This topic describes how to submit a certificate application to a certification authority (CA). To meet the CA's verification requirements, you must provide information such as a domain name or IP address, contact information, and company documents such as a business license.
Prerequisites
The certificate status is Pending Application.
Application flow
Scenario 1: Apply for a single certificate
Apply for an official certificate
Official certificates include three types: Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV). When you submit a certificate application, you must fill in the required information for the certificate type and submit it to the CA for review. This information includes the domain name or IP address to bind, the domain verification method, the certificate contact, and the company.
Log on to the Certificate Management Service console.
In the navigation pane on the left, choose .
On the Official Certificate tab, click Apply for Certificate in the Actions column of the target certificate, or hover over the icon in the Status column and click Apply for Certificate.
In the certificate application panel, complete the following configurations and click Submit.
Note: Alibaba Cloud Certificate Management Service sends the application information that you submit, such as the domain name to bind and contact information, to the CA for review.
DV certificate application information
Domains to Bind
Domain name requirements
Type match: The domain name type you enter (single domain, multiple domains, or wildcard) must match the certificate you purchased.
Length limits: The total length of a single domain name cannot exceed 253 characters. The length of each label in the domain name, separated by a period (.), cannot exceed 63 characters.
Special format requirements:
Wildcard: Must start with an asterisk (*), such as *.example.com.
Chinese domain names: If you use a Chinese domain name, you must convert it to Punycode as prompted in the console. For example, Alibaba Cloud.company is converted to xn--fhq546a.xn--55qx5d. You can also use a transcoding tool to perform the conversion. For more information, see Chinese domain name conversion.
IP address: Supported only by some OV single-domain certificates (Brands: GlobalSign, GeoTrust).
Domain name TLDs: DigiCert-branded certificates cannot be issued for domain names with special TLDs such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, and .ru. GlobalSign-branded certificates do not have this restriction.
Free domain name: You receive a free corresponding domain name when you purchase a commercial certificate from Alibaba Cloud Certificate Service and associate it with a domain name that is eligible for purchasing a commercial certificate.
Domain Verification Method
The certificate and the domain name DNS are not under the same Alibaba Cloud account
Manual DNS Verification (Recommended): Log on to your domain name resolution service platform and add a TXT DNS record.
File Verification: Log on to your web server, and then create and upload the required validation file to the specified folder.
Important: Wildcard domain names do not support file validation.
The certificate and the domain name DNS are under the same Alibaba Cloud account
The system uses the Automatic DNS Verification method. Alibaba Cloud automatically adds a DNS record to the corresponding domain name in the Alibaba Cloud DNS console to verify domain ownership. No manual operation is required.
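The Domains to Bind rules and the wildcard restriction on file verification above can be checked locally before you submit. The following shell function is an added example, not part of the Alibaba Cloud console or its tooling. Assumptions: the function name, the lowercase brand labels and the dns/file method labels are hypothetical, the TLD list holds only the examples this page names, and IP addresses are rejected rather than evaluated.

```sh
#!/bin/sh
# Added example: pre-check one "Domains to Bind" entry before submitting.
# TLDs this page names as examples for DigiCert-branded certificates (not exhaustive).
DIGICERT_BLOCKED_TLDS="edu gov org jp pay bank live nuclear ru"

# check_domain NAME BRAND METHOD   (hypothetical labels; METHOD is dns or file)
# Prints "ok" or "error: <reason>" and returns 0 or 1.
check_domain() {
  name=$1; brand=$2; method=$3
  # Anything besides letters, digits, hyphen, dot and asterisk is rejected;
  # raw Chinese characters land here and must be converted to Punycode first.
  rest=$(printf '%s' "$name" | LC_ALL=C tr -d 'A-Za-z0-9.*-')
  if [ -n "$rest" ]; then
    echo "error: invalid characters (convert non-ASCII names to Punycode)"; return 1
  fi
  if [ -z "$name" ] || [ "${#name}" -gt 253 ]; then
    echo "error: name must be 1 to 253 characters"; return 1
  fi
  case $name in
    *[!0-9.]*) ;;   # contains something other than digits and dots: a name
    *) echo "error: IP address (only some OV single-domain certificates)"; return 1 ;;
  esac

  # A wildcard is one leading "*." label; an asterisk anywhere else is invalid.
  case $name in
    \*.*) host=${name#\*.}
          if [ "$method" = file ]; then
            echo "error: wildcard names do not support file verification"; return 1
          fi ;;
    *)    host=$name ;;
  esac
  case $host in
    ""|*\**) echo "error: asterisk is only allowed as the leading label"; return 1 ;;
  esac

  # Split on dots; every label must be 1 to 63 characters. The last one is the TLD.
  old_ifs=$IFS; IFS=.
  set -- $host
  IFS=$old_ifs
  for label in "$@"; do
    if [ -z "$label" ] || [ "${#label}" -gt 63 ]; then
      echo "error: each label must be 1 to 63 characters"; return 1
    fi
    tld=$label
  done
  tld=$(printf '%s' "$tld" | tr 'A-Z' 'a-z')
  case " $DIGICERT_BLOCKED_TLDS " in
    *" $tld "*)
      if [ "$brand" = digicert ]; then
        echo "error: .$tld is not issuable under DigiCert-branded certificates"; return 1
      fi ;;
  esac
  echo ok
}

# Constructed sample inputs.
check_domain '*.example.com' digicert file || true
check_domain 'shop.example.org' digicert dns || true
check_domain 'shop.example.org' globalsign dns || true
```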
Contact
Select a contact for this certificate application. The contact information includes an email address and a mobile number. To create or modify a contact, you can click Create Contact or Edit, or go to the Contact Management page.
Important: After the CA receives the certificate application, it sends a validation email to the contact's email address or communicates review-related matters using the contact's mobile number. Make sure that the contact information is accurate and valid.
Location
Select the city or region where the applicant is located.
Encryption Algorithm
CSR Generation
A Certificate Signing Request (CSR) is an application file submitted to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key. You must securely store the corresponding private key.
Automatic (Recommended)
Alibaba Cloud automatically creates a CSR and a private key for you. After the certificate is issued, you can directly download the complete file that contains the private key.
Manual
You can use tools such as OpenSSL or Keytool to manually generate a CSR and a private key file, which you must store securely. Then, copy the CSR content to the CSR File configuration item. For more information about how to create a CSR and a private key file, see How to create a CSR file.
Important: Make sure to securely store your private key. If the private key is lost, you cannot use the certificate on your server. The private key cannot be recovered. You must generate a new key pair and reapply for the certificate.
The encryption algorithm of the CSR must match the key algorithm that you selected.
Select Existing CSR
From the CSRs that you created or uploaded in the Certificate Service console, select one that matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.
CSR File
This parameter is required only when CSR Generation is set to Manual or Select Existing CSR. Enter the content of your CSR file here.
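For the Manual option, the following example generates a private key and CSR with OpenSSL, then checks that the CSR's key algorithm matches the selected one, that it names the domain to bind, and that it was made from the private key you are storing. It is an added example, not Alibaba Cloud's procedure or code. Assumptions: the function names, file names, 2048-bit RSA size and P-256 curve are illustrative choices, and `-addext` requires OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example, not Alibaba Cloud tooling: manual CSR generation with OpenSSL
# and a pre-submit check. Key size, curve and file names are assumptions.

# make_csr ALGO DOMAIN DIR: writes DIR/server.key and DIR/server.csr.
# The body is a subshell so the restrictive umask does not leak to the caller.
make_csr() (
  algo=$1; domain=$2; dir=$3
  umask 077   # files created below are readable by their owner only
  case $algo in
    RSA) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
           -out "$dir/server.key" 2>/dev/null ;;
    ECC) openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
           -out "$dir/server.key" 2>/dev/null ;;
    *)   echo "unknown algorithm: $algo" >&2; exit 1 ;;
  esac || exit 1
  openssl req -new -key "$dir/server.key" -subj "/CN=$domain" \
    -addext "subjectAltName=DNS:$domain" -out "$dir/server.csr"
)

# csr_algorithm CSR: prints RSA, ECC or unknown, read from the CSR's public key.
csr_algorithm() {
  case $(openssl req -in "$1" -noout -text 2>/dev/null) in
    *"Public Key Algorithm: rsaEncryption"*)  echo RSA ;;
    *"Public Key Algorithm: id-ecPublicKey"*) echo ECC ;;
    *) echo unknown ;;
  esac
}

# precheck_csr CSR KEY ALGO DOMAIN: prints "ok" or "error: <reason>".
precheck_csr() {
  csr=$1; key=$2; algo=$3; domain=$4
  case $(openssl req -in "$csr" -noout -verify 2>&1) in
    *"verify OK"*) ;;
    *) echo "error: CSR is unreadable or its self-signature is invalid"; return 1 ;;
  esac
  if [ "$(csr_algorithm "$csr")" != "$algo" ]; then
    echo "error: CSR key algorithm does not match the selected $algo"; return 1
  fi
  # Exact match against the DNS entries of the subjectAltName extension.
  if ! openssl req -in "$csr" -noout -text | tr ',' '\n' |
       sed -n 's/^ *DNS://p' | grep -Fxq -- "$domain"; then
    echo "error: CSR does not cover $domain"; return 1
  fi
  # The CSR must carry the public half of the private key you are keeping.
  if [ "$(openssl req -in "$csr" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "error: CSR was not made from this private key"; return 1
  fi
  echo ok
}

# Constructed run in a throwaway directory.
work=$(mktemp -d)
make_csr ECC www.example.com "$work" &&
  precheck_csr "$work/server.csr" "$work/server.key" ECC www.example.com
rm -rf "$work"
```

Only the contents of server.csr go into the CSR File field; server.key stays on the host that generated it.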
OV certificate application information
Note: After you submit an application for an OV certificate, the CA sends domain ownership verification instructions to the contact by email or phone. The contact must complete the verification as required to confirm domain ownership.
Domains to Bind
Domain name requirements
Type match: The domain name type you enter (single domain, multiple domains, or wildcard) must match the certificate you purchased.
Length limits: The total length of a single domain name cannot exceed 253 characters. The length of each label in the domain name, separated by a period (.), cannot exceed 63 characters.
Special format requirements:
Wildcard: Must start with an asterisk (*), such as *.example.com.
Chinese domain names: If you use a Chinese domain name, you must convert it to Punycode as prompted in the console. For example, Alibaba Cloud.company is converted to xn--fhq546a.xn--55qx5d. You can also use a transcoding tool to perform the conversion. For more information, see Chinese domain name conversion.
IP address: Supported only by some OV single-domain certificates (Brands: GlobalSign, GeoTrust).
Domain name TLDs: DigiCert-branded certificates cannot be issued for domain names with special TLDs such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, and .ru. GlobalSign-branded certificates do not have this restriction.
Free domain name: You receive a free corresponding domain name when you purchase a commercial certificate from Alibaba Cloud Certificate Service and associate it with a domain name that is eligible for purchasing a commercial certificate.
Contact
Select a contact for this certificate application. The contact information includes an email address and a mobile number. To create or modify a contact, you can click Create Contact or Edit, or go to the Contact Management page.
Important: After the CA receives the certificate application, it sends a validation email to the contact's email address or communicates review-related matters using the contact's mobile number. Make sure that the contact information is accurate and valid.
Company
Select the company information for this certificate application, including the name, phone number, and address. To create or modify company information, you can click Create Company Profile or Edit, or go to the Company Information Management page.
Important: When you apply for an OV certificate for a .gov domain name, the organization name in the WHOIS record must be identical to your company name.
Business License
After you select a Company, the system automatically identifies the business license image that was uploaded for that company. If you did not upload a business license when you created the company profile, this field is empty. To ensure a quick review by the CA, upload your company's business license.
Encryption Algorithm
Select the key algorithm for the certificate.
RSA (Default): A widely used asymmetric key encryption algorithm with good compatibility.
ECC: Elliptic Curve Cryptography. Compared with RSA, ECC is a more advanced and secure encryption algorithm. It provides faster encryption, higher efficiency, and lower server resource consumption. It is widely supported by mainstream browsers.
Important: Currently, only some brands and types of certificates support ECC. For more information, see SSL certificate selection guide.
CSR Generation
A Certificate Signing Request (CSR) is an application file submitted to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key. You must securely store the corresponding private key.
Automatic (Recommended)
Alibaba Cloud automatically creates a CSR and a private key for you. After the certificate is issued, you can directly download the complete file that contains the private key.
Manual
You can use tools such as OpenSSL or Keytool to manually generate a CSR and a private key file, which you must store securely. Then, copy the CSR content to the CSR File configuration item. For more information about how to create a CSR and a private key file, see How to create a CSR file.
Important: Make sure to securely store your private key. If the private key is lost, you cannot use the certificate on your server. The private key cannot be recovered. You must generate a new key pair and reapply for the certificate.
The encryption algorithm of the CSR must match the key algorithm that you selected.
Select Existing CSR
From the CSRs that you created or uploaded in the Certificate Service console, select one that matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.
CSR File
This parameter is required only when CSR Generation is set to Manual or Select Existing CSR. Enter the content of your CSR file here.
EV certificate application information
Note: After you submit an application for an EV certificate, the CA sends domain ownership verification instructions to the contact by email or phone. The contact must complete the verification as required to confirm domain ownership.
Domains to Bind
Domain name requirements
Type match: The domain name type you enter (single domain, multiple domains, or wildcard) must match the certificate you purchased.
Length limits: The total length of a single domain name cannot exceed 253 characters. The length of each label in the domain name, separated by a period (.), cannot exceed 63 characters.
Special format requirements:
Wildcard: Must start with an asterisk (*), such as *.example.com.
Chinese domain names: If you use a Chinese domain name, you must convert it to Punycode as prompted in the console. For example, Alibaba Cloud.company is converted to xn--fhq546a.xn--55qx5d. You can also use a transcoding tool to perform the conversion. For more information, see Chinese domain name conversion.
IP address: Supported only by some OV single-domain certificates (Brands: GlobalSign, GeoTrust).
Domain name TLDs: DigiCert-branded certificates cannot be issued for domain names with special TLDs such as .edu, .gov, .org, .jp, .pay, .bank, .live, .nuclear, and .ru. GlobalSign-branded certificates do not have this restriction.
Free domain name: You receive a free corresponding domain name when you purchase a commercial certificate from Alibaba Cloud Certificate Service and associate it with a domain name that is eligible for purchasing a commercial certificate.
Contact
Select a contact for this certificate application. The contact information includes an email address and a mobile number. To create or modify a contact, you can click Create Contact or Edit, or go to the Contact Management page.
Important: After the CA receives the certificate application, it sends a validation email to the contact's email address or communicates review-related matters using the contact's mobile number. Make sure that the contact information is accurate and valid.
Company
Select the company information for this certificate application, including the name, phone number, and address. To create or modify company information, you can click Create Company Profile or Edit, or go to the Company Information Management page.
Important: When you apply for an OV certificate for a .gov domain name, the organization name in the WHOIS record must be identical to your company name.
Business License
After you select a Company, the system automatically identifies the business license image that was uploaded for that company. If you did not upload a business license when you created the company profile, this field is empty. To ensure a quick review by the CA, upload your company's business license.
Encryption Algorithm
Select the key algorithm for the certificate.
RSA (Default): A widely used asymmetric key encryption algorithm with good compatibility.
ECC: Elliptic Curve Cryptography. Compared with RSA, ECC is a more advanced and secure encryption algorithm. It provides faster encryption, higher efficiency, and lower server resource consumption. It is widely supported by mainstream browsers.
Important: Currently, only some brands and types of certificates support ECC. For more information, see SSL certificate selection guide.
CSR Generation
A Certificate Signing Request (CSR) is an application file submitted to a CA when you apply for an SSL certificate. It contains your domain name, organization information, and public key. You must securely store the corresponding private key.
Automatic (Recommended)
Alibaba Cloud automatically creates a CSR and a private key for you. After the certificate is issued, you can directly download the complete file that contains the private key.
Manual
You can use tools such as OpenSSL or Keytool to manually generate a CSR and a private key file, which you must store securely. Then, copy the CSR content to the CSR File configuration item. For more information about how to create a CSR and a private key file, see How to create a CSR file.
Important: Make sure to securely store your private key. If the private key is lost, you cannot use the certificate on your server. The private key cannot be recovered. You must generate a new key pair and reapply for the certificate.
The encryption algorithm of the CSR must match the key algorithm that you selected.
Select Existing CSR
From the CSRs that you created or uploaded in the Certificate Service console, select one that matches the Domains to Bind. For more information about how to create and upload a CSR, see Create a CSR.
CSR File
This parameter is required only when CSR Generation is set to Manual or Select Existing CSR. Enter the content of your CSR file here.
After you confirm the certificate application information, you must complete the domain ownership verification.
Scenario 2: Merge and apply for multiple certificates
Certificate merge restrictions
To merge certificates, all the following conditions must be met:
Basic requirements:
The certificates must be of the same brand and type.
The certificate status must be Pending Application.
The certificates must not be hosted. If a certificate is hosted, you must first cancel certificate hosting.
Additional rules for specific brands: In addition to the basic requirements, the following restrictions apply to some brands.
WoSign: Only DV certificates can be combined.
GlobalSign:
DV type: The primary domain names must be the same. Wildcard domain names and IP addresses are not supported.
EV type: There are no restrictions on primary domain names, but wildcard domain names and IP addresses are not supported.
OV type: There are no restrictions on primary domain names, and wildcard domain names and IP addresses are supported.
Procedure
After certificates are combined, you cannot request a refund. If the merge is generated from a resource plan, you cannot cancel the application. Proceed with caution.
Log on to the Certificate Service console.
On the Official Certificate tab, click the certificate status drop-down list above the certificate list and select Pending Application. Find the certificate that you want to merge. In the Actions column, click Combine Certificates.
In the Combine Certificates dialog box, select the certificates to combine and the confirmation checkbox, and then click Combine Certificates.

In the success dialog box, click OK.

Find the combined certificate. In the Actions column, click Apply for Certificate.
You can find the combined certificate by its name, which starts with cas-merge.
In the certificate application panel, follow the prompts to set the Domains to Bind and fill in other application information. Then, click Submit.
The number of domain names that a combined certificate can be bound to is the sum of the domain names that each individual certificate could be bound to before the merge.

For more information about other configuration items for a certificate application, see Application information.
After you confirm the certificate application information, you must complete the domain ownership verification.
Withdraw an application
If you selected the wrong encryption algorithm or contact and need to change the application information, you can do so as follows:
If the certificate status is Validating Application and the certificate has not been issued, you can Withdraw the application. After you withdraw the application, you can enter the correct information and submit the application again.
If the certificate status is Issued, you can only revoke the certificate. If the certificate was issued less than 28 calendar days ago and you have not changed the domain name (such as by appending or replacing a domain name), the certificate quota is returned to you after the certificate is revoked. You can use the quota to create a new certificate, enter the correct information, and submit the application. For more information, see Revoke and delete an SSL certificate.
FAQ
How do I select a verification method?
The console typically recommends a verification method based on the certificate type and domain name type that you apply for. You can also see How do I select a domain ownership verification method?
Do certificate applications support Chinese domain names?
Yes, they do. If you bind a Chinese domain name, you must convert it to Punycode as prompted in the console before you can apply for a certificate. You can also use a transcoding tool. For more information, see Convert a Chinese domain name.
How do I change the contact's email address or phone number?
If you have not created a contact, you can click Create Contact in the contact drop-down list when you fill in the application information.
If you want to modify an existing contact, you can click Edit next to the contact in the contact drop-down list when you fill in the application information.
You can also manage contacts in the section of the console. For more information, see Manage contacts.
How long does it take for a certificate to be issued after I submit an application?
After you submit an application, you must cooperate with the CA to complete the domain ownership verification. For more information, see Domain ownership verification. After the domain ownership is verified, DV certificates are automatically issued in 1 to 15 minutes. OV and EV certificates are issued in an average of five calendar days. The review and issuance period may be extended depending on the verification process.
Check your phone and email to avoid delays in certificate issuance.
For OV and EV certificate applications, must the company information match the domain's authenticated company information?
Yes, it must. You can manage company information in the section of the console. For more information, see Manage company information.
References
If the certificate status is Pending Review, but you no longer need this certificate due to business adjustments, you can request a refund within 7 calendar days after the payment is completed. For details about the refund process, see Certificate Refund Guide.
If you encounter problems during the application, see FAQ about SSL certificate applications for solutions.