Selecting the right SSL certificate is critical for securing your website, building visitor trust, and meeting compliance requirements. An incorrect choice can lead to service interruptions, security vulnerabilities, or unnecessary costs. This guide helps you quickly identify the best certificate for your needs by validation level, domain type, encryption algorithm, and brand. Using scenario-driven matching and a structured decision-making process, you can find an optimal solution that balances security, compatibility, and cost-effectiveness.
Quick selection
Scenario 1: Personal projects, development and testing, or non-commercial websites
Use cases: Personal blogs, portfolio sites, local development environments, CI/CD test pipelines, and teaching demos. These use cases are for non-commercial and non-production use only.
Key needs: Low cost and fast deployment. High availability is not required.
Recommended certificate type: Domain validated (DV) single-domain or wildcard certificate.
Recommended: Alibaba Cloud.
Scenario 2: SME official websites, e-commerce, mini programs, and other production services
Use cases: Corporate official websites, small-to-medium e-commerce platforms, WeChat mini program backend services, and SaaS application entry points. These are all public-facing production systems.
Key needs: Stable HTTPS encryption, moderate trust display, and cost-effectiveness.
Recommended certificate type: DV wildcard certificate or organization validated (OV) single-domain certificate.
Validation level: DV or OV.
Domain support: Wildcard (
*.aliyundoc.com) or single domain.Recommended brands: Recommended brands include Rapid, GeoTrust, and DigiCert..
Important notes:
To protect multiple subdomains, a wildcard certificate is the recommended choice.
If you want to display company information in the certificate to build user trust, choose an OV certificate.
Scenario 3: Finance, government, large enterprises, or high-trust services
Use cases: Online banking, securities trading systems, government service platforms, large enterprise customer portals, and payment gateways. These are mission-critical systems with strict security and compliance requirements.
Key needs: The highest trust endorsement, industry compliance, and brand credibility.
Recommended certificate type: Extended validation (EV) or OV certificate.
Validation level: EV or OV.
Domain support: Single domain or multi-domain, based on your architecture. EV certificates do not support wildcard domains due to an industry standard limitation. You should choose an OV certificate if you need a wildcard certificate.
Recommended brands: Recommended brands include GeoTrust, GlobalSign, and DigiCert..
Important notes:
Major modern browsers such as Chrome, Edge, and Safari no longer display the company name directly in the address bar (green bar). Company information now appears in the certificate details panel.
EV certificates still meet the highest identity verification standards and have full legal validity. They remain the top choice for finance and government systems to prevent phishing attacks and build user trust.
Scenario 4:Service accessed by public IP address (no domain)
Use cases: Devices or systems that serve traffic directly over a public IPv4 address and cannot use a domain name, such as IoT gateways, edge servers, and legacy systems.
Recommended certificate type: OV single-domain certificate that supports IP addresses.
Validation level: OV.
Domain support: Public IPv4 address. This is supported only by select brands.
Recommended brands: Recommended brands include GlobalSign, DigiCert, and GeoTrust..
Important notes: Only OV single-domain certificates from GlobalSign, DigiCert, GeoTrust support binding to IP addresses.
Selection parameter details
Selection flow
Follow these steps to determine the core parameters of your certificate based on your actual business needs:
Step 1: Select a validation level
If you only need basic HTTPS encryption without displaying company information, choose DV.
If you want to display your company's identity to build user trust, choose OV.
If you operate in high-compliance sectors such as finance, government, or payments, choose EV.
Step 2: Select a domain type
To protect only one domain, such as
www.example.com, choose a single-domain certificate.To protect all subdomains under one root domain, such as
*.example.com, choose a wildcard certificate.To protect multiple different domains, such as
a.comandb.com, choose a multi-domain certificate.If you need mixed protection for a wildcard domain and a single domain, choose a multi-domain certificate.
If the service is accessed by a public IP address without a domain, choose a certificate that supports IP binding. Only some OV certificates support this.
Step 3: Select an encryption algorithm
If you need the broadest compatibility with older devices and browsers, choose the RSA algorithm.
If you need better performance and stronger security, which is ideal for mobile or IoT, choose the ECC algorithm.
Step 4: Select a certificate brand
Based on your budget and preferences, review the pricing in Pricing Information and then select a brand from Certificate Brands.
Validation levels (DV / OV / EV)
SSL certificates fall into three validation levels: DV, OV, and EV. These levels differ in the required verification materials, issuance time, and how trust is displayed.
Individual websites without company information can apply only for DV (domain-only) SSL certificates.
Comparison item | DV | OV | EV |
Use case | Personal websites, app services, enterprise testing. | Government organizations, SMEs, or educational institutions. | Large enterprises, financial institutions, e-commerce sites handling transactions and private data. |
Validation level | Low. The CA verifies only domain ownership. | The CA validates the enterprise's identity. | High. The CA strictly reviews the organization and legal identity. |
Verification method and documents | DNS verification. | Email or phone. Submit domain, company info. | Email or phone. Submit domain, company info. |
Average issuance time | 1–15 minutes. | 5 calendar days | 5 calendar days |
Domain types (single domain / wildcard / multi-domain)
An SSL certificate works only when it is bound to a domain or IP address. Your website’s domain type and the number of domains you have directly determine which certificate type and the number of certificates you need. Alibaba Cloud supports the following certificate types: single domain, multi-domain, and wildcard domain. The table below compares each type.
Domain type | Selection guidance | Important notes |
Single domain | Binds one certificate to exactly one full domain, such as | Supports DV, OV, and EV validation levels. |
Multi-domain | Binds one certificate to multiple domains or IP addresses, up to 5 by default. | To include IP addresses, you must use one of the OV certificate brands listed above that support IP binding. |
Wildcard domain | Uses the format For example, a wildcard domain |
|
IP | Binds one certificate to one public IPv4 address. | Only OV single-domain certificates from GlobalSign, DigiCert, GeoTrust support IP binding. |
After you purchase and issue a certificate, extra domains may be included for free if certain conditions are met. For more information, see Certificate Domain Gift Rules.
Encryption algorithms (RSA / ECC)
RSA: A widely used asymmetric encryption algorithm that offers the best compatibility and broadest adoption.
ECC (Elliptic Curve Cryptography): A newer algorithm than RSA that is more advanced, secure, faster, and less resource-intensive. It is now widely supported in major browsers.
Comparison item | RSA algorithm | ECC algorithm |
Security and key length | Requires longer keys, supporting 2048-bit and 4096-bit lengths. | Provides equivalent security with smaller keys.
|
Performance efficiency / Encryption and decryption speed | Slow. | Faster, and especially efficient on low-resource devices such as mobile and IoT devices. |
Memory and CPU usage | Higher. | Lower. |
Compatibility | Good. | Fair. Slightly lower than RSA. |
Supported encryption algorithms by certificate brand and type:
Certificate brand | Certificate type | RSA | ECC | ||||||
Signature algorithm | Key length | Signature algorithm | Key length | ||||||
SHA256withRSA | SHA384withRSA | 2048 | 4096 | SHA256withECDSA | SHA384withECDSA | prime256v1 | secp384r1 | ||
DigiCert | DV | ||||||||
OV | |||||||||
EV | |||||||||
GeoTrust | OV | ||||||||
EV | |||||||||
GlobalSign | DV | ||||||||
OV | |||||||||
Rapid | DV | ||||||||
Alibaba Cloud | DV | ||||||||
The default SSL certificate signature algorithm is SHA256withRSA or SHA256withECDSA. You cannot select SHA384-based signature algorithms, such as SHA384withRSA, in the Certificate Management Service console. To use such an algorithm, you must create a CSR file locally and upload it to the console. For more information, see How to Create a CSR File and Upload CSR.
Certificate brands
When you choose a certificate brand, you should consider the supported validation levels, domain types, encryption algorithms, and price, and match them with your business needs and budget.
If you still cannot decide on a brand, visit the product page, fill out the “Certificate Management Service Product Inquiry” form, and obtain pre-sales support.
Certificate brand | Certification authority | Description |
DigiCert | DigiCert, Inc. | DigiCert (formerly Symantec) is a well-known certificate authority and trusted SSL certificate brand. All certificates use industry-leading encryption to secure websites and servers. |
Rapid | Rapid is an entry-level SSL certificate brand from DigiCert. It focuses on fast issuance and high value for money for domain-validated (DV) certificates—ideal for personal websites and small business basic encryption needs. | |
GlobalSign, Alibaba Cloud | GMO GlobalSign Pte Ltd. | GlobalSign is one of the earliest digital certificate CAs. It has long focused on cybersecurity certification and digital certificate services—and is a trusted CA and SSL provider. Compared to other brands, Alibaba Cloud certificates offer better pricing. |
Pricing reference
SSL certificate prices depend on the certificate type, validation level, domain type, and brand. You can choose a certificate based on your actual needs and budget.
The retail prices listed below are for reference only. For current pricing, go to the Certificate Service Purchase Page.
Certificate brand | Certificate type | Domain type | Price (USD per certificate per year) | Notes |
Alibaba Cloud | DV | Single domain | 99 | / |
Wildcard domain | 199 | / | ||
GeoTrust | OV | Single domain | 324 | / |
Wildcard domain | 1020 | / | ||
Rapid | DV | Single domain | 66 | / |
Wildcard domain | 263 | / | ||
DigiCert | DV | Single domain | 149 | / |
Wildcard domain | 629 | / | ||
OV | Single domain |
| / | |
Wildcard domain |
| / | ||
EV | Single domain |
| / | |
GlobalSign | DV | Single domain | 249 | / |
Wildcard domain | 849 | / | ||
OV | Single domain | 349 | / | |
Wildcard domain | 949 | / | ||
Multi-domain | 749 | Includes up to 5 single domains by default. |
Buy a certificate
For instructions on how to buy a certificate, see Buy a Commercial Certificate.
FAQ
I have only a public IP address—not a domain name. Which certificate should I choose?
You should choose an OV single-domain certificate that supports IP binding. During the purchase process, select an OV certificate from GlobalSign, DigiCert, GeoTrust, and enter your public IP address during the application process.
After renewal or reissuance, do I need to redeploy the certificate?
Yes, you do. Each renewal or reissuance generates a new certificate. You must download the new certificate file and deploy it to your web server to replace the old one.
If you renew and buy a multi-year certificate, and the previous certificate was deployed to Alibaba Cloud products, such as ALB, WAF, CDN, or DDoS, using Cloud Product Deployment, the Certificate Management Service (Original SSL Certificate) automatically deploys the new certificate to those cloud products using Cloud Product Managed Deployment. If the deployment fails, the system sends notifications by email, and internal message.
Does a wildcard certificate (e.g., *.aliyundoc.com) include the root domain (aliyundoc.com)?
Yes, it does. Binding a wildcard domain automatically includes the matching root domain. For example, a certificate for *.aliyundoc.com also protects aliyundoc.com.
After you purchase and issue a certificate, extra domains may be included for free if certain conditions are met. For more information, see Certificate Domain Gift Rules.