An SSL certificate, which today is based on the Transport Layer Security (TLS) standard that superseded SSL, is a digital certificate that verifies a website's identity and encrypts communications between a browser and a server. Issued by a trusted certificate authority (CA), it enables the HTTPS protocol, which secures data in transit. This topic covers the benefits, how it works, and how to use SSL certificates.
Key benefits
SSL/TLS certificates are an essential security measure for modern websites and provide the following benefits:
Data encryption: Encrypts data transmitted between a client, such as a browser, and a web server to prevent it from being intercepted or modified during transmission.
Identity authentication: Verifies the server's identity to protect users from spoofed or phishing websites.
Improves browser trust: Removes "Not Secure" warnings in browsers and displays a security lock icon in the address bar.
Compliance assurance: Helps you comply with cybersecurity and data protection regulations, such as MLPS 2.0 and the Payment Card Industry Data Security Standard (PCI DSS).
Search Engine Optimization (SEO): Major search engines prioritize and rank HTTPS websites higher.
How it works
The Transport Layer Security (TLS) protocol uses a hybrid encryption mechanism: asymmetric cryptography for identity verification and key exchange, and symmetric encryption for the data transmission itself.
Certificate issuance and validation (building the trust chain)
Request generation: The server generates a key pair (RSA 2048-bit or ECC 256-bit) and packages the public key with organization information into a Certificate Signing Request (CSR).
CA signing: After validating domain ownership, the Certificate Authority (CA) extracts the public key and applicant information from the CSR. The CA then combines this with issuer details, validity period, and extensions to construct the certificate content. Finally, it digitally signs the content with its private key to generate an X.509 standard certificate.
Trust establishment: The browser verifies the server certificate's signature by tracing it back to a pre-installed Root Certificate. This process establishes the Trust Chain.
Encrypted session establishment (TLS handshake)
Handshake initiation: The client sends a ClientHello message, which includes a list of supported protocol versions and Cipher Suites.
Certificate transfer: The server responds with a ServerHello message and sends its Certificate Chain.
Identity authentication: The client verifies the certificate's validity period and domain name match. It also confirms the certificate has not been revoked by checking a Certificate Revocation List (CRL) or by using the Online Certificate Status Protocol (OCSP). Some deployments use OCSP Stapling to optimize this process.
Key exchange: Both parties use a key exchange mechanism to generate a session key.
ECDHE mode (recommended): Both parties generate temporary key pairs, exchange public keys, and independently calculate the same Session Key.
RSA mode (legacy): The client generates a pre-master secret, encrypts it with the server's public key, and sends it. The server then decrypts it, and both parties derive the Session Key. Because every session key depends on the server's long-term private key, this mode offers no forward secrecy, which is why ECDHE is recommended.
Symmetric communication: After the TLS Handshake is complete, all subsequent data is symmetrically encrypted with the Session Key.
The public key in the certificate, based on an RSA, ECC, or SM2 algorithm, verifies the server's identity and establishes a secure channel for key exchange. For performance reasons, a negotiated symmetric key, such as AES, encrypts the actual data transmission. For more information, see What are public and private keys.
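The "Identity authentication" step above (validity period and domain name match) is easy to get wrong, especially for wildcard and Chinese (Punycode) names. The following is an added example, not code from the original page or from Alibaba Cloud; it runs the checks against a constructed record standing in for a parsed X.509 certificate, and the CRL/OCSP revocation check is deliberately left out because it needs a network lookup.

```python
# Added example, not from the original page: the client-side identity checks
# from the "Identity authentication" step, run against a constructed record
# standing in for a parsed X.509 certificate.
from datetime import datetime, timezone

def to_alabel(name: str) -> str:
    """Normalise a DNS name to lowercase ASCII A-labels (Punycode).
    Certificates carry Chinese and other IDN names as A-labels (xn--...),
    so both sides of a comparison are converted first (stdlib IDNA2003)."""
    out = []
    for lab in name.rstrip(".").lower().split("."):
        if not lab:
            raise ValueError("empty label")
        out.append(lab if lab == "*" else lab.encode("idna").decode("ascii"))
    return ".".join(out)

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match of one subjectAltName dNSName against the
    requested host: exact match, or a wildcard that is the whole leftmost
    label, stands for exactly one label, and spans at least two further
    labels (so *.com is rejected)."""
    try:
        p, h = to_alabel(pattern), to_alabel(hostname)
    except (UnicodeError, ValueError):  # empty, malformed or overlong label
        return False
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False          # partial wildcards such as w*.example.com
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def verify_identity(cert: dict, hostname: str, now: datetime) -> tuple[bool, str]:
    """Validity period first, then the host against the dNSName SANs.
    Revocation (CRL/OCSP) needs a network lookup and is not shown here."""
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "certificate is expired or not yet valid"
    if not any(hostname_matches(san, hostname) for san in cert["dns_names"]):
        return False, "hostname does not match any subjectAltName"
    return True, "ok"

# Constructed sample record; the dates and names are not from a real certificate.
SAMPLE_CERT = {
    "dns_names": ["example.com", "*.example.com", "xn--bcher-kva.example"],
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
}
```

The same normalisation is why the console asks for Chinese domain names in Punycode form: the certificate's subjectAltName holds the A-label, so a U-label must be converted before it can match.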
Certificate lifecycle
Purchase a certificate
Choose a certificate type that meets your business needs. For details, see SSL certificate selection guide.
Fill in the required information to purchase the certificate. For details, see Purchase commercial certificates.
Create a certificate
If you did not specify a domain to secure during the purchase, you must first create a certificate to link your purchased quota to a domain. The system provides a Quick Issue option during this process:
Select Quick Issue: You need to fill in the application information. After the certificate is created, the system automatically submits an application to the CA. You only need to complete the Domain ownership verification.
Do not select Quick Issue: After the certificate is created, you need to log on to the console and manually fill out and submit the application. For more information, see Submit an application to CA.
The certificate list only displays certificates that are bound to specific domains. A purchased quota that is not yet bound to a domain appears in the list only after you complete the Create Certificate step.
Apply for a certificate
Submit an application to the CA
You need to provide information based on the certificate type, such as the domain name or IP address that the certificate secures, contact information, company details, and business licenses. Then, submit the application to the CA. For more information, see Apply for a certificate.
Domain ownership verification
When submitting your application to the CA, you need to verify that you own the domain name. For more information, see Domain Ownership Validation.
Domain validated (DV) certificates support three verification methods: Automatic DNS Verification, Manual DNS Verification, and File Verification.
For organization validated (OV) and extended validation (EV) certificates, follow the instructions in the domain verification email sent by the CA to complete the process.
CA review
After you submit the application and complete the domain ownership verification, the CA reviews your application. To check the review status and results, see Handle CA review results. DV certificates are typically issued within 1 to 15 minutes. OV and EV certificates are typically issued within 5 calendar days.
Deploy a certificate
Once your certificate is issued, deploy the certificate files to your web server (such as Nginx, Apache, or IIS) or cloud service to enable HTTPS on your site. For more information, see Deploy SSL certificate.
If your server is located in the Chinese mainland, complete an ICP Filing. Otherwise, your website will be inaccessible.
If you use an Alibaba Cloud server, go to the Alibaba Cloud ICP Filing system to complete the ICP filing for your website. For more information, see ICP filing process.
If you do not use an Alibaba Cloud server, go to your server provider's ICP filing system or the MIIT ICP Filing website to complete the filing.
Lifecycle management
Renew a certificate
After an SSL certificate expires, you need to promptly renew it or apply for a new one. You also need to install the new SSL certificate to maintain your website's encrypted connection and security. For more information, see SSL certificate renewal and expiration.
Revoke a certificate
If a certificate is no longer in use, revoke it. For more information, see Revoke and delete a certificate.
Revocation is irreversible. Browsers and clients will treat revoked certificates as invalid during verification and display a security warning to visitors.
FAQ
Purchased certificate not found?
If you did not specify a domain to secure during the purchase, you only acquired a certificate quota, not the certificate itself. It will not appear in the certificate list. You need to Create an SSL certificate and specify a domain before it becomes visible.
Do SSL certificates support Chinese domain names?
Yes. If you want to secure a Chinese domain name, you must convert it to Punycode as prompted in the console before you can apply for a certificate. You can also use a transcoding tool to convert the domain name. For more information, see Convert a Chinese domain name.
Can I apply for an Alibaba Cloud SSL certificate if my DNS provider is not Alibaba Cloud?
Yes, you can. You only need to complete the domain ownership validation. This is independent of your DNS provider.
| Solution | Method | Advantage |
| --- | --- | --- |
| Configure the record at your current provider. | Log on to your current domain name platform and add the SSL certificate validation record (TXT) from Alibaba Cloud. Note: Contact your provider's support if you need assistance. | Fast and direct. No domain name transfer is required. |
| Transfer your domain to Alibaba Cloud. | Follow the steps to transfer a domain name to Alibaba Cloud. Once complete, you can manage all DNS records in the Alibaba Cloud DNS console. Important: Transferring a domain requires paying a one-year renewal fee. | Convenient for future certificate renewals and unified domain name management. |