All Products
Search
Document Center

Certificate Management Service:Submit a CA application

Last Updated:May 14, 2026

After you purchase an SSL certificate, if its status is Pending Application, you must submit an application to a certificate authority (CA) to start the verification and issuance process. Depending on the certificate type (DV, OV, or EV), you need to provide a domain name or IP address, contact details, and any business documents required for OV or EV certificates. The CA issues the certificate for HTTPS encryption only after it validates that your information is complete and accurate.

Before you begin

This topic applies to certificates whose status is Pending Application.

Application process

image

Use case 1: Single certificate application

Commercial certificates come in three types: DV, OV, and EV. The information you must provide to the CA varies by type and can include the domain name or IP address to bind, the domain verification method, contact details, and company information.

  1. Log in to the Certificate Management Service console.

  2. In the left navigation pane, choose Certificate Management > SSL Certificate Management.

  3. On the Commercial Certificates tab, click Apply for Certificate in the Actions column of the target certificate. Alternatively, hover over the 状态标签 icon in the Status column and click Apply for Certificate.

  4. In the certificate application panel, configure the following settings and click Submit.

    Note

    Certificate Management Service sends the information you submit, such as bound domains and contact details, to the CA for review.

    DV certificate

    • Domains to Bind

      • Domain name requirements

        • Type matching: The domain type that you enter (single, multi-domain, or wildcard) must match your purchased certificate.

        • Length limits: The total length must not exceed 253 characters. Each label (a segment separated by the . character) must not exceed 63 characters.

      • Special format requirements

        • Wildcard: Must start with *, such as *.example.com.

        • Chinese domain name: If you use a Chinese domain name, you must convert it to Punycode as prompted in the console. You can also use a conversion tool. For more information, see Chinese Domain Name Conversion.

        • IP addresses: Supported only by some OV single-domain certificates (Brands: GlobalSign and GeoTrust).

      • Suffix restrictions: DigiCert-branded certificates cannot be issued for domain names with special suffixes, such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, or .ru. This restriction does not apply to GlobalSign.

      • Complimentary domain names: When you purchase a commercial certificate from Certificate Management Service and bind it to your domain name, Alibaba Cloud provides a corresponding complimentary domain name if your domain name is eligible for a commercial certificate.

      Important

      After you first apply for a DigiCert DV or Rapid DV certificate, the domain name is locked. If you withdraw the application or reapply after revoking the certificate, you cannot change the domain name. To use a different domain name, purchase a new certificate.

    • Auto-managed Certificate

      Specifies whether to enable auto-renewal. When enabled, the system automatically applies for a new certificate before the current one expires.

    • Domain Verification Method

      Note
      • Certificate purchase account: The Alibaba Cloud account used to purchase the target SSL certificate in the Certificate Management Service console.

      • DNS resolution account: The Alibaba Cloud account used to configure DNS resolution for the target domain name in Alibaba Cloud DNS.

      The purchase and DNS accounts are different

      • Manual DNS Verification (recommended): Log on to your DNS service platform and add a TXT DNS record.

      • File Verification: Log on to your web server, and create and upload the required validation file to the specified directory.

        Important

        Wildcard domain names do not support file validation.

      The purchase and DNS account are the same

      The system uses the Automatic DNS Verification method. Alibaba Cloud automatically adds a DNS record for the domain name in Alibaba Cloud DNS to verify domain ownership. No manual operation is required.

    • Contact

      Select the contact for this certificate application. The contact information includes an email address and a mobile phone number. To create or modify a contact, click Create Contact or Edit, or go to Contact Management.

      Important

      After the CA receives the certificate application, it sends a validation email to the contact's email address or communicates with the contact using their mobile phone number for the review. Make sure that the contact information is accurate and valid.

    • Location

      Select the city or region where the applicant is located.

    • Encryption Algorithm

      Option

      Security

      Compatibility

      Performance

      Recommendation

      RSA_2048

      Medium

      Widest

      Middle

      Recommended for general use and suitable for most web applications.

      RSA_3072

      High

      Good

      Lower

      Suitable for scenarios with high security requirements, such as finance and payments.

      RSA_4096

      Very High

      Fair

      Low

      Recommended only for top-secret or extremely high-security scenarios.

      ECC_256

      High

      Good

      Very High

      Suitable for mobile applications, high-concurrency systems, and IoT devices.

      • RSA: An asymmetric key encryption algorithm based on the difficulty of factoring large integers. It is the most widely used and has excellent compatibility. Longer keys provide higher security but increase performance overhead.

      • ECC: An asymmetric key encryption algorithm based on the difficulty of the elliptic curve discrete logarithm problem. It achieves the same level of security as RSA with shorter keys, offers higher computational efficiency, and is suitable for resource-constrained environments such as mobile devices and IoT.

      Note

      Currently, only some brands and types of certificates support the ECC. For more information, see SSL certificate selection.

    • CSR Generation

      A Certificate Signing Request (CSR) is an application file submitted to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key. You must securely store the corresponding private key.

      Automatic (recommended)

      Alibaba Cloud automatically creates a CSR and a private key for you. After the certificate is issued, you can directly download the complete file that contains the private key.

      Manual Entry

      You can use tools such as OpenSSL or Keytool to manually generate a CSR and a private key file, which you must store securely. Then, copy the CSR content into the CSR File configuration item. For more information about how to create a CSR and a private key file, see How to create a CSR file.

      Important
      • Securely store your private key. If you lose the private key, the certificate becomes unusable because the key is unrecoverable. You would need to generate a new key pair and request a certificate reissuance.

      • The encryption algorithm of the CSR must match the Key Algorithm selected above.

      Select an Existing CSR

      From the CSRs created or uploaded in the Certificate Management Service console, select the CSR that matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.

    • CSR File

      This parameter is required only when CSR Generation is set to Manual or Select Existing CSR. Enter the content of your CSR file.

    OV certificate

    Note

    After you submit an OV certificate application, the CA sends domain ownership verification instructions to the contact by email or phone. The contact must complete the verification promptly to confirm domain ownership.

    • Domains to Bind

      • Domain name requirements

        • Type matching: The domain type that you enter (single, multi-domain, or wildcard) must match your purchased certificate.

        • Length limits: The total length must not exceed 253 characters. Each label (a segment separated by the . character) must not exceed 63 characters.

      • Special format requirements

        • Wildcard: Must start with *, such as *.example.com.

        • Chinese domain name: If you use a Chinese domain name, you must convert it to Punycode as prompted in the console. You can also use a conversion tool. For more information, see Chinese Domain Name Conversion.

        • IP addresses: Supported only by some OV single-domain certificates (Brands: GlobalSign and GeoTrust).

      • Suffix restrictions: DigiCert-branded certificates cannot be issued for domain names with special suffixes, such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, or .ru. This restriction does not apply to GlobalSign.

      • Complimentary domain names: When you purchase a commercial certificate from Certificate Management Service and bind it to your domain name, Alibaba Cloud provides a corresponding complimentary domain name if your domain name is eligible for a commercial certificate.

    • Contact

      Select the contact for this certificate application. The contact information includes an email address and a mobile phone number. To create or modify a contact, click Create Contact or Edit, or go to Contact Management.

      Important

      After the CA receives the certificate application, it sends a validation email to the contact's email address or communicates with the contact using their mobile phone number for the review. Make sure that the contact information is accurate and valid.

    • Company

      Select the company information for this certificate application, including the name, phone number, and address. To create or modify company information, click Create Company Profile or Edit, or go to Company Information Management.

      Important

      When you apply for an OV certificate for a .gov domain name, the organization name in the domain's WHOIS information must exactly match the company name.

    • Encryption Algorithm

      Option

      Security

      Compatibility

      Performance

      Recommendation

      RSA_2048

      Medium

      Widest

      Middle

      Recommended for general use and suitable for most web applications.

      RSA_3072

      High

      Good

      Lower

      Suitable for scenarios with high security requirements, such as finance and payments.

      RSA_4096

      Very High

      Fair

      Low

      Recommended only for top-secret or extremely high-security scenarios.

      ECC_256

      High

      Good

      Very High

      Suitable for mobile applications, high-concurrency systems, and IoT devices.

      • RSA: An asymmetric key encryption algorithm based on the difficulty of factoring large integers. It is the most widely used and has excellent compatibility. Longer keys provide higher security but increase performance overhead.

      • ECC: An asymmetric key encryption algorithm based on the difficulty of the elliptic curve discrete logarithm problem. It achieves the same level of security as RSA with shorter keys, offers higher computational efficiency, and is suitable for resource-constrained environments such as mobile devices and IoT.

      Note

      Currently, only some brands and types of certificates support the ECC. For more information, see SSL certificate selection.

    • CSR Generation

      A Certificate Signing Request (CSR) is an application file submitted to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key. You must securely store the corresponding private key.

      Automatic (recommended)

      Alibaba Cloud automatically creates a CSR and a private key for you. After the certificate is issued, you can directly download the complete file that contains the private key.

      Manual Entry

      You can use tools such as OpenSSL or Keytool to manually generate a CSR and a private key file, which you must store securely. Then, copy the CSR content into the CSR File configuration item. For more information about how to create a CSR and a private key file, see How to create a CSR file.

      Important
      • Securely store your private key. If you lose the private key, the certificate becomes unusable because the key is unrecoverable. You would need to generate a new key pair and request a certificate reissuance.

      • The encryption algorithm of the CSR must match the Key Algorithm selected above.

      Select an Existing CSR

      From the CSRs created or uploaded in the Certificate Management Service console, select the CSR that matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.

    • CSR File

      This parameter is required only when CSR Generation is set to Manual or Select Existing CSR. Enter the content of your CSR file.

    EV certificate

    Note

    After you submit an EV certificate application, the CA sends domain ownership verification instructions to the contact by email or phone. The contact must complete the verification promptly to confirm domain ownership.

    • Domains to Bind

      • Domain name requirements

        • Type matching: The domain type that you enter (single, multi-domain, or wildcard) must match your purchased certificate.

        • Length limits: The total length must not exceed 253 characters. Each label (a segment separated by the . character) must not exceed 63 characters.

      • Special format requirements

        • Wildcard: Must start with *, such as *.example.com.

        • Chinese domain name: If you use a Chinese domain name, you must convert it to Punycode as prompted in the console. You can also use a conversion tool. For more information, see Chinese Domain Name Conversion.

        • IP addresses: Supported only by some OV single-domain certificates (Brands: GlobalSign and GeoTrust).

      • Suffix restrictions: DigiCert-branded certificates cannot be issued for domain names with special suffixes, such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, or .ru. This restriction does not apply to GlobalSign.

      • Complimentary domain names: When you purchase a commercial certificate from Certificate Management Service and bind it to your domain name, Alibaba Cloud provides a corresponding complimentary domain name if your domain name is eligible for a commercial certificate.

    • Contact

      Select the contact for this certificate application. The contact information includes an email address and a mobile phone number. To create or modify a contact, click Create Contact or Edit, or go to Contact Management.

      Important

      After the CA receives the certificate application, it sends a validation email to the contact's email address or communicates with the contact using their mobile phone number for the review. Make sure that the contact information is accurate and valid.

    • Company

      Select the company information for this certificate application, including the name, phone number, and address. To create or modify company information, click Create Company Profile or Edit, or go to Company Information Management.

      Important

      When you apply for an OV certificate for a .gov domain name, the organization name in the domain's WHOIS information must exactly match the company name.

    • Encryption Algorithm

      Option

      Security

      Compatibility

      Performance

      Recommendation

      RSA_2048

      Medium

      Widest

      Middle

      Recommended for general use and suitable for most web applications.

      RSA_3072

      High

      Good

      Lower

      Suitable for scenarios with high security requirements, such as finance and payments.

      RSA_4096

      Very High

      Fair

      Low

      Recommended only for top-secret or extremely high-security scenarios.

      ECC_256

      High

      Good

      Very High

      Suitable for mobile applications, high-concurrency systems, and IoT devices.

      • RSA: An asymmetric key encryption algorithm based on the difficulty of factoring large integers. It is the most widely used and has excellent compatibility. Longer keys provide higher security but increase performance overhead.

      • ECC: An asymmetric key encryption algorithm based on the difficulty of the elliptic curve discrete logarithm problem. It achieves the same level of security as RSA with shorter keys, offers higher computational efficiency, and is suitable for resource-constrained environments such as mobile devices and IoT.

      Note

      Currently, only some brands and types of certificates support the ECC. For more information, see SSL certificate selection.

    • CSR Generation

      A Certificate Signing Request (CSR) is an application file submitted to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key. You must securely store the corresponding private key.

      Automatic (recommended)

      Alibaba Cloud automatically creates a CSR and a private key for you. After the certificate is issued, you can directly download the complete file that contains the private key.

      Manual Entry

      You can use tools such as OpenSSL or Keytool to manually generate a CSR and a private key file, which you must store securely. Then, copy the CSR content into the CSR File configuration item. For more information about how to create a CSR and a private key file, see How to create a CSR file.

      Important
      • Securely store your private key. If you lose the private key, the certificate becomes unusable because the key is unrecoverable. You would need to generate a new key pair and request a certificate reissuance.

      • The encryption algorithm of the CSR must match the Key Algorithm selected above.

      Select an Existing CSR

      From the CSRs created or uploaded in the Certificate Management Service console, select the CSR that matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.

    • CSR File

      This parameter is required only when CSR Generation is set to Manual or Select Existing CSR. Enter the content of your CSR file.

  5. After you confirm the certificate application, complete domain ownership verification.

Use case 2: Combine multiple certificates

Important

SSL Certificate Management V2.0 does not support certificate combination. Instead, when you purchase a certificate, select Domain Name. After you enter multiple domain names, the system automatically combines them into a single certificate. For more information about changes in SSL Certificate Management V2.0, see the release notes.

Certificate combination restrictions

To be combined, certificates must meet all of the following conditions:

  1. Basic requirements:

    • All certificates must be the same brand and type.

    • All certificates must have a status of Pending Application.

    • No certificate can be under certificate management. If a certificate is managed, you must first cancel certificate management.

  2. Additional rules for specific brands: Some brands have additional restrictions.

    • WoSign: Only DV certificates can be combined.

    • GlobalSign:

      • DV: The primary domain names must match. Wildcard domain names and IP addresses are not supported.

      • EV: No restrictions on the primary domain name, but wildcard domain names and IP addresses are not supported.

      • OV: No restrictions on the primary domain name. Wildcard domain names and IP addresses are supported.

Procedure

Warning

Combined certificates are non-refundable. If you create the combination from a resource plan, you cannot cancel the application. Proceed with caution.

  1. Log in to the Certificate Management Service console.

  2. On the Commercial Certificates tab, select Pending Application from the certificate status drop-down list. Find the target certificate and click Combine Certificates in the Actions column.

  3. On the Combine Certificates page, select the certificates to combine, select the confirmation checkbox, and click Combine Certificates. In the success dialog box, click OK.

  4. Find the combined certificate and click Apply for Certificate in the Actions column. You can identify the combined certificate by its name, which starts with cas-merge.

  5. In the certificate application panel, configure Domains to Bind and fill in the remaining application details. Then, click Submit.

    • The maximum number of domains for a combined certificate equals the sum of the domain limits of each individual certificate.

    • For details about other application parameters, see Application information.

  6. After you confirm the certificate application, complete domain ownership verification.

Withdraw an application

If you entered an incorrect encryption algorithm or contact and need to correct the information, your options depend on the certificate status:

  • If the certificate status is Validating Application, you can Withdraw the application. After withdrawal, resubmit the application with the correct information.

  • If the certificate status is Issued, you can only revoke the certificate. If the certificate was issued within the last 28 calendar days and you have not changed the domain name (for example, by adding or replacing a domain), your certificate quota is returned after revocation. You can then use the quota to apply for a new certificate with the correct information. For more information, see Revoke or delete SSL certificates.

Important

After you first apply for a DigiCert DV, Rapid DV, or personal test certificate, you cannot change the domain name by withdrawing the application or reapplying after revocation. To use a different domain name, purchase a new certificate.

FAQ

How do I choose a verification method?

The console automatically selects a recommended verification method based on the certificate and domain type in your application. You can also refer to How do I select a domain ownership verification method? for guidance.

Do certificate applications support Chinese domain names?

Yes. To apply for a certificate for a Chinese domain name, convert the domain to Punycode as prompted in the console. You can also use a conversion tool. For more information, see Convert Chinese domain names.

How do I modify contact information?

  • If you have not created a contact, click Create Contact in the contact drop-down list on the application form.

  • To modify an existing contact, click Edit next to the contact in the drop-down list on the application form.

  • You can also manage contacts in the console under Comprehensive Management > Contact Management. For more information, see Manage contacts.

Certificate issuance time

After you submit your application, you must complete domain ownership verification with the CA. For more information, see Domain ownership verification. After verification succeeds, a DV certificate is typically issued within 1 to 15 minutes. OV and EV certificates take an average of five calendar days to issue. Actual review and issuance times may be longer depending on the verification details.

Important

Monitor your phone and email for CA communications to avoid delays in certificate issuance.

Must company information for OV and EV certificates match the domain registration details?

Yes. You can manage company information in the console on the Comprehensive Management > Company Profile Management page. For details, see Manage company information.

References

If your certificate status is Validating Application and you no longer need the certificate, you can apply for a refund within 7 calendar days of payment. For details, see Certificate refund guide.

If you encounter problems with your application, see FAQ about SSL certificate applications.