All Products
Search

This Product

    Certificate Management Service:SSL Certificates Service V2.0

    Document Center

    Certificate Management Service:SSL Certificates Service V2.0

    Last Updated:May 27, 2026

    Learn how to purchase, apply for, deploy, and automatically renew SSL certificates using the subscription-based SSL Certificates Service V2.0.

    Overview

    SSL Certificates Service V2.0 uses a subscription model. After purchase, the system creates a certificate instance. You must then complete the application process to obtain the certificate. The workflow includes:

    1. Purchase a certificate: Select a certificate type and subscription duration.

    2. Apply for a certificate: Provide your domain information and complete domain name validation.

    3. Wait for issuance: The certificate authority (CA) reviews your application and issues the certificate.

    4. Deploy the certificate: Install the certificate on your web server or a cloud product.

    5. Enable automatic hosting: (Optional) Enable automatic hosting to automate certificate renewal and deployment.

    If the CA-issued certificate validity is shorter than your subscription, you may need to repeat the application and deployment process. The validity period depends on the CA's policy at issuance. What is an SSL Certificate?.

    Step 1: Purchase a certificate

    Select a certificate type

    Choose a certificate type based on your validation, use case, and budget requirements.

    Type

    Validation method

    Use cases

    Description

    DV (Domain Validated)

    Domain ownership verification

    Personal websites, small businesses

    Verifies only domain ownership. Fast issuance (1 to 15 minutes) at a lower cost.

    OV (Organization Validated)

    Organization identity verification + domain name validation

    Corporate websites, e-commerce platforms

    Verifies organization authenticity. The certificate displays organization details. Issuance takes approximately 5 calendar days.

    EV (Extended Validation)

    Strict organization identity verification + domain name validation

    Financial institutions, large enterprises

    Highest level of validation, providing maximum trust. Issuance takes approximately 5 calendar days.

    To select certificate brands and domain types (single, multi-domain, or wildcard), use the SSL Certificate Selection Guide.

    Configure purchase parameters

    Log in to the Certificate Manager Service console and follow these steps to purchase a certificate:

    1. In the navigation pane, choose Certificate Management > SSL Certificate Management V2.0 to go to the SSL Certificate Management V2.0 page.

    2. On the Commercial Certificates tab, click Purchase Certificate.

    3. Select a Domain Type:

      1. Single Domain: Secures one fully qualified domain name (for example, www.example.com).

      2. Wildcard Domain: Secures one wildcard domain and its subdomains (for example, *.example.com).

      3. Multiple Domains: Secures multiple Single Domain and Wildcard Domain.

    4. Select a Certificate Type (DV, OV, or EV), a Certificate Brand (such as DigiCert, GeoTrust, or GlobalSign), and a Duration.

    5. Confirm your configuration and price, then complete the payment.

    After purchase, the system creates a certificate instance visible in the certificate list. Purchase an Official Certificate.

    Step 2: Apply for a certificate

    After purchase, submit an application and complete domain name validation to obtain a deployable certificate.

    Fill out the application form

    1. In the certificate list, find the certificate instance and click Certificate Application in the Actions column.

    2. Enter the Domains to Bind. The number of domains for each Domain Type must not exceed the purchased quantity.

    3. Enter the Contact information to receive notifications about the certificate application status.

    4. (OV/EV certificates only) Provide your organization's information, including the organization name and unified social credit code. The CA will verify this information.

    5. Select a Domain Validation Method:

      • Automatic DNS Verification: The system automatically adds a TXT record in Alibaba Cloud DNS. This is available for Alibaba Cloud domains only.

      • Manual DNS Verification: Manually add a TXT record to your domain's DNS resolution settings.

      • File Verification: Verify domain ownership by uploading a specified file to your web server.

    6. (Optional) Enable Auto-managed Certificate. If enabled, the system automatically applies for the next certificate before the current one expires.

    7. Confirm that the information is correct and click Submit Application.

    Submit an Application to a CA.

    Complete domain name validation

    After submitting the application, verify domain ownership using your selected method:

    • Manual DNS validation: Log in to your domain's DNS management console and add a TXT record. Set the record's value to the verification string provided by the CA. After adding the record, return to the certificate list and click Verify to confirm the configuration.

    • Automatic DNS validation: If you use Alibaba Cloud DNS, the system automatically adds the required TXT record. No manual action is needed.

    • Email validation (OV/EV certificates): The CA sends a verification email to the address registered with your organization. Follow the instructions in the email to reply or click the verification link to complete the validation.

    Domain Ownership Verification.

    Important

    Complete domain validation promptly after submitting the application to avoid issuance delays.

    Step 3: Wait for certificate issuance

    After domain validation, the CA reviews your application and issues the certificate. Process CA Review Results.

    Issuance time

    Type

    Estimated issuance time

    DV (Domain Validated) certificate

    1 to 15 minutes (automated review)

    OV (Organization Validated) / EV (Extended Validation) certificate

    Approximately 5 calendar days (manual review)

    Check the issuance status

    You can check the Status in the certificate list:

    • Pending Application: You need to fill out and submit the application form.

    • Verifying: The application has been submitted and is awaiting CA review.

    • Issued: The certificate has been issued and is ready for download and deployment.

    • Validation Failed: The review was unsuccessful. You need to resubmit the application based on the failure reason.

    Step 4: Deploy the certificate

    After issuance, deploy the certificate to your web server or cloud product to enable HTTPS. SSL Certificate Deployment Solutions.

    Deployment methods

    Two deployment methods are available:

    • Automatic deployment via console: Deploy with a single click to Alibaba Cloud products such as SLB, CDN, WAF, and ECS.

    • Manual download and deployment: Download certificate files and configure them on self-managed servers (Nginx, Apache, IIS, Tomcat).

    Automatic console deployment (cloud products)

    1. In the certificate list, find the issued certificate and click Deploy in the Actions column.

    2. Select the target cloud product (such as Server Load Balancer (SLB) or Web Application Firewall (WAF)). The product must be activated and configured first.

    3. Confirm the deployment configuration.

    After deployment, the certificate syncs to the selected cloud product and appears in its console.

    Manual deployment (self-managed servers)

    1. In the certificate list, find the issued certificate and click Download in the Actions column.

    2. Select the corresponding web server type (such as Nginx, Apache, IIS, or Tomcat) and download the compressed certificate file package.

    3. Unzip the downloaded package to get the certificate and private key files.

    4. Log in to your web server and upload the certificate and private key files to the specified directory.

    5. Modify the configuration file to add the HTTPS configuration according to your web server type.

    6. Restart the web server for the changes to take effect.

    Step 5: Configure certificate hosting (optional)

    As CA/Browser Forum policies shorten SSL/TLS certificate validity periods, enable automatic hosting to prevent expiration-related disruptions.

    You can enable it during application or after issuance:

    • Enable upon application: Enable hosting when you apply for a certificate. You can disable it later from the certificate list.

    • Enable/disable after issuance: In the certificate list, find the target certificate and click Enable Auto-Management.

    What is Certificate Hosting Service?

    Troubleshooting and FAQ

    Problem

    Description

    Solution

    Certificate application review failed.

    Domain name validation failed or organization information is incomplete.

    Verify your domain validation record is correct, provide any missing organization information, and resubmit the application.

    Certificate deployment failed.

    The cloud product instance is in an abnormal state or the domain has not completed its ICP filing.

    Check if the cloud product instance is running normally and confirm that the domain has completed its ICP filing.

    Automatic hosting failed.

    Insufficient hosting credits or insufficient account balance.

    Add funds to your account or manually purchase hosting credits.

    The downloaded certificate is unusable.

    The certificate files are incomplete or the server configuration is incorrect.

    Confirm that the downloaded package includes the certificate chain and the private key. Check your server's configuration file for syntax errors.

    Browser shows a "Certificate Not Trusted" error.

    The certificate was not installed correctly or the intermediate certificate is missing.

    Reinstall the certificate and make sure to include the intermediate certificate.

    Related FAQ topics: