Selecting the right SSL certificate is critical for securing your website, building visitor trust, and meeting compliance requirements. An incorrect choice can lead to service interruptions, security vulnerabilities, or unnecessary costs. This article provides a scenario-driven quick-match guide and a structured, parameter-based decision process to help you identify the required validation level, domain type, encryption algorithm, and brand, and select an optimal solution that balances security, compatibility, and cost-effectiveness.
Quick selection
Scenario 1: Personal, development, or test use
Use cases: Ideal for non-commercial and non-production purposes, such as personal blogs, portfolio websites, local development environments, CI/CD testing pipelines, and educational demonstrations.
Key needs: Low cost, fast deployment, and no need for high availability.
Recommended certificate type: DV single-domain or wildcard certificates.
Recommended brand: Alibaba Cloud.
Scenario 2: SMEs, e-commerce, and mini programs
Use cases: Public-facing production systems such as corporate websites, small to medium-sized e-commerce platforms, backend services for WeChat mini programs, and SaaS application gateways.
Key needs: Stable HTTPS encryption, a moderate level of trust, and high cost-effectiveness.
Recommended certificate type: DV wildcard certificate or OV single-domain certificate.
Validation level: DV or OV.
Domain support: Wildcard (
*.aliyundoc.com) or single domain.Recommended brands: Rapid, GeoTrust, DigiCert.
Important notes:
To protect multiple subdomains, a wildcard certificate is recommended.
If you want to display your company's information in the certificate to enhance user trust, choose an OV certificate.
Scenario 3: Finance, government, or high-trust services
Use cases: Mission-critical systems with extremely high security and compliance requirements, such as online banking, securities trading systems, government service platforms, large enterprise customer portals, and payment gateways.
Key needs: The highest level of identity assurance, industry compliance, and brand credibility.
Recommended certificate type: EV certificate or OV certificate.
Validation level: EV / OV.
Domain support: Single or multiple domains, depending on the business architecture. EV certificates do not support wildcard domains due to industry standard limitations. If you need a wildcard certificate, choose an OV certificate.
Recommended brands: GeoTrust, GlobalSign, DigiCert.
Important notes:
Major modern browsers, such as Chrome, Edge, and Safari, no longer display the company name directly in the address bar (the "green bar"). Company information now appears in the certificate details panel.
EV certificates still provide the highest standard of identity verification and have full legal validity. They remain the top choice for finance and government systems to prevent phishing attacks and build user trust.
Scenario 4: Public IP address access
Use cases: Devices or systems that serve traffic directly over a public IPv4 address and cannot be configured with a domain name, such as IoT gateways, edge servers, or legacy systems.
Recommended certificate type: OV single-domain certificate (supports IP).
Validation level: OV.
Domain support: Public IPv4 address (only for specific brands).
Recommended brands: GlobalSign, DigiCert, GeoTrust.
Important notes: Only OV single-domain certificates from GlobalSign, DigiCert, GeoTrust support binding to an IP address.
Selection parameters
Selection process
Use this guide to select a certificate that fits your business needs:
Step 1: Validation level
If you only need basic HTTPS encryption and do not need to display company information → Choose DV.
To display your organization's identity in the certificate and build user trust → Choose OV.
If you operate in a high-compliance sector such as finance, government, or payments → Choose EV.
Step 2: Domain type
To protect only a single domain (e.g.,
www.example.com) → Choose a single-domain certificate.To protect all subdomains under the same root domain (e.g.,
*.example.com) → Choose a wildcard certificate.To protect multiple different domains (e.g.,
a.com+b.com) → Choose a multi-domain certificate.To protect both wildcard and single domains → Choose a hybrid-domain certificate.
To secure a public IP address directly (without a domain) → Choose a certificate that supports IP addresses (only some OV certificates support this feature).
Step 3: Encryption algorithm
For the widest compatibility (compatible with older devices and browsers) → Choose the RSA algorithm.
For higher performance and stronger security (ideal for mobile, IoT, etc.) → Choose the ECC algorithm.
Step 4: Certificate brand
Based on your budget and preferences, review the Pricing Information and select a brand from Certificate Brands.
Validation levels (DV / OV / EV)
SSL certificates are classified by validation level: DV (Domain Validated), OV (Organization Validated), and EV (Extended Validation). These validation levels differ in required verification materials, average issuance time, and browser trust indicators.
For personal websites without company information, you can only apply for a DV SSL certificate.
Feature | DV (Domain Validated) | OV (Organization Validated) | EV (Extended Validation) |
Use case | Personal websites, app services, and development or testing environments. | Government organizations, small to medium-sized enterprises (SMEs), and educational institutions. | E-commerce sites, financial institutions, and large enterprises that handle transactions or sensitive private data. |
Validation level | Low. The certificate authority (CA) only verifies domain ownership. | Medium. The CA verifies the organization's real-world identity. | High. The CA strictly verifies the organization's identity and legal status. |
Verification method and documents | DNS verification. | Email or phone. Requires domain verification and submission of company information, and other documents. | Email or phone. Requires domain verification and submission of company information, and other documents. |
Security level | Basic. Encrypts data in transit. The CA only verifies that the applicant controls the domain, so it does not confirm the identity of the organization behind the website. | Enhanced. Encrypts data in transit and displays the organization's verified identity in the certificate details. The CA verifies the organization's legal existence and physical address. | Maximum. Provides the highest level of identity assurance. The CA performs the most rigorous vetting, including verifying the organization's legal, physical, and operational existence. The certificate contains the verified organization name visible in browser certificate details. |
Browser display | Displays the padlock icon and HTTPS indicator in the address bar. No organization identity is shown. | Displays the padlock icon and HTTPS indicator. The organization's verified name appears in the certificate details panel when users inspect the certificate. | Displays the padlock icon and HTTPS indicator. Modern browsers no longer show a green address bar, but the organization's verified identity is prominently displayed in the certificate details panel, providing the strongest visual trust signal available. |
Price level | Lowest | Medium (DV < OV) | Highest (OV < EV) |
Average issuance time | 1–15 minutes. | 5 calendar days | 5 calendar days |
How to choose a validation level
Use the following guidance to select the right validation level for your scenario:
DV certificate: Best for personal websites, mobile apps, or enterprise test environments. Choose DV when you only need basic HTTPS encryption without identity verification. It is the most cost-effective option with the fastest issuance time.
OV certificate: Recommended for government organizations, small to medium-sized enterprises (SMEs), and educational institutions that need to display their verified identity to visitors. Choose OV when your users need to know that a real, verified organization operates the website.
EV certificate: The top choice for large enterprises, financial institutions, and websites handling transactions or highly sensitive data. Choose EV when your business requires the highest level of identity trust and legal assurance. EV certificates undergo the most rigorous validation process.
Price hierarchy: DV certificates are the most affordable, followed by OV, with EV certificates at the highest price tier (DV < OV < EV). For detailed pricing, see Pricing Information.
Domain types
An SSL certificate must be bound to a domain name or IP address to take effect. The number and types of domains you need to secure determine the required certificate type and quantity. Alibaba Cloud supports certificates for the following domain types: single domain, multi-domain, wildcard domain, and hybrid domain. The following table compares these domain types and describes their corresponding certificates.
Domain type | Description | Notes |
Single domain | Binds one certificate to a single, fully qualified domain name, such as | Supports DV, OV, and EV validation levels. |
Multi-domain | Binds one certificate to multiple domains or IP addresses. By default, you can add up to 5 domains. | To secure an IP address, you must use an OV certificate from a brand that supports IP addresses. |
Wildcard domain | Uses the format For example, a wildcard domain |
|
Hybrid domain | A single certificate contains a mix of domain types, such as Note During the purchase or application process, you can merge multiple certificates of the same brand and type to create a hybrid domain certificate. For instructions, see Purchase a commercial SSL certificate or Certificate Consolidation Request. |
|
IP address | Binds a single certificate to one public IPv4 address. | Only OV single-domain certificates from GlobalSign, DigiCert, GeoTrust support IP address binding. |
After a certificate is purchased and issued, it may include additional domains for free if certain conditions are met. For more information, see Rules for free domains included with SSL certificates.
Encryption algorithm (RSA / ECC)
RSA: An asymmetric encryption algorithm known for its excellent compatibility and widespread adoption.
ECC (elliptic curve cryptography): A modern asymmetric encryption algorithm that offers stronger security, faster performance, and lower resource consumption compared to RSA and is now widely supported by major browsers.
Item | RSA algorithm | ECC algorithm |
Security and key length | Requires a longer key length. Supported key lengths are 2048-bit and 4096-bit. | Achieves the same security level with a much smaller key length.
|
Performance / Speed | Slower. | Faster, especially in resource-constrained environments like mobile and Internet of Things (IoT) devices. |
Memory and CPU usage | High. | Low. |
Compatibility | High. | Good, but not as widespread as RSA. |
The following table lists the encryption algorithms supported by each SSL certificate brand and type.
Certificate brand | Certificate type | RSA | ECC | ||||||
Signature algorithm | Key length | Signature algorithm | Key length | ||||||
SHA256withRSA | SHA384withRSA | 2048 | 4096 | SHA256withECDSA | SHA384withECDSA | prime256v1 | secp384r1 | ||
DigiCert | DV | ||||||||
OV | |||||||||
EV | |||||||||
GeoTrust | OV | ||||||||
EV | |||||||||
GlobalSign | DV | ||||||||
OV | |||||||||
Rapid | DV | ||||||||
Alibaba Cloud | DV | ||||||||
By default, SSL certificates are signed with the SHA256withRSA or SHA256withECDSA signature algorithm. You cannot select a signature algorithm that uses the SHA384 hash function on the Certificate Management Service console. To issue a certificate with this signature algorithm, you must create a CSR file locally and upload it to the console. For more information, see How to Create a CSR File and Upload CSR.
Certificate brands
When choosing a certificate brand, consider factors such as its supported validation levels, domain types, encryption algorithms, and price, as well as your business requirements and budget.
If you need help choosing a certificate brand, visit the product details page and fill out the "certificate management service product inquiry" form to get pre-sales support.
Certificate brand | Certificate authority | Description |
DigiCert | DigiCert, Inc. | DigiCert (formerly Symantec) is a leading certificate authority and a trusted SSL certificate brand. All its certificates use industry-leading encryption to secure a wide range of websites and servers. |
Rapid | Rapid is an entry-level SSL certificate brand from DigiCert. It focuses on providing fast-issuance, cost-effective domain-validated (DV) certificates, which are ideal for the basic encryption needs of personal websites and small businesses. | |
GlobalSign | GMO GlobalSign Pte Ltd. | GlobalSign is one of the earliest certificate authorities (CAs). It specializes in cybersecurity certification and digital certificate services and is a trusted SSL certificate provider. |
Alibaba Cloud | DigiCert, Inc. | Alibaba Cloud brand certificates are issued by DigiCert and offer cost-effective domain-validated (DV) certificates. |
Pricing
The price of an SSL certificate varies by its type, validation level, domain type, and brand. Choose a certificate that fits your requirements and budget.
The prices below are for reference only. The final price is shown on the Certificate Service purchase page.
Certificate brand | Validation level | Domain type | Price (USD/year) | Notes |
Alibaba Cloud | DV | Single domain | 75 | / |
Wildcard domain | 300 | / | ||
GeoTrust | OV | Single domain | 324 | / |
Wildcard domain | 1020 | / | ||
Rapid | DV | Single domain | 66 | / |
Wildcard domain | 263 | / | ||
DigiCert | DV | Single domain | 149 | / |
Wildcard domain | 629 | / | ||
OV | Single domain |
| / | |
Wildcard domain |
| / | ||
EV | Single domain |
| / | |
GlobalSign | DV | Single domain | 249 | / |
Wildcard domain | 849 | / | ||
OV | Single domain | 349 | / | |
Wildcard domain | 949 | / | ||
Multi-domain | 749 | Includes 5 single domains by default. |
Purchase a certificate
To purchase a certificate, see Buy a Commercial Certificate.
FAQ
Certificates for IP addresses
Choose an OV single-domain certificate that supports IP addresses. When purchasing, select an OV certificate from one of the following brands: GlobalSign, DigiCert, GeoTrust. When applying, enter your public IP address.
Redeployment after renewal or reissuance
Yes. Each renewal or reissuance generates a new certificate. You must download the new certificate and deploy it to your web server to replace the old one.
If you renew your certificate for multiple years and used Cloud Product Deployment for the previous certificate, Certificate Management Service (Original SSL Certificate) will automatically deploy the new one using Cloud Product Managed Deployment after it is issued. If the deployment fails, you will receive a notification by email, and internal message.
Does a wildcard certificate (for example, *.aliyundoc.com) include the root domain (aliyundoc.com)?
Yes. A certificate for a wildcard domain also includes the root domain for free. For example, a certificate for *.aliyundoc.com also protects aliyundoc.com.
After a certificate is purchased and issued, it may include additional domains for free if certain conditions are met. For more information, see Rules for free domains included with SSL certificates.