscription or purchase.
ImportantA subscription period may include multiple certificates with different validity periods. For more information, see Changes to certificate validity periods.
-
Resource Group and Tag Key (optional): Associate the certificate with an Alibaba Cloud resource group and tag key for easier management and lookup. Both are optional. Not selecting them will not affect your certificate purchase, application, issuance, or subsequent deployment and use. You can safely ignore these options and proceed with the purchase.
If you have any questions during the purchase process, you can consult a technical expert on the product details page.
Step 2: Payment
Click Buy Now, read and agree to the Terms of Service, and then click Buy Now to complete the payment. After the purchase is complete, you can view your SSL certificate order on the Order and Refund Management page.
Step 3: View certificate
After you complete the purchase, the certificate appears in the Certificates with a status of Pending Application.
Next steps
If a certificate has the Pending Application status, you must submit a request to a certification authority (CA). A certificate is issued after the CA approves the request.
Complimentary rules
-
Single Domain certificate: The matching apex domain or
wwwsubdomain is automatically included.-
Certificate for
yourdomain.com→www.yourdomain.comadded for free -
Certificate for
www.yourdomain.com→yourdomain.comadded for free
-
-
Wildcard certificate: The corresponding apex domain is automatically included.
-
Certificate for
*.yourdomain.com→yourdomain.comadded for free
-
-
Multi-Domain certificate: The free domain offer applies only to the first domain listed in your certificate request. Example: If the first domain is
www.domain-a.com, the system addsdomain-a.comfor free. No complimentary domain is added for the second domain,domain-b.com.
FAQ
Insufficient certificate quota
|
Cause |
Solution |
|
Quota is occupied by certificates in the "Pending Application" state |
Check your certificate list for unneeded certificates in the "Pending Application" state. Click "Cancel Application". The quota is returned immediately after cancellation. Important
The quota is not returned if a certificate is revoked or deleted. |
|
All purchased quota is used or occupied |
To purchase additional certificate quota, go to the Purchase a paid certificate page. |
Chinese (IDN) domain names
When you apply for a certificate for a Chinese (IDN) domain name, you must convert it to Punycode. You can follow the prompts in the console or use a conversion tool. For more information, see Chinese Domain Name Conversion.