All Products
Search
Document Center

Certificate Management Service:SSL certificate selection

Last Updated:May 19, 2026

Selecting the right SSL certificate is critical for securing your website, building visitor trust, and meeting compliance requirements. An incorrect choice can lead to service interruptions, security vulnerabilities, or unnecessary costs. This article provides a scenario-driven quick-match guide and a structured, parameter-based decision process to help you identify the required validation level, domain type, encryption algorithm, and brand, and select an optimal solution that balances security, compatibility, and cost-effectiveness.

Quick selection

Scenario 1: Personal, development, or test use

  • Use cases: Ideal for non-commercial and non-production purposes, such as personal blogs, portfolio websites, local development environments, CI/CD testing pipelines, and educational demonstrations.

  • Key needs: Low cost, fast deployment, and no need for high availability.

  • Recommended certificate type: DV single-domain or wildcard certificates.

  • Recommended brand: Alibaba Cloud.

Scenario 2: SMEs, e-commerce, and mini programs

  • Use cases: Public-facing production systems such as corporate websites, small to medium-sized e-commerce platforms, backend services for WeChat mini programs, and SaaS application gateways.

  • Key needs: Stable HTTPS encryption, a moderate level of trust, and high cost-effectiveness.

  • Recommended certificate type: DV wildcard certificate or OV single-domain certificate.

  • Validation level: DV or OV.

  • Domain support: Wildcard (*.aliyundoc.com) or single domain.

  • Recommended brands: Rapid, GeoTrust, DigiCert.

  • Important notes:

    • To protect multiple subdomains, a wildcard certificate is recommended.

    • If you want to display your company's information in the certificate to enhance user trust, choose an OV certificate.

Scenario 3: Finance, government, or high-trust services

  • Use cases: Mission-critical systems with extremely high security and compliance requirements, such as online banking, securities trading systems, government service platforms, large enterprise customer portals, and payment gateways.

  • Key needs: The highest level of identity assurance, industry compliance, and brand credibility.

  • Recommended certificate type: EV certificate or OV certificate.

  • Validation level: EV / OV.

  • Domain support: Single or multiple domains, depending on the business architecture. EV certificates do not support wildcard domains due to industry standard limitations. If you need a wildcard certificate, choose an OV certificate.

  • Recommended brands: GeoTrust, GlobalSign, DigiCert.

  • Important notes:

    • Major modern browsers, such as Chrome, Edge, and Safari, no longer display the company name directly in the address bar (the "green bar"). Company information now appears in the certificate details panel.

    • EV certificates still provide the highest standard of identity verification and have full legal validity. They remain the top choice for finance and government systems to prevent phishing attacks and build user trust.

Scenario 4: Public IP address access

  • Use cases: Devices or systems that serve traffic directly over a public IPv4 address and cannot be configured with a domain name, such as IoT gateways, edge servers, or legacy systems.

  • Recommended certificate type: OV single-domain certificate (supports IP).

  • Validation level: OV.

  • Domain support: Public IPv4 address (only for specific brands).

  • Recommended brands: GlobalSign, DigiCert, GeoTrust.

  • Important notes: Only OV single-domain certificates from GlobalSign, DigiCert, GeoTrust support binding to an IP address.

Selection parameters

Selection process

Use this guide to select a certificate that fits your business needs:

  • Step 1: Validation level

    • If you only need basic HTTPS encryption and do not need to display company information → Choose DV.

    • To display your organization's identity in the certificate and build user trust → Choose OV.

    • If you operate in a high-compliance sector such as finance, government, or payments → Choose EV.

  • Step 2: Domain type

    • To protect only a single domain (e.g., www.example.com) → Choose a single-domain certificate.

    • To protect all subdomains under the same root domain (e.g., *.example.com) → Choose a wildcard certificate.

    • To protect multiple different domains (e.g., a.com + b.com) → Choose a multi-domain certificate.

    • To protect both wildcard and single domains → Choose a hybrid-domain certificate.

    • To secure a public IP address directly (without a domain) → Choose a certificate that supports IP addresses (only some OV certificates support this feature).

  • Step 3: Encryption algorithm

    • For the widest compatibility (compatible with older devices and browsers) → Choose the RSA algorithm.

    • For higher performance and stronger security (ideal for mobile, IoT, etc.) → Choose the ECC algorithm.

  • Step 4: Certificate brand

    Based on your budget and preferences, review the Pricing Information and select a brand from Certificate Brands.

Validation levels (DV / OV / EV)

SSL certificates are classified by validation level: DV (Domain Validated), OV (Organization Validated), and EV (Extended Validation). These validation levels differ in required verification materials, average issuance time, and browser trust indicators.

Note

For personal websites without company information, you can only apply for a DV SSL certificate.

Feature

DV (Domain Validated)

OV (Organization Validated)

EV (Extended Validation)

Use case

Personal websites, app services, and development or testing environments.

Government organizations, small to medium-sized enterprises (SMEs), and educational institutions.

E-commerce sites, financial institutions, and large enterprises that handle transactions or sensitive private data.

Validation level

Low. The certificate authority (CA) only verifies domain ownership.

Medium. The CA verifies the organization's real-world identity.

High. The CA strictly verifies the organization's identity and legal status.

Verification method and documents

DNS verification.

Email or phone. Requires domain verification and submission of company information, and other documents.

Email or phone. Requires domain verification and submission of company information, and other documents.

Security level

Basic. Encrypts data in transit. The CA only verifies that the applicant controls the domain, so it does not confirm the identity of the organization behind the website.

Enhanced. Encrypts data in transit and displays the organization's verified identity in the certificate details. The CA verifies the organization's legal existence and physical address.

Maximum. Provides the highest level of identity assurance. The CA performs the most rigorous vetting, including verifying the organization's legal, physical, and operational existence. The certificate contains the verified organization name visible in browser certificate details.

Browser display

Displays the padlock icon and HTTPS indicator in the address bar. No organization identity is shown.

Displays the padlock icon and HTTPS indicator. The organization's verified name appears in the certificate details panel when users inspect the certificate.

Displays the padlock icon and HTTPS indicator. Modern browsers no longer show a green address bar, but the organization's verified identity is prominently displayed in the certificate details panel, providing the strongest visual trust signal available.

Price level

Lowest

Medium (DV < OV)

Highest (OV < EV)

Average issuance time

1–15 minutes.

5 calendar days

5 calendar days

How to choose a validation level

Use the following guidance to select the right validation level for your scenario:

  • DV certificate: Best for personal websites, mobile apps, or enterprise test environments. Choose DV when you only need basic HTTPS encryption without identity verification. It is the most cost-effective option with the fastest issuance time.

  • OV certificate: Recommended for government organizations, small to medium-sized enterprises (SMEs), and educational institutions that need to display their verified identity to visitors. Choose OV when your users need to know that a real, verified organization operates the website.

  • EV certificate: The top choice for large enterprises, financial institutions, and websites handling transactions or highly sensitive data. Choose EV when your business requires the highest level of identity trust and legal assurance. EV certificates undergo the most rigorous validation process.

Price hierarchy: DV certificates are the most affordable, followed by OV, with EV certificates at the highest price tier (DV < OV < EV). For detailed pricing, see Pricing Information.

Domain types

An SSL certificate must be bound to a domain name or IP address to take effect. The number and types of domains you need to secure determine the required certificate type and quantity. Alibaba Cloud supports certificates for the following domain types: single domain, multi-domain, wildcard domain, and hybrid domain. The following table compares these domain types and describes their corresponding certificates.

Domain type

Description

Notes

Single domain

Binds one certificate to a single, fully qualified domain name, such as www.aliyundoc.com.

Supports DV, OV, and EV validation levels.

Multi-domain

Binds one certificate to multiple domains or IP addresses. By default, you can add up to 5 domains.

To secure an IP address, you must use an OV certificate from a brand that supports IP addresses.

Wildcard domain

Uses the format *.aliyundoc.com to match all same-level subdomains. The asterisk * matches only one subdomain level.

For example, a wildcard domain *.aliyundoc.com matches www.aliyundoc.com and a.aliyundoc.com, but not a.b.aliyundoc.com or c.d.aliyundoc.com.

  • Supports only DV and OV certificates.

  • You can include only one wildcard domain per certificate application.

    Note

    To combine multiple wildcard domain certificates into one, see Certificate Consolidation Request.

Hybrid domain

A single certificate contains a mix of domain types, such as *.aliyundoc.com and demo.example.com.

Note

During the purchase or application process, you can merge multiple certificates of the same brand and type to create a hybrid domain certificate. For instructions, see Purchase a commercial SSL certificate or Certificate Consolidation Request.

  • OV and EV certificates: All brands support merging.

  • DV certificates: Only GlobalSign support merging.

  • GlobalSign DV hybrid domain certificates require all domains to share the same root domain. For example, if the root domain is aliyundoc.com, you can only merge its subdomains, such as a.aliyundoc.com and a.b.aliyundoc.com. Merging other root domains, such as aliyundoc.cn or aliyundoc01.com, is not supported.

IP address

Binds a single certificate to one public IPv4 address.

Only OV single-domain certificates from GlobalSign, DigiCert, GeoTrust support IP address binding.

Note

After a certificate is purchased and issued, it may include additional domains for free if certain conditions are met. For more information, see Rules for free domains included with SSL certificates.

Encryption algorithm (RSA / ECC)

  • RSA: An asymmetric encryption algorithm known for its excellent compatibility and widespread adoption.

  • ECC (elliptic curve cryptography): A modern asymmetric encryption algorithm that offers stronger security, faster performance, and lower resource consumption compared to RSA and is now widely supported by major browsers.

Item

RSA algorithm

ECC algorithm

Security and key length

Requires a longer key length. Supported key lengths are 2048-bit and 4096-bit.

Achieves the same security level with a much smaller key length.

  • 256-bit: Equivalent in security to a 2048-bit RSA key.

  • 384-bit: Equivalent in security to a 3072-bit RSA key.

Performance / Speed

Slower.

Faster, especially in resource-constrained environments like mobile and Internet of Things (IoT) devices.

Memory and CPU usage

High.

Low.

Compatibility

High.

Good, but not as widespread as RSA.

The following table lists the encryption algorithms supported by each SSL certificate brand and type.

Certificate brand

Certificate type

RSA

ECC

Signature algorithm

Key length

Signature algorithm

Key length

SHA256withRSA

SHA384withRSA

2048

4096

SHA256withECDSA

SHA384withECDSA

prime256v1

secp384r1

DigiCert

DV

Supported

Supported

Supported

Supported

Not supported

Not supported

Not supported

Not supported

OV

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Supported

EV

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Supported

GeoTrust

OV

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Supported

EV

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Supported

GlobalSign

DV

Supported

Supported

Supported

Supported

Not supported

Not supported

Not supported

Not supported

OV

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Supported

Rapid

DV

Supported

Supported

Supported

Supported

Not supported

Not supported

Not supported

Not supported

Alibaba Cloud

DV

Supported

Supported

Supported

Supported

Not supported

Not supported

Not supported

Not supported

Note

By default, SSL certificates are signed with the SHA256withRSA or SHA256withECDSA signature algorithm. You cannot select a signature algorithm that uses the SHA384 hash function on the Certificate Management Service console. To issue a certificate with this signature algorithm, you must create a CSR file locally and upload it to the console. For more information, see How to Create a CSR File and Upload CSR.

Certificate brands

When choosing a certificate brand, consider factors such as its supported validation levels, domain types, encryption algorithms, and price, as well as your business requirements and budget.

Note

If you need help choosing a certificate brand, visit the product details page and fill out the "certificate management service product inquiry" form to get pre-sales support.

Certificate brand

Certificate authority

Description

DigiCert

DigiCert, Inc.

DigiCert (formerly Symantec) is a leading certificate authority and a trusted SSL certificate brand. All its certificates use industry-leading encryption to secure a wide range of websites and servers.

Rapid

Rapid is an entry-level SSL certificate brand from DigiCert. It focuses on providing fast-issuance, cost-effective domain-validated (DV) certificates, which are ideal for the basic encryption needs of personal websites and small businesses.

GlobalSign

GMO GlobalSign Pte Ltd.

GlobalSign is one of the earliest certificate authorities (CAs). It specializes in cybersecurity certification and digital certificate services and is a trusted SSL certificate provider.

Alibaba Cloud

DigiCert, Inc.

Alibaba Cloud brand certificates are issued by DigiCert and offer cost-effective domain-validated (DV) certificates.

Pricing

The price of an SSL certificate varies by its type, validation level, domain type, and brand. Choose a certificate that fits your requirements and budget.

Important

The prices below are for reference only. The final price is shown on the Certificate Service purchase page.

Certificate brand

Validation level

Domain type

Price (USD/year)

Notes

Alibaba Cloud

DV

Single domain

75

/

Wildcard domain

300

/

GeoTrust

OV

Single domain

324

/

Wildcard domain

1020

/

Rapid

DV

Single domain

66

/

Wildcard domain

263

/

DigiCert

DV

Single domain

149

/

Wildcard domain

629

/

OV

Single domain

  • OV SSL: 484

  • OV Pro SSL: 1,325

/

Wildcard domain

  • OV SSL: 2,309

  • OV Pro SSL: 4,717

/

EV

Single domain

  • EV SSL: 1,118

  • EV Pro SSL: 1,837

/

GlobalSign

DV

Single domain

249

/

Wildcard domain

849

/

OV

Single domain

349

/

Wildcard domain

949

/

Multi-domain

749

Includes 5 single domains by default.

Purchase a certificate

To purchase a certificate, see Buy a Commercial Certificate.

FAQ

Certificates for IP addresses

Choose an OV single-domain certificate that supports IP addresses. When purchasing, select an OV certificate from one of the following brands: GlobalSign, DigiCert, GeoTrust. When applying, enter your public IP address.

Redeployment after renewal or reissuance

Yes. Each renewal or reissuance generates a new certificate. You must download the new certificate and deploy it to your web server to replace the old one.

Note

If you renew your certificate for multiple years and used Cloud Product Deployment for the previous certificate, Certificate Management Service (Original SSL Certificate) will automatically deploy the new one using Cloud Product Managed Deployment after it is issued. If the deployment fails, you will receive a notification by email, and internal message.

Does a wildcard certificate (for example, *.aliyundoc.com) include the root domain (aliyundoc.com)?

Yes. A certificate for a wildcard domain also includes the root domain for free. For example, a certificate for *.aliyundoc.com also protects aliyundoc.com.

Note

After a certificate is purchased and issued, it may include additional domains for free if certain conditions are met. For more information, see Rules for free domains included with SSL certificates.